Win32.HLLM.Avril.1

(Win32.Lirva.A@mm, W32/Lirva.a@MM, I-Worm/Naith.B, Email-Worm.Win32.Avron.c, System error, Parser error, Win32.HLLW.Avron.c, W32.Lirva.A@mm, Win32/Naith.A@mm, Worm/Avril.A.2, Win32/Lirva!Worm, WORM_LIRVA.A, Exploit-MIME.gen.b, WORM_LIRVA.GEN)

Added to the Dr.Web virus database: 2003-01-07

Virus description added:

Description

Win32.HLLM.Avril.1 is a mass-mailing worm written in the Microsoft Visual C++ high-level programming language. It infects systems running Windows 95/98/Me/NT/2000/XP. The worm is packed with the UPX packer; its packed size is 32,766 bytes.
To spread, the worm uses e-mail addresses it finds in files with the DBX, EML, IDX, HTML, HTM, MBX, NCH, TBB, SHTML and WAB extensions, as well as shared drives on the local network, IRC, ICQ and the KaZaA peer-to-peer network. The worm does not check whether the addresses found in these files are valid, so during its mass-mailing Win32.HLLM.Avril.1 will send to any string of the form xxxx@xxxxx. It stores the harvested addresses in the file listrecp.dll in the Windows folder.

To penetrate a system the worm exploits a long-known incorrect MIME header vulnerability, which allows a program file (containing the virus) to run automatically when the e-mail is merely previewed in mail clients such as MS Outlook and MS Outlook Express (versions 5.01 and 5.5).

Spreading

For e-mail propagation the worm uses its own SMTP engine. It retrieves information about the SMTP server of the affected machine from the following registry entries:

HKCU\Software\Microsoft\Internet Account Manager\Accounts\......\SMTP Server
HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\.....\SMTP Server

The mail message sent by the worm looks as follows:

Subject: always begins with RE: or FW:, creating the impression that the message is a reply to a letter sent from the infected machine or has been forwarded. It is one of the following:

Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
The message body: the worm's body contains several variants of text used to form the infected message.
  • Avril fans subscription FanList admits you to take in Avril Lavigne 2003 
    Billboard awards ceremony Vote for I'm with you! Admission form 
    attached below
    
  • Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft® Tech Support:
  • Restricted area response team (RART) Attachment you sent to
    (followed by an address analogous to the one in the FROM: field)
    is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
  • Attachment: chosen by the worm from the following list; it always has the .exe extension:
    IAmWiThYoU.exe
    AvrilSmiles.exe
    AvrilLavigne.exe
    Complicated.exe
    Cogito_Ergo_Sum.exe
    CERT-Vuln-Info.exe
    Download.exe
    MSO-Patch-0071.exe
    MSO-Patch-0035.exe
    Readme.exe
    Resume.exe
    Sk8erBoi.exe
    Singles.exe
    Sophos.exe
    Two-Up-Secretly.exe
    Transcripts.exe
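
The message characteristics above (fixed subject lines, a fixed set of .exe attachment names, and a MIME header that does not match the executable it carries) are easy to check at a mail gateway. The following is an added example, not Dr.Web code: it takes the subject and attachment lists from this description, and the sample messages are constructed. The check for an .exe filename delivered under a non-application content type is this example's own assumption about how the incorrect MIME header described above shows up on the wire.

```python
"""Mail-side indicator check for Win32.HLLM.Avril.1 messages (added example)."""
from email import message_from_string

# Subject lines listed in the description, compared case-insensitively.
WORM_SUBJECTS = {s.lower() for s in (
    "Fw: Prohibited customers...",
    "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit",
    "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger",
    "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
)}

# Attachment names listed in the description.
WORM_ATTACHMENTS = {a.lower() for a in (
    "IAmWiThYoU.exe", "AvrilSmiles.exe", "AvrilLavigne.exe", "Complicated.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Download.exe",
    "MSO-Patch-0071.exe", "MSO-Patch-0035.exe", "Readme.exe", "Resume.exe",
    "Sk8erBoi.exe", "Singles.exe", "Sophos.exe", "Two-Up-Secretly.exe",
    "Transcripts.exe",
)}


def normalize(text):
    """Lower-case and collapse whitespace so folded headers still compare."""
    return " ".join((text or "").lower().split())


def attachment_parts(msg):
    """Yield (filename, declared content type) for every leaf part with a filename."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name, part.get_content_type()


def scan_message(raw):
    """Return the indicators found in one RFC 822 message and a graded verdict."""
    msg = message_from_string(raw)
    subject_match = normalize(msg.get("Subject")) in WORM_SUBJECTS
    attachment_match, mime_mismatch = [], []
    for name, ctype in attachment_parts(msg):
        if name.lower() in WORM_ATTACHMENTS:
            attachment_match.append(name)
        # Assumption: an executable filename under a non-application content
        # type is the on-the-wire form of the incorrect MIME header trick.
        if name.lower().endswith(".exe") and not ctype.startswith("application/"):
            mime_mismatch.append(name)
    families = int(subject_match) + int(bool(attachment_match)) + int(bool(mime_mismatch))
    verdict = {0: "clean", 1: "review"}.get(families, "suspicious")
    return {
        "subject_match": subject_match,
        "attachment_match": attachment_match,
        "mime_mismatch": mime_mismatch,
        "verdict": verdict,
    }


# Constructed sample modelled on the message description above (not a capture).
SAMPLE_MESSAGE = """\
From: someone@example.com
To: recipient@example.org
Subject: Fwd: Re: Reply on account for Incorrect MIME-header
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Restricted area response team (RART) Attachment you sent to someone@example.com
is intended to overwrite start address at 0000:HH4F To prevent from the further
buffer overflow attacks apply the MSO-patch
--b1
Content-Type: audio/x-wav; name="MSO-Patch-0071.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="MSO-Patch-0071.exe"

Q09OU1RSVUNURUQ=
--b1--
"""

# Constructed: a matching subject with no attachment, to show the 'review' grade.
SUBJECT_ONLY_MESSAGE = """\
From: a@example.com
To: b@example.org
Subject: Re: The real estate plunger
Content-Type: text/plain

Just the listing you asked about.
"""

# Constructed: an unrelated plain message.
BENIGN_MESSAGE = """\
From: a@example.com
To: b@example.org
Subject: Lunch tomorrow?
Content-Type: text/plain

Same place at noon?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, SUBJECT_ONLY_MESSAGE, BENIGN_MESSAGE):
        print(scan_message(raw))
```

The three indicator families are graded separately so that a single coincidental subject match is only routed for review, whereas a listed attachment name together with a mismatched content type is enough on its own to quarantine.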
    
To spread via shared drives the worm drops a copy of itself into the Windows\Recycled folder as a randomly named file with the .EXE extension. It modifies the AUTOEXEC.BAT file of the shared drive so that the copy runs at every Windows start-up: @win \RECYCLED\dropped file name

To propagate via mIRC it drops a modified SCRIPT.INI file into the mIRC folder. As a result, once the infected machine connects to an IRC server it is forced to join the #avrillavigne channel, and the worm starts sending copies of itself to all users connected to that channel.

To propagate via ICQ the worm searches for the ICQ folder in the registry entry
HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\App Paths\ICQ.EXE\
and, if found, copies the file ICQMAPI.DLL to the %System% folder. After that it starts sending itself to all contacts in the local ICQ folder of the infected machine.

To propagate via the KaZaA network the worm reads the registry entry
HKEY_CURRENT_USER\Software\KaZaA\Transfer\DlDir0
to locate the KaZaA shared folder and copies itself there as a randomly named file with the .EXE extension; the copy then becomes accessible to all peer-to-peer network users.

Action

When run, the worm copies itself to the Windows\System folder (C:\Windows\System on Windows 9x and Windows Me, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP) as an executable file with the .EXE extension and a generated name of 11 characters. To ensure it runs automatically, the worm adds the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Avril Lavigne - Muse =
\generated by the worm name.exe
Additionally, the worm creates the registry key HKEY_LOCAL_MACHINE\Software\OvG, to which it adds the value "DONE". It also creates the mutex AVRIL_LAVIGNE_LET_GO to mark its presence in the system.

It also drops two more copies of itself into the Windows\Temp folder. The first file has the same name under which the worm arrived on the victim computer; the second has the .TFT extension and no fixed name.

The worm also places a simple text file named avril_ii.inf in the same folder, containing the following strings:

    Avril-II
    Made in .::]|KaZAkHstaN|[::.
    2002 (c) Otto von Gutenberg
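
The artifacts described in this section (the Run key value, the OvG marker key, the mutex, the Temp copies, avril_ii.inf, listrecp.dll and the AUTOEXEC.BAT line on shared drives) together make a compact host triage checklist. The following is an added example, not Dr.Web code. It works on a snapshot of registry values, mutex names, file paths and AUTOEXEC.BAT lines collected by whatever tooling is at hand, so it runs offline; the snapshot below is constructed, the indicator values come from this entry, and the snapshot layout, field names and the 11-character name pattern are this example's own assumptions.

```python
"""Host-side triage for the Win32.HLLM.Avril.1 artifacts described above (added example)."""
import re

# Indicators taken from the description.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Avril Lavigne - Muse"
MARKER_KEY = r"HKLM\Software\OvG"
MUTEX = "AVRIL_LAVIGNE_LET_GO"
INF_NAME = "avril_ii.inf"
INF_FIRST_LINE = "Avril-II"
RECIPIENT_STORE = "listrecp.dll"
AUTOEXEC_PATTERN = re.compile(r"^@win\s+\\RECYCLED\\\S+", re.IGNORECASE)
# Assumption: "11 symbols" in the description means any 11 characters before ".exe".
GENERATED_NAME = re.compile(r"^.{11}\.exe$", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path, even when this runs on a POSIX host."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_registry(registry):
    """registry: {key: {value_name: data}} as exported from the host."""
    findings = []
    data = registry.get(RUN_KEY, {}).get(RUN_VALUE_NAME)
    if data is not None:
        note = "" if GENERATED_NAME.match(basename(data)) else \
            " (name length differs from the documented 11 characters)"
        findings.append(f"run key value '{RUN_VALUE_NAME}' -> {data}{note}")
    marker = registry.get(MARKER_KEY)
    if marker is not None:
        # The description does not say whether DONE is the value name or data;
        # accept either.
        if "DONE" in marker or "DONE" in marker.values():
            findings.append(f"infection marker {MARKER_KEY} = DONE")
        else:
            findings.append(f"unexpected key {MARKER_KEY} present")
    return findings


def check_mutexes(mutexes):
    return [f"mutex {MUTEX} present"] if MUTEX in mutexes else []


def check_files(files):
    """files: {path: content or None}; content is only needed for avril_ii.inf."""
    findings = []
    for path, content in files.items():
        name = basename(path).lower()
        if name == INF_NAME:
            if content is not None and content.splitlines()[:1] == [INF_FIRST_LINE]:
                findings.append(f"{path}: worm signature text")
            else:
                findings.append(f"{path}: present")
        elif name.endswith(".tft") and "\\temp\\" in path.lower():
            findings.append(f"{path}: .TFT copy in Temp")
        elif name == RECIPIENT_STORE:
            findings.append(f"{path}: harvested-address store")
    return findings


def check_autoexec(lines):
    return [f"AUTOEXEC.BAT launches {line.split()[-1]}"
            for line in lines if AUTOEXEC_PATTERN.match(line.strip())]


def triage(snapshot):
    """Run every check over one host snapshot and return the list of findings."""
    findings = []
    findings += check_registry(snapshot.get("registry", {}))
    findings += check_mutexes(snapshot.get("mutexes", []))
    findings += check_files(snapshot.get("files", {}))
    findings += check_autoexec(snapshot.get("autoexec", []))
    return findings


# Constructed snapshot of an infected host (not a real capture).
SNAPSHOT = {
    "registry": {
        RUN_KEY: {
            RUN_VALUE_NAME: r"C:\WINDOWS\SYSTEM32\kq3fd8zpl2m.exe",
            "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        },
        MARKER_KEY: {"": "DONE"},
    },
    "mutexes": ["AVRIL_LAVIGNE_LET_GO", "MSCTF.Shared.MUTEX.EXAMPLE"],
    "files": {
        r"C:\WINDOWS\Temp\avril_ii.inf":
            "Avril-II\nMade in .::]|KaZAkHstaN|[::.\n2002 (c) Otto von Gutenberg\n",
        r"C:\WINDOWS\Temp\x7q2.tft": None,
        r"C:\WINDOWS\listrecp.dll": None,
        r"C:\WINDOWS\notepad.exe": None,
    },
    "autoexec": ["@echo off", r"@win \RECYCLED\h8s7df.exe"],
}

if __name__ == "__main__":
    for finding in triage(SNAPSHOT):
        print(finding)
```

Each check is independent, so a partial snapshot (for example registry and mutexes only) still produces useful findings, and the Run key check reports when the referenced name does not have the documented 11-character length rather than silently dropping the hit.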
    
The worm attempts to terminate the following anti-virus and security-related programs:
    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
    ACKWIN32.EXE
    ANTI-TROJAN.EXE
    APVXDWIN.EXE
    AUTODOWN.EXE
    AVCONSOL.EXE
    AVE32.EXE
    AVGCTRL.EXE
    AVKSERV.EXE
    AVP.EXE
    AVP32.EXE
    AVPCC.EXE
    AVPDOS32.EXE
    AVPM.EXE
    AVPMON.EXE
    AVPNT.EXE
    AVPTC32.EXE
    AVPUPD.EXE
    AVSCHED32.EXE
    AVWIN95.EXE
    AVWUPD32.EXE
    BLACKD.EXE
    BLACKICE.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    CFIND.EXE
    CLAW95.EXE
    CLAW95CT.EXE
    CLEANER.EXE
    CLEANER3.EXE
    DV95.EXE
    DV95_O.EXE
    DVP95.EXE
    ECENGINE.EXE
    EFINET32.EXE
    ESAFE.EXE
    ESPWATCH.EXE
    F-AGNT95.EXE
    F-PROT.EXE
    F-PROT95.EXE
    F-STOPW.EXE
    FINDVIRU.EXE
    FP-WIN.EXE
    FPROT.EXE
    FRW.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    IBMASN.EXE
    IBMAVSP.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMOON.EXE
    ICSSUPPNT.EXE
    ICSUPP95.EXE
    IFACE.EXE
    IOMON98.EXE
    JED.EXE
    KPF.EXE
    KPFW32.EXE
    LOCKDOWN2000.EXE
    LOOKOUT.EXE
    LUALL.EXE
    MOOLIVE.EXE
    MPFTRAY.EXE
    N32SCAN.EXE
    NAVAPW32.EXE
    NAVLU32.EXE
    NAVNT.EXE
    NAVSCHED.EXE
    NAVW.EXE
    NAVW32.EXE
    NAVWNT.EXE
    NISUM.EXE
    NMAIN.EXE
    NORMIST.EXE
    NUPGRADE.EXE
    NVC95.EXE
    OUTPOST.EXE
    PADMIN.EXE
    PAVCL.EXE
    PCCWIN98.EXE
    PCFWALLICON.EXE
    PERSFW.EXE
    RAV7.EXE
    RAV7WIN.EXE
    RESCUE.EXE
    SAFEWEB.EXE
    SCAN32.EXE
    SCAN95.EXE
    SCANPM.EXE
    SCRSCAN.EXE
    SERV95.EXE
    SMC.EXE
    SPHINX.EXE
    SWEEP95.EXE
    TBSCAN.EXE
    TCA.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    VET95.EXE
    VETTRAY.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSSCAN40.EXE
    VSSTAT.EXE
    WEBSCAN.EXE
    WEBSCANX.EXE
    WFINDV32.EXE
    ZONEALARM.EXE
    
On the 7th, 11th and 24th of any month the worm opens the web page http://www.avril-lavigne.com and displays colourful graphics on the Active Desktop.


The worm can steal passwords from users' files (*.PWL) and later send them to a certain e-mail address.