VIRUS ALERT No. 112 - Wednesday, December 18, 2002.

I-Worm.Avron

Avron is a worm virus spreading via the Internet as an attachment to infected emails and through local area networks by copying itself to shared network drives. The worm has a password stealing routine.

The worm itself is a Windows PE EXE file approx. 26KB in length when compressed by UPX; the decompressed size is about 57KB. It is written in Microsoft Visual C++.

The worm has bugs in its code and fails to spread under some system conditions.

Installing

While installing, the worm copies itself to the Windows system directory under a random name, for example:

2dadd52doc.ex
ef23h672.exe

and registers this file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Mortimer = %worm file name%

Spreading: via email
The 'avron' worm looks for victim email addresses in the WAB database as well as in files with the following extensions:

 .DBX .MBX .WAB .HTML .EML .HTM .ASP .SHTML

To send out infected emails the worm connects to the default SMTP server.

Infected messages have the following attributes:

The From: field contains either one of the real email addresses found on the computer (see above) or a sender name randomly selected from the list:

IIS Exchange Board iis@microsoft.com
IREX/ORG
RART Team
Stimon online
Rudolf Ginsberg
Avril Lavigne
ACTR/Accels

The Subject: is randomly selected from the following variants:

Fw: IREX Fields Description
Re: ACCELS Awards results for 2003
Re: Avril Fans will rock you
Fw: Avril Lavigne - the best
Re: Antique themes
Re: ACTR/ACCELS Transcriptions

The message Body is in HTML format and is randomly selected from the following variants:

Body1:
EDUCATIONAL PURPOSE
Avril fans subscription
I wish you the sweetest thing
 

Body2:

Restricted area response team (RART)

Attachment you sent to %random worm% is really good :-)
Well done!

SMTP session error #450: service not ready

Body3:

>See this in attached files
>>New PICS of Avril Lavigne!!!
>>It is honourable when you do it!!!

The attached file name is randomly selected from the following list:

Resume.exe
ACTR_Form.exe
AvrilFans.exe
PDF_Desc.exe
XXX_Teens.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe

While spreading, the worm creates the temporary file named NewBoot.sys in the Temp directory.

The worm also creates the file listrecp.dll in the Windows directory and writes the list of victim email addresses to this file.

In some messages, chosen at random, the worm uses the IFrame security breach to run itself automatically when the message is viewed. Otherwise the infected messages are "pure" HTML messages without an "IFrame" tag.
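A mail-gateway triage check for the message attributes listed above, added here as an example and not part of the original alert. It uses only the standard library; the sample message is constructed (example.invalid addresses) rather than a real capture.

```python
"""Triage an RFC 822 message against the Avron attributes listed above."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator lists transcribed from the alert; attachment names compared case-insensitively.
AVRON_SUBJECTS = {
    "Fw: IREX Fields Description", "Re: ACCELS Awards results for 2003",
    "Re: Avril Fans will rock you", "Fw: Avril Lavigne - the best",
    "Re: Antique themes", "Re: ACTR/ACCELS Transcriptions",
}
AVRON_SENDER_NAMES = {
    "IIS Exchange Board", "IREX/ORG", "RART Team", "Stimon online",
    "Rudolf Ginsberg", "Avril Lavigne", "ACTR/Accels",
}
AVRON_ATTACHMENTS = {
    "resume.exe", "actr_form.exe", "avrilfans.exe", "pdf_desc.exe",
    "xxx_teens.exe", "transcripts.exe", "readme.exe", "avrilsmiles.exe",
}
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def triage(raw: bytes) -> list[str]:
    """Return the Avron indicators matched by one raw message, in check order."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in AVRON_SUBJECTS:
        hits.append("subject")
    if parseaddr(str(msg["From"] or ""))[0] in AVRON_SENDER_NAMES:
        hits.append("sender_name")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() in AVRON_ATTACHMENTS:
            hits.append("attachment")
    for part in msg.walk():  # an IFrame in the HTML body marks the auto-run variant
        if part.get_content_type() == "text/html" and IFRAME_RE.search(part.get_content()):
            hits.append("iframe")
    return hits


def sample_message(infected: bool = True) -> bytes:
    """Constructed test message (example.invalid addresses); imitates Body2 above."""
    m = EmailMessage()
    m["From"] = "RART Team <rart@example.invalid>" if infected else "Alice <alice@example.invalid>"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "Re: Avril Fans will rock you" if infected else "Lunch?"
    m.set_content("Restricted area response team (RART)" if infected else "Noon?")
    if infected:
        m.add_alternative('<html><body>Well done!<IFRAME src="cid:x"></IFRAME></body></html>', subtype="html")
        m.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream", filename="AvrilFans.exe")
    return m.as_bytes()
```

Any single hit is worth quarantining; the subject and sender-name lists are exact strings, so a later variant that changes them would need the list refreshed.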

Spreading: Via networks

'Avron' copies itself under random names to the \RECYCLED directory on all available logical drives (including shared network drives). If there is no \RECYCLED directory, the worm copies itself to the root of the drive.

To run on affected machines the worm adds a command to the \autoexec.bat file on the same drive.
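A host-side check for the installation and network-spreading artifacts described above (the Mortimer Run value, listrecp.dll, NewBoot.sys and the autoexec.bat entry), added as an example that is not part of the original alert. It works on data already collected from the host; the autoexec.bat pattern is an assumption, since the alert does not quote the exact command, and the sample data are constructed.

```python
"""Match collected host data against the Avron installation artifacts above."""
import re
from pathlib import PureWindowsPath

RUN_VALUE_NAME = "Mortimer"                      # value name under HKLM\...\Run (from the alert)
DROPPED_FILES = {"listrecp.dll", "newboot.sys"}  # written to the Windows and Temp directories
# Assumption: the alert does not quote the autoexec.bat line, so any line that
# launches an .exe from a \RECYCLED directory is treated as suspicious.
RECYCLED_EXE_RE = re.compile(r"\\RECYCLED\\[^\s\\]+\.exe\b", re.IGNORECASE)


def check_run_values(values: dict[str, str]) -> list[str]:
    """values: name -> data pairs read from the Run key."""
    return [f"Run\\{n} = {d}" for n, d in values.items() if n.lower() == RUN_VALUE_NAME.lower()]


def check_dropped_files(paths) -> list[str]:
    """paths: full paths from a listing of the Windows and Temp directories."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in DROPPED_FILES]


def check_autoexec(text: str) -> list[str]:
    """text: contents of \\autoexec.bat on each drive (see the assumption above)."""
    return [ln.strip() for ln in text.splitlines() if RECYCLED_EXE_RE.search(ln)]


def check_host(run_values, file_listing, autoexec_text) -> list[str]:
    return check_run_values(run_values) + check_dropped_files(file_listing) + check_autoexec(autoexec_text)


# Constructed sample data imitating an infected host (not a real capture).
SAMPLE_RUN = {"SystemTray": "SysTray.Exe", "Mortimer": r"C:\WINDOWS\SYSTEM\ef23h672.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\listrecp.dll", r"C:\WINDOWS\TEMP\NewBoot.sys", r"C:\WINDOWS\SYSTEM\kernel32.dll"]
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\nC:\\RECYCLED\\a8f3k2.exe\r\n"
```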

Password Stealing Routine

This routine enumerates the cached passwords and sends them to the otto_psws@pochta.ws email address with the email subject: Password Got.

Payload

On the 7th and 24th of any month the worm starts a routine that randomly moves the mouse cursor on the monitor screen and then opens the Web page:

http://www.avril-lavigne.com

Other

The 'avron' worm also starts a routine that continuously looks for anti-virus programs and active firewall processes and tries to terminate them.

'Avron' creates a text file with a random name and a .TXT extension in the Temp directory and writes the following text to this .txt file:

Author ------> 2002 (c) Otto von Gutenberg
Made in -----> Almaty .::]Kazakhstan[::. (:;)--:>
Purpose -----> Only Educational
Virus name --> AVRIL (please do not change it)

[ATTENTION]
The author has no response of the damages
caused by AVRIL.
 

[DESCRIPTION]
For my lovely Avril Lavigne dedicated.
She lives in Canada and she's beautiful.
This is for AV companies:
Why? Why? Why don't you update your KB (knowledge bases)
on my serial and yet serious masterpieces?!
I guess that of AVRIL will get you thought of it.
NO DESTRUCTIVE ACTION!
 

[ACKNOWLEDGEMENT]
Antoher V0X & Hacker Group from Central Asia
Thanx to Rage, Razum and V-HiV; coderz.net, indovirus.net, securitylab.ru etc.
 

Thank you for ideas approach to us!!!
Bye


Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
