Description
Win32.HLLM.Avril.2 is a mass-mailing worm written in the Microsoft Visual C++ high-level programming language. It infects systems running Windows 95/98/Me/NT/2000/XP. The worm is packed with the UPX packer; its packed size is 34,815 bytes.
To spread, the worm uses e-mail (sending itself to addresses it harvests from files with the .IDX, .NCH, .SHTML, .TBB, .HTM, .EML, .HTML, .WAB, .MBX and .DBX extensions), shared drives on the local network, IRC, ICQ and the KaZaA peer-to-peer network.
To penetrate the system the worm exploits a long-known incorrect MIME header vulnerability, which allows an executable file (containing the virus code) to run automatically as soon as the message is previewed in mail clients such as MS Outlook and MS Outlook Express (versions 5.01 and 5.5). It is worth noting that the potentially dangerous HTML code is generated by executing JavaScript, which lets it evade detection by some anti-virus programs on mail servers.
Spreading
For e-mail propagation the worm uses its own SMTP engine. It retrieves the SMTP server settings of the affected machine from the following registry entries:
HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\....\SMTP Server
HKCU\Software\Microsoft\Internet Account Manager\Accounts\
The mail message sent by the worm looks as follows:
Subject: always begins with RE: or FW:, giving the impression that the message is a reply to a letter sent from the infected machine or has been forwarded. It is one of the following:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Message body: the worm carries several text variants from which the infected message is formed:
AVRIL LAVIGNE - THE CHART ATTACK! Vote fo4r Complicated! Vote fo4r Sk8er Boi! Vote fo4r I'm with you! Chart attack active list:
AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:> SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Chart attack active list .>.>"
Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft® Tech Support:
Restricted area response team (RART) Attachment you sent to is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
Attachment name: chosen by the worm from the following list and always carrying the .exe extension:
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
When mass-mailing its copies the worm also attaches randomly chosen document files with the DOC and TXT extensions found on the infected system. Thus any confidential information the worm has access to may become public.
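A mail-gateway check for the two spreading tricks described above (the incorrect-MIME-header attachment and the fixed subject and attachment-name lists), written here as an added Python example; it is not code from the advisory, the worm, or any vendor product. It parses a raw message with the standard email package, flags leaf parts whose declared Content-Type (such as the media types the original vulnerability abused) disagrees with an executable file name or with an MZ payload, and looks the subject and attachment name up in the lists given above. The sample messages, the EXECUTABLE_TYPES set and the function names are constructed for this example.

```python
import email
from email import policy

# Subjects and attachment names taken from the advisory lists, lower-cased.
KNOWN_SUBJECTS = {s.lower() for s in (
    "Fw: Redirection error notification", "Re: Brigada Ocho Free membership",
    "Re: According to Purge's Statement", "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: ACTR/ACCELS Transcriptions", "Re: IREX admits you to take in FSAU 2003",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: Vote seniors masters - don't miss it!",
    "Fwd: RFC-0245 Specification requested...",
    "Fwd: RFC-0841 Specification requested...",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"', "Re: Junior Achievement",
    "Re: Ha perduto qualque cosa signora?",
)}
KNOWN_ATTACHMENTS = {s.lower() for s in (
    "Resume.exe", "ADialer.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Two-Up-Secretly.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "AvrilLavigne.exe", "Complicated.exe", "TrickerTape.exe", "Sophos.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe",
    "Phantom.exe", "EntradoDePer.exe", "SiamoDiTe.exe", "BioData.exe", "ALavigne.exe",
)}
# Assumption for this example: Content-Types under which a Windows executable
# may legitimately be declared; a .exe name under any other type is a mismatch.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-msdos-program",
                    "application/vnd.microsoft.portable-executable"}


def inspect_part(part):
    """Return a finding for one leaf MIME part, or None if it carries no file name."""
    name = part.get_filename()          # Content-Disposition filename or Content-Type name
    if not name:
        return None
    ctype = part.get_content_type()
    payload = part.get_payload(decode=True) or b""   # transfer-decoded bytes
    flags = []
    if name.lower() in KNOWN_ATTACHMENTS:
        flags.append("known_name")
    if name.lower().endswith(".exe") and ctype not in EXECUTABLE_TYPES:
        flags.append("type_mismatch")   # executable name hidden under a media/text type
    if payload.startswith(b"MZ"):
        flags.append("pe_payload")      # decoded bytes start with the DOS/PE magic
    return {"name": name, "content_type": ctype, "flags": flags}


def analyze_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and collect subject and attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip()
    report = {
        "subject": subject,
        "subject_known": subject.lower() in KNOWN_SUBJECTS,
        "reply_prefix": subject.lower().startswith(("re:", "fw:", "fwd:")),
        "attachments": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue                    # containers carry no payload of their own
        finding = inspect_part(part)
        if finding:
            report["attachments"].append(finding)
    return report


def verdict(report: dict) -> str:
    """Block on any attachment finding; the reply prefix alone is only a weak signal."""
    return "block" if any(a["flags"] for a in report["attachments"]) else "allow"


# Constructed sample: a .exe declared as audio/x-wav whose base64 body decodes to "MZ...".
SAMPLE_RAW = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Fw: Avril Lavigne - CHART ATTACK!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/html; charset="us-ascii"

<html><body>AVRIL LAVIGNE - THE CHART ATTACK!</body></html>
--bnd
Content-Type: audio/x-wav; name="Complicated.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--bnd--
"""
# Constructed sample: an ordinary reply with no attachment.
CLEAN_RAW = b"""From: a@example.invalid
To: b@example.invalid
Subject: Re: lunch
Content-Type: text/plain; charset="us-ascii"

See you at noon.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_RAW, CLEAN_RAW):
        r = analyze_message(raw)
        print(verdict(r), r["subject"], [a["flags"] for a in r["attachments"]])
```

The type-versus-content check is the part that generalises beyond this worm: a gateway that refuses any part whose transfer-decoded bytes start with MZ, whatever Content-Type it claims, needs no name lists to catch the same trick from a different family.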
Action
The worm attempts to terminate a number of anti-virus and security-related programs:
KPF.EXE KPFW32.EXE _AVPM.EXE AUTODOWN.EXE AVKSERV.EXE AVPUPD.EXE BLACKD.EXE CFIND.EXE CLEANER.EXE ECENGINE.EXE F-PROT.EXE FP-WIN.EXE IAMSERV.EXE ICLOADNT.EXE IFACE.EXE LOOKOUT.EXE N32SCAN.EXE NAVW32.EXE NORMIST.EXE PADMIN.EXE PCCWIN98.EXE RAV7WIN.EXE SCAN95.EXE SMC.EXE TCA.EXE VETTRAY.EXE VSSTAT.EXE ACKWIN32.EXE AVCONSOL.EXE AVPNT.EXE AVPDOS32.EXE AVSCHED32.EXE BLACKICE.EXE EFINET32.EXE CLEANER3.EXE ESAFE.EXE F-PROT95.EXE FPROT.EXE IBMASN.EXE ICMOON.EXE IOMON98.EXE LUALL.EXE NAVAPW32.EXE NAVWNT.EXE NUPGRADE.EXE PAVCL.EXE PCFWALLICON.EXE RESCUE.EXE SCANPM.EXE SPHINX.EXE TDS2-98.EXE VSSCAN40.EXE WEBSCANX.EXE WEBSCAN.EXE ANTI-TROJAN.EXE AVE32.EXE AVP.EXE AVPM.EXE AVWIN95.EXE CFIADMIN.EXE CLAW95.EXE DVP95.EXE ESPWATCH.EXE F-STOPW.EXE FRW.EXE IBMAVSP.EXE ICSUPP95.EXE JED.EXE MOOLIVE.EXE NAVLU32.EXE NISUM.EXE NVC95.EXE NAVSCHED.EXE PERSFW.EXE SAFEWEB.EXE SCRSCAN.EXE SWEEP95.EXE TDS2-NT.EXE VSECOMR.EXE WFINDV32.EXE AVPCC.EXE _AVPCC.EXE APVXDWIN.EXE AVGCTRL.EXE _AVP32.EXE AVPTC32.EXE AVWUPD32.EXE CFIAUDIT.EXE CLAW95CT.EXE DV95_O.EXE DV95.EXE F-AGNT95.EXE FINDVIRU.EXE IAMAPP.EXE ICLOAD95.EXE ICSSUPPNT.EXE LOCKDOWN2000.EXE MPFTRAY.EXE NAVNT.EXE NMAIN.EXE OUTPOST.EXE NAVW.EXE RAV7.EXE SCAN32.EXE SERV95.EXE TBSCAN.EXE VET95.EXE VSHWIN32.EXE ZONEALARM.EXE AVPMON.EXE AVP32.EXE
The worm also terminates any process whose window title contains one of the following strings:
virus anti McAfee Virus Anti AVP Norton
Once running on the computer, the worm tries to connect to http://web.host.kz and download the BackOrifice trojan (this has not been possible since January 9th, 2003).
On the 7th, 11th or 24th of any month it opens the web page http://www.avril-lavigne.com and displays colourful graphics on the Active Desktop.
The worm sends the PWL files (Windows password list files) containing the users' passwords of the compromised system to the following addresses:
otto_aw@smtp.ru
otto_alavigne@smtp.ru
otto_avril_ii@smtp.ru
otto_avril@smtp.ru