Re: Virus LIRVA

From: Sorin Mustaca <sorin.mustaca(at)ravantivirus.com>
Date: Wed Jan 08 2003 - 04:36:32 EST

Read below

Pascal Schelcher wrote:

> Hello,
>
> Does anybody know the LIRVA.A worm ?
> I have some virus alerts about that.
>
> Thanks,
> Pascal Schelcher.
>
>
>
> This mail was scanned by RAV AntiVirus
>
> on behalf of GeCAD Software.

Virus name: Win32/Naith.A@mm
Virus type: I_Worm
Aliases: Win32/Arvil, Win32/Livra, I-Worm.Livra
Infected objects: SYSTEM
Distribution: Common
Region reported: Europe
Description: This is a new internet worm reported ItW.

Naith was written in Visual C and then packed with a patched [to avoid unpacking] version of the well-known UPX executable packer.

When executed, Naith will create 1 thread and wait for its completion. First it checks for a mutex called "AVRIL_LAVIGNE_LET_GO" - if such a mutex exists, Naith simply exits [this is to avoid multiple copies of itself running at the same time]. Next, the thread will enumerate the process list and stop processes matching the following patterns:

"AVP32.EXE", "AVPMON.EXE", "ZONEALARM.EXE", "VSHWIN32.EXE", "VET95.EXE",
"TBSCAN.EXE", "SERV95.EXE", "SCAN32.EXE", "RAV7.EXE", "NAVW.EXE",
"OUTPOST.EXE", "NMAIN.EXE", "NAVNT.EXE", "MPFTRAY.EXE",
"LOCKDOWN2000.EXE", "ICSSUPPNT.EXE", "ICLOAD95.EXE", "IAMAPP.EXE",
"FINDVIRU.EXE", "F-AGNT95.EXE", "DV95.EXE", "DV95_O.EXE",
"CLAW95CT.EXE", "CFIAUDIT.EXE", "AVWUPD32.EXE", "AVPTC32.EXE",
"_AVP32.EXE", "AVGCTRL.EXE", "APVXDWIN.EXE", "_AVPCC.EXE", "AVPCC.EXE",
"WFINDV32.EXE", "VSECOMR.EXE", "TDS2-NT.EXE", "SWEEP95.EXE",
"SCRSCAN.EXE", "SAFEWEB.EXE", "PERSFW.EXE", "NAVSCHED.EXE", "NVC95.EXE",
"NISUM.EXE", "NAVLU32.EXE", "MOOLIVE.EXE", "JED.EXE", "ICSUPP95.EXE",
"IBMAVSP.EXE", "FRW.EXE", "F-STOPW.EXE", "ESPWATCH.EXE", "DVP95.EXE",
"CLAW95.EXE", "CFIADMIN.EXE", "AVWIN95.EXE", "AVPM.EXE", "AVP.EXE",
"AVE32.EXE", "ANTI-TROJAN.EXE", "WEBSCAN.EXE", "WEBSCANX.EXE",
"VSSCAN40.EXE", "TDS2-98.EXE", "SPHINX.EXE", "SCANPM.EXE", "RESCUE.EXE",
"PCFWALLICON.EXE", "PAVCL.EXE", "NUPGRADE.EXE", "NAVWNT.EXE",
"NAVAPW32.EXE", "LUALL.EXE", "IOMON98.EXE", "ICMOON.EXE", "IBMASN.EXE",
"FPROT.EXE", "F-PROT95.EXE", "ESAFE.EXE", "CLEANER3.EXE",
"EFINET32.EXE", "BLACKICE.EXE", "AVSCHED32.EXE", "AVPDOS32.EXE",
"AVPNT.EXE", "AVCONSOL.EXE", "ACKWIN32.EXE", "VSSTAT.EXE",
"VETTRAY.EXE", "TCA.EXE", "SMC.EXE", "SCAN95.EXE", "RAV7WIN.EXE",
"PCCWIN98.EXE", "PADMIN.EXE", "NORMIST.EXE", "NAVW32.EXE",
"N32SCAN.EXE", "LOOKOUT.EXE", "IFACE.EXE", "ICLOADNT.EXE",
"IAMSERV.EXE", "FP-WIN.EXE", "F-PROT.EXE", "ECENGINE.EXE",
"CLEANER.EXE", "CFIND.EXE", "BLACKD.EXE", "AVPUPD.EXE", "AVKSERV.EXE",
"AUTODOWN.EXE", "_AVPM.EXE", "AVPM.EXE", "KPFW32.EXE", "KPF.EXE".
Applications with window names matching the following patterns are also killed:

"Norton", "AVP", "Anti", "Virus", "McAfee", "anti", "virus".

A thread will continuously (with delays of 35 seconds between each check) scan for processes matching the above patterns and kill them.

Next, it will copy itself with a randomly generated filename into the SYSTEM directory [ex: "c5edc58aEff.EXE"] - that filename will be registered in HKLM\Software\Microsoft\Windows\CurrentVersion\Run as the "Avril Laginge - Muse" key to allow itself to start each time Windows starts.

It also copies itself into the temporary directory.

Files matching the following patterns are scanned for valid e-mail addresses:

".DBX", ".MBX", ".WAB", ".HTML", ".EML", ".HTM", ".TBB", ".SHTML",
".NCH", ".IDX".
Naith will mass mail itself using one of the following patterns:

Subject:

Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header

Attachment filename:

"Resume.exe", "Download.exe", "MSO-Patch-0071.exe",
"MSO-Patch-0035.exe", "Two-Up-Secretly.exe", "Transcripts.exe",
"Readme.exe", "AvrilSmiles.exe", "AvrilLavigne.exe", "Complicated.exe",
"Singles.exe", "Sophos.exe", "Cogito_Ergo_Sum.exe",
"CERT-Vuln-Info.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe".

Naith also uses the HTML/Iframe_Exploit, which allows itself to run without user interaction on unpatched systems.

Body:

Restricted area response team (RART)

Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch

or

Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0
that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability
and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so
to apply the patch immediately.

Patch is also provided to subscribed list of Microsoft® Tech Support:


Naith also acts like a Kazaa worm, copying itself into the Kazaa shared folder with one of the same filenames that it uses for attachments.

It also drops a script.ini mIRC script, used to send itself via IRC when a new user joins a channel.

If the ICQ instant messenger is installed, Naith attempts to send itself to all the contacts listed in the Contact list.

A text file named "avril-ii.inf" is created in the temporary directory, with the following contents:

2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...

I'm back to the scene with one more gift |Avril-II| (remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
Greetz to Brigada Ocho (http://vx.netlux.org/~b8), Darkside Project (http://darkside.dtn.ru) and Weisses Fleisch Project (http://wf.h1.ru)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper will be included next time

Cheerz, Otto (www.otto-koden.h1.ru)

Naith is also a password stealer, sending confidential data to "otto_psws@smtp.ru".

If the current day of the month is 7, 11 or 24, the payload routine will be called. First, it will open the following URL in the current internet browser:
http://www.avril-lavigne.com
Next, the string "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg" will be continuously displayed on the desktop during a graphical effect.

-- 

*Sorin Mustaca*
Software Engineer RAV Division

www.RAVAntivirus.com <http://www.RAVAntivirus.com>

sorin.mustaca@ravantivirus.com
ICQ:68199572 AIM:mustacasorin MSN:sorin_mustaca@hotmail.com
Received on Wed Jan 8 13:54:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT
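A mail-gateway triage check built from the description above, as an added example (it is not code from RAV, from the original message, or from the worm). It parses a raw RFC 822 message with Python's standard library, scores the Subject and attachment names against the lists given in the description, and flags an HTML part whose `<iframe>` points at an attached executable through a `cid:` URL. That last check is my own assumption about what the description calls HTML/Iframe_Exploit; the two sample messages are constructed here for the demonstration and are not captured samples.

```python
import email
import re

# Subject lines and attachment names, copied from the description above.
NAITH_SUBJECTS = frozenset({
    "Fw: Prohibited customers...", "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit", "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security", "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger", "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
})
NAITH_ATTACHMENTS = frozenset({
    "Resume.exe", "Download.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Two-Up-Secretly.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "AvrilLavigne.exe", "Complicated.exe", "Singles.exe", "Sophos.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe",
})

# Assumption: the iframe trick is an <iframe src="cid:..."> that references an
# attached executable, so a vulnerable mail client runs it on rendering.
IFRAME_CID = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def triage(raw_message: str) -> dict:
    """Parse one RFC 822 message and return the Naith indicators it matches."""
    msg = email.message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    known_subject = subject in NAITH_SUBJECTS
    if known_subject:
        hits.append(f"subject matches worm template: {subject!r}")

    known_attachment = False
    attachments = {}  # Content-ID (without angle brackets) -> filename
    html_bodies = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            cid = (part.get("Content-ID") or "").strip().strip("<>")
            attachments[cid] = filename
            if filename in NAITH_ATTACHMENTS:
                known_attachment = True
                hits.append(f"attachment name matches worm template: {filename!r}")
            elif filename.lower().endswith(".exe"):
                hits.append(f"executable attachment: {filename!r}")
        elif part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html_bodies.append(payload.decode("latin-1", "replace"))

    # Resolve every iframe cid: reference against the attachments seen above.
    iframe_exec = False
    for html in html_bodies:
        for cid in IFRAME_CID.findall(html):
            target = attachments.get(cid)
            if target and target.lower().endswith(".exe"):
                iframe_exec = True
                hits.append(f"iframe src=cid:{cid} targets executable {target!r}")

    if iframe_exec or (known_subject and known_attachment):
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


# Constructed sample (not a capture): a message shaped like the lure above.
SAMPLE_WORM_MAIL = """\
From: rart@example.invalid
To: user@example.invalid
Subject: Re: Reply on account for IIS-Security
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="iso-8859-1"

<html><body>Restricted area response team (RART)<br>
<iframe src="cid:mso-patch" width="0" height="0"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="MSO-Patch-0071.exe"
Content-Transfer-Encoding: base64
Content-ID: <mso-patch>
Content-Disposition: attachment; filename="MSO-Patch-0071.exe"

AAAAAAAAAAAA
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN_MAIL = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Re: meeting notes
Content-Type: text/plain; charset="us-ascii"

Notes are on the wiki, see you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("worm-shaped", SAMPLE_WORM_MAIL), ("benign", SAMPLE_CLEAN_MAIL)):
        result = triage(raw)
        print(label, result["verdict"], *result["hits"], sep="\n  ")
```

The iframe check alone is enough for a block verdict, because it does not depend on the attacker keeping the subject and attachment names from this variant; the name lists only raise a plain executable attachment from "review" to "block" when both match.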