I-Worm.Avron.a
Description I-Worm.Avron.a
This is a worm virus that spreads via the Internet as an attachment to infected e-mails and through the local network by copying itself to shared network drives. The worm has password-stealing routines.

The worm itself is a Windows PE EXE file written in Microsoft Visual C++. Its size varies with the version:

I-Worm.Avron.a: 26Kb (compressed by UPX, decompressed size about 57Kb)
I-Worm.Avron.b: 34Kb (compressed by UPX)
I-Worm.Avron.b: 33Kb (compressed by UPX)

The worm has bugs in its code and fails to spread under some system conditions.

Installing

While installing, the worm copies itself to the Windows system directory under a random name, for example:

2dadd52doc.exe
f23h672.exe
It also registers that file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

I-Worm.Avron.a: Mortimer = %worm file name%
I-Worm.Avron.b, I-Worm.Avron.c: Avril Lavigne - Muse = %worm file name%
Spreading: E-Mail

The worm looks for victim e-mail addresses in the WAB database, and also scans files with the following extensions for e-mail-like strings:

.DBX .MBX .WAB .HTML .EML .HTM .ASP .SHTML
To send infected e-mails the worm connects to the default SMTP server. The infected messages are built as follows.

The "From" field contains a real sender's address: either one of the real e-mail addresses found on the computer (see above), or one randomly selected from this list:

IIS Exchange Board
IREX/ORG
RART Team
Stimon online
Rudolf Ginsberg
Avril Lavigne
ACTR/Accels
The "Subject" is randomly selected from these variants:

I-Worm.Avron.a:
Fw: IREX Fields Description
Re: ACCELS Awards results for 2003
Re: Avril Fans will rock you
Fw: Avril Lavigne - the best
Re: Antique themes
Re: ACTR/ACCELS Transcriptions

I-Worm.Avron.b:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purges Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - dont miss it!
Fwd: RFC-0245 Specification requestedall
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?

I-Worm.Avron.c:
Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
The message "Body" is in HTML format and is randomly selected from these variants:

I-Worm.Avron.a:

Body1:
EDUCATIONAL PURPOSE
Avril fans subscription
I wish you the sweetest thing

Body2:
Restricted area response team (RART)
Attachment you sent to %random worm% is really good :-) Well done!
SMTP session error #450: service not ready

Body3:
>See this in attached files
>>New PICS of Avril Lavigne!!!
>>It is honourable when you do it!!!
I-Worm.Avron.b:

Body1:
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
to apply the patch immediately.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so
Patch is also provided to subscribed list of Microsoft Tech Support:
Patch :
Date :

Body2:
Restricted area response team (RART)
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch

Body3:
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below

Body4:
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:

I-Worm.Avron.c:

Body1:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
to apply the patch immediately.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so
Patch is also provided to subscribed list of Microsoft® Tech Support:

Body2:
Restricted area response team (RART)
Attachment you sent to %s is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch

Body3:
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below
The attached file name is randomly selected from the list:

I-Worm.Avron.a:
Resume.exe
ACTR_Form.exe
AvrilFans.exe
PDF_Desc.exe
XXX_Teens.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe

I-Worm.Avron.b:
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe

I-Worm.Avron.c:
Resume.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
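The subject lines, executable attachment names and HTML bodies listed above are the message traits a mail gateway can check for. The following Python script is an added example (not part of the original description) that parses one raw message with the standard library and reports those traits, including the <iframe> element used by the "IFrame" auto-run variant described in the next section; the sample message and its placeholder attachment are constructed here.

```python
import email
from email import policy

# Indicator strings taken from the description above (a subset of each list).
AVRON_SUBJECTS = {"Fw: Avril Lavigne - the best", "Re: ACTR/ACCELS Transcriptions",
                  "Re: Reply on account for IFRAME-Security breach"}
AVRON_ATTACHMENTS = {"Resume.exe", "AvrilFans.exe", "Transcripts.exe",
                     "MSO-Patch-0071.exe", "CERT-Vuln-Info.exe"}

def inspect_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report the Avron traits found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "subject_match": str(msg.get("Subject", "")).strip() in AVRON_SUBJECTS,
        "exe_attachment": None,        # file name of the first .exe attachment
        "known_attachment_name": False,
        "iframe_in_html": False,       # the auto-run trick noted in the text
    }
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".exe"):
            findings["exe_attachment"] = name
            findings["known_attachment_name"] = name in AVRON_ATTACHMENTS
        elif part.get_content_type() == "text/html":
            # get_content() undoes the transfer encoding and charset for us
            if "<iframe" in part.get_content().lower():
                findings["iframe_in_html"] = True
    # Flag an executable combined with a known subject or an IFRAME body; the
    # individual traits are returned so a gateway can log or score them too.
    findings["suspicious"] = bool(findings["exe_attachment"]) and (
        findings["subject_match"] or findings["iframe_in_html"])
    return findings

# Constructed sample message; the "attachment" is plain text, not a program.
SAMPLE_EML = b"""From: Avril Lavigne <sender@example.invalid>
Subject: Fw: Avril Lavigne - the best
Content-Type: multipart/mixed; boundary="avron-sample"

--avron-sample
Content-Type: text/html; charset="us-ascii"

<html><body>Avril fans subscription<br>
<iframe src="cid:attachment"></iframe></body></html>
--avron-sample
Content-Type: application/octet-stream; name="AvrilFans.exe"
Content-Disposition: attachment; filename="AvrilFans.exe"

(placeholder text, not an executable)
--avron-sample--
"""
```

Running inspect_message(SAMPLE_EML) marks the constructed message suspicious on all three traits, while a plain-text message with no attachment is not flagged.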
While spreading, the worm creates a temporary "NewBoot.sys" file in the Temp directory. The worm also creates "listrecp.dll" in the Windows directory and writes the list of victim e-mail addresses there. The worm randomly uses the "IFrame" security breach to run automatically from infected messages; in the remaining cases the infected messages are "pure" HTML messages without an "IFrame" tag.

Spreading: Network

The worm copies itself under random names to the RECYCLED directory on all available logical drives (including shared network drives). If there is no RECYCLED directory, the worm copies itself to the root of the drive. To run on an affected machine, the worm adds a command to the "autoexec.bat" file on the same drive.

Spreading: ICQ and IRC

The "b" and "c" variants of the worm search for the "ICQMapi.dll" library and try to send their copies to the recipients in the ICQ Contact List. They also create the "script.ini" file in the mIRC directory, so that their copies are sent to the IRC channels the user connects to.

Spreading: Kazaa

The "b" and "c" variants of the worm copy themselves to the Kazaa shared directory under a random name.

Password Stealing Routine

This routine enumerates cached passwords and sends them to the "otto_psws@pochta.ws" e-mail address with the subject "Password Got".

Payload

On the 7th and 24th of any month the worm starts a routine that randomly moves the mouse cursor on the screen and then opens the Web page:

http://www.avril-lavigne.com

The "b" and "c" modifications of the worm execute the same payload on the 11th day of any month, too.

Other

The worm also starts a routine that permanently looks for active anti-virus and firewall processes and tries to terminate them.

The worm creates a text file with a random name and the .TXT extension in the Temp directory and writes the following text there:

I-Worm.Avron.a:

Author ------> 2002 (c) Otto von Gutenberg
Made in -----> Almaty .::]Kazakhstan[::. (:;)--:>
Purpose -----> Only Educational
Virus name --> AVRIL (please do not change it)
[ATTENTION] The author has no response of the damages caused by AVRIL.
[DESCRIPTION] For my lovely Avril Lavigne dedicated. She lives in Canada and she's beautiful. This is for AV companies: Why? Why? Why don't you update your KB (knowledge bases) on my serial and yet serious masterpieces?! I guess that of AVRIL will get you thought of it. NO DESTRUCTIVE ACTION!
[ACKNOWLEDGEMENT] Antoher V0X & Hacker Group from Central Asia Thanx to Rage, Razum and V-HiV; coderz.net, indovirus.net, securitylab.ru etc.
Thank you for ideas approach to us!!! Bye
I-Worm.Avron.b:

2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II| (remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
~Greetz to Brigada Ocho (http://vx.netlux.org/~b8), Darkside Project(http://darkside.dtn.ru) and Weisses Fleisch Project (http://wf.h1.ru)
~Greetz to Rocco (http://primatelost.net)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper included
P.S.> How is my work?
Cheerz, Otto (www.otto-koden.h1.ru)
I-Worm.Avron.c:

2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II| (remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
Greetz to Brigada Ocho (http://vx.netlux.org/~b8), Darkside Project (http://darkside.dtn.ru) and Weisses Fleisch Project (http://wf.h1.ru)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper will be included next time
Cheerz, Otto (www.otto-koden.h1.ru)
HongKang.1904
Description HongKang.1904
This is a very dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or accessed through the DOS FindFirst/FindNext FCB functions (the DIR command). The virus has a bug and cannot infect files under "standard" DOS. On April 7th it decrypts and displays the message:

Celebrate HongKang return to CHINA 1997 !

The virus then deletes files instead of infecting them.
HongKong.4056
Description HongKong.4056
This is a relatively harmless, memory-resident, encrypted parasitic virus. It writes itself to the end of COM files (except COMMAND.COM), to the middle of EXE files and to the MBR of the hard drive. When an infected file is executed, the virus infects the MBR of the hard drive, hooks INT 13h and 21h (as it also does when loaded from an infected MBR), and then infects files as they are executed. Through the INT 13h hook the virus implements its stealth routine: it intercepts reads and writes of the infected MBR sector. When an infected file is executed, the virus checks the command line. Depending on some characteristic of this line (a double-byte Chinese character?), the virus either disinfects the MBR or displays the following message:

HONG KONG 1997

This message is also displayed by the virus on July 1st.

The virus uses several tricks. While infecting the MBR, it fills the Disk Partition Table with data that causes MS-DOS (including DOS 7.0) to enter an endless loop when booting from a floppy disk. As a result, it is not possible to detect or disinfect this virus by booting from a clean floppy disk with an anti-virus or data rescue tool. The second trick is on-the-fly encryption/decryption using the Trace mode (INT 1): 90% of the virus's assembler instructions are interleaved with random junk bytes, and by executing in trace mode the virus skips these junk bytes.