MultiLevel.3072
Description MultiLevel.3072
It is a very dangerous memory resident polymorphic and stealth parasitic virus. When an infected file is executed the virus traces INT 21h to get its original address, hooks INT 22h (DOS function Terminate), releases control and waits for the host program to terminate. Then it hooks INT 21h and stays memory resident. When files are accessed the virus infects them. When an infected file is read, written or opened the virus calls its stealth routine, and in some cases disinfects the file. While infecting a file the virus generates polymorphic code that contains several decryption loops; the number of loops depends on the system timer. The virus checks the file name and does not infect files matching these patterns:
*AIDS*.EXE *CHKD*.EXE *WEB*.EXE *SCAN*.EXE *PROT*.EXE *AR*.EXE *ZI*.EXE *TB*.EXE *COMM*.COM *WIN*.COM
Depending on the system date (Sunday the 2nd, Monday the 4th, Tuesday the 6th, Wednesday the 8th, Thursday the 10th or Saturday the 12th) the virus erases hard drive sectors and reboots the computer. The virus contains the text strings:
Multilevel Encryptor v1.0. Generation: -=Killer=- 8 in 1
I-Worm.Avron.a
Description I-Worm.Avron.a
This is a worm that spreads via the Internet, attached to infected emails, and through the local network by copying itself to shared network drives. The worm has password stealing routines. The worm itself is a Windows PE EXE file written in Microsoft Visual C++. Its size varies with the version:
I-Worm.Avron.a: 26Kb (compressed by UPX, decompressed size about 57Kb)
I-Worm.Avron.b: 34Kb (compressed by UPX)
I-Worm.Avron.b: 33Kb (compressed by UPX)
The worm has bugs in its code and fails to spread under some system conditions.
Installing
While installing, the worm copies itself to the Windows system directory under a random name, for example:
2dadd52doc.ex ef23h672.exe
and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
I-Worm.Avron.a: Mortimer = %worm file name%
I-Worm.Avron.b, I-Worm.Avron.c: Avril Lavigne - Muse = %worm file name%
Spreading: E-Mail
The worm looks for victim emails in the WAB database, and also looks for files with the following extensions and extracts email-like strings from them:
.DBX .MBX .WAB .HTML .EML .HTM .ASP .SHTML
To send infected emails the worm connects to the default SMTP server. The infected messages are built as follows. The "From" field holds a real sender address, either one of the real email addresses found on the computer (see above) or one randomly selected from the list:
IIS Exchange Board IREX/ORG RART Team Stimon online Rudolf Ginsberg Avril Lavigne ACTR/Accels
The "Subject" is randomly selected from the variants:
I-Worm.Avron.a:
Fw: IREX Fields Description
Re: ACCELS Awards results for 2003
Re: Avril Fans will rock you
Fw: Avril Lavigne - the best
Re: Antique themes
Re: ACTR/ACCELS Transcriptions
I-Worm.Avron.b:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purges Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - dont miss it!
Fwd: RFC-0245 Specification requestedall
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
I-Worm.Avron.c:
Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
The message "Body" is in HTML format and is randomly selected from the variants:
I-Worm.Avron.a:
Body1: EDUCATIONAL PURPOSE Avril fans subscription I wish you the sweetest thing
Body2: Restricted area response team (RART)
Attachment you sent to %random worm% is really good :-) Well done!
SMTP session error #450: service not ready
Body3: >See this in attached files >>New PICS of Avril Lavigne!!! >>It is honourable when you do it!!!
I-Worm.Avron.b: Body1: Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support: Patch : Date :
Body2: Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch Body3: Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
Body4: AVRIL LAVIGNE - THE CHART ATTACK! Vote fo4r Complicated! Vote fo4r Sk8er Boi! Vote fo4r I'm with you! Chart attack active list:
I-Worm.Avron.c: Body1: Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft® Tech Support:
Body2: Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch Body3: Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
The attached file name is randomly selected from the list:
I-Worm.Avron.a: Resume.exe ACTR_Form.exe AvrilFans.exe PDF_Desc.exe XXX_Teens.exe Transcripts.exe Readme.exe AvrilSmiles.exe
I-Worm.Avron.b: Resume.exe ADialer.exe MSO-Patch-0071.exe MSO-Patch-0035.exe Two-Up-Secretly.exe Transcripts.exe Readme.exe AvrilSmiles.exe AvrilLavigne.exe Complicated.exe TrickerTape.exe Sophos.exe Cogito_Ergo_Sum.exe CERT-Vuln-Info.exe Sk8erBoi.exe IAmWiThYoU.exe Phantom.exe EntradoDePer.exe SiamoDiTe.exe BioData.exe ALavigne.exe
I-Worm.Avron.c: Resume.exe Download.exe MSO-Patch-0071.exe MSO-Patch-0035.exe Two-Up-Secretly.exe Transcripts.exe Readme.exe AvrilSmiles.exe AvrilLavigne.exe Complicated.exe Singles.exe Sophos.exe Cogito_Ergo_Sum.exe CERT-Vuln-Info.exe Sk8erBoi.exe IAmWiThYoU.exe
While spreading the worm creates a temporary "NewBoot.sys" file in the Temp directory. The worm also creates "listrecp.dll" in the Windows directory and writes the list of victim emails to it. The worm randomly uses the "IFrame" security breach to run automatically from infected messages. In the remaining cases the infected messages are "pure" HTML messages without an "IFrame" tag.
Spreading: Network
The worm copies itself under random names to the RECYCLED directory on all available logical drives (including shared network drives). If there is no RECYCLED directory, the worm copies itself to the drive root. To run on an affected machine the worm adds a command to the "autoexec.bat" file on the same drive.
Spreading: ICQ and IRC
The "b" and "c" variants of the worm search for the "ICQMapi.dll" library and try to send their copies to the recipients in the ICQ Contact List. They also create the "script.ini" file in the mIRC directory, so that their copies are sent to the IRC channels the user connects to.
Spreading: Kazaa
The "b" and "c" variants of the worm copy themselves to the Kazaa shared directory under a random name.
Password Stealing Routine
This routine enumerates cached passwords and sends them to the "otto_psws@pochta.ws" email address with the "Password Got" subject.
Payload
On the 7th and 24th of any month the worm starts a routine that randomly moves the mouse cursor on the screen, and then opens the Web page: http://www.avril-lavigne.com
The "b" and "c" modifications of the worm execute the same payload on the 11th day of any month, too.
Other
The worm also starts a routine that continuously looks for active anti-virus and firewall processes and tries to terminate them. The worm creates a text file with a random name and .TXT extension in the Temp directory and writes the following text to it:
I-Worm.Avron.a: Author ------> 2002 (c) Otto von Gutenberg Made in -----> Almaty .::]Kazakhstan[::. (:;)--:> Purpose -----> Only Educational Virus name --> AVRIL (please do not change it)
[ATTENTION] The author has no response of the damages caused by AVRIL.
[DESCRIPTION] For my lovely Avril Lavigne dedicated. She lives in Canada and she's beautiful. This is for AV companies: Why? Why? Why don't you update your KB (knowledge bases) on my serial and yet serious masterpieces?! I guess that of AVRIL will get you thought of it. NO DESTRUCTIVE ACTION!
[ACKNOWLEDGEMENT] Antoher V0X & Hacker Group from Central Asia Thanx to Rage, Razum and V-HiV; coderz.net, indovirus.net, securitylab.ru etc.
Thank you for ideas approach to us!!! Bye
I-Worm.Avron.b: 2002 (c) Otto von Gutenberg Made in .::]|KaZAkHstaN|[::. As stated before, purpose is only educational, however... I'm back to the scene with one more gift |Avril-II| (remember 'A' version of Avril-II) HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER Avril-II is commonly dangerous because of its over-trojaned issues ~Greetz to Brigada Ocho (http://vx.netlux.org/~b8), Darkside Project(http://darkside.dtn.ru) and Weisses Fleisch Project (http://wf.h1.ru) ~Greetz to Rocco (http://primatelost.net) Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly) BackOrifice-server dropper included
P.S.> How is my work?
Cheerz, Otto (www.otto-koden.h1.ru)
I-Worm.Avron.c: 2002 (c) Otto von Gutenberg Made in .::]|KaZAkHstaN|[::. As stated before, purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II| (remember 'A' version of Avril-II) HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER Avril-II is commonly dangerous because of its over-trojaned issues Greetz to Brigada Ocho (http://vx.netlux.org/~b8), Darkside Project (http://darkside.dtn.ru) and Weisses Fleisch Project (http://wf.h1.ru) Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly) BackOrifice-server dropper will be included next time
Cheerz, Otto (www.otto-koden.h1.ru)
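As an added detection example (not part of the original description), the following Python function checks registry and file-system data for the persistence indicators named above: the auto-run value names "Mortimer" and "Avril Lavigne - Muse", the dropped "listrecp.dll" and "NewBoot.sys" files, and an "autoexec.bat" line that starts a copy from the RECYCLED directory. The input dictionaries and sample values are constructed for this example; a real collector would read them from the registry and disk.

```python
import re

# Auto-run value names the description gives for the I-Worm.Avron variants.
AVRON_RUN_VALUES = {
    "Mortimer": "I-Worm.Avron.a",
    "Avril Lavigne - Muse": "I-Worm.Avron.b/c",
}
# Dropped files the description names, keyed by the directory they land in.
AVRON_FILES = {"listrecp.dll": "windows", "newboot.sys": "temp"}
# An autoexec.bat line that launches an EXE placed in RECYCLED on the same drive.
RECYCLED_EXE = re.compile(r"\\RECYCLED\\[^\\\s]+\.exe\b", re.IGNORECASE)


def check_avron(run_values, files, autoexec_lines):
    """Return a list of (indicator, detail) findings.

    run_values: {value name: data} read from the CurrentVersion Run key
    files: {'windows' | 'temp': [file names]} directory listings
    autoexec_lines: lines of a drive-root autoexec.bat
    All three are supplied by the caller (constructed in this example).
    """
    findings = []
    for name, data in run_values.items():
        variant = AVRON_RUN_VALUES.get(name)
        if variant:
            findings.append(("run-key", f"{name} = {data} ({variant})"))
    for fname, role in AVRON_FILES.items():
        if fname in (f.lower() for f in files.get(role, [])):
            findings.append(("dropped-file", f"{fname} in {role} directory"))
    for line in autoexec_lines:
        if RECYCLED_EXE.search(line):
            findings.append(("autoexec", line.strip()))
    return findings


# Constructed sample input: one benign Run value, one Avron value, a dropped
# listrecp.dll, and an autoexec.bat that starts a copy from RECYCLED.
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "Mortimer": "C:\\WINDOWS\\SYSTEM\\x7f3k2q1.exe",  # constructed file name
}
SAMPLE_FILES = {"windows": ["listrecp.dll", "win.ini"], "temp": ["~df1a2b.tmp"]}
SAMPLE_AUTOEXEC = ["@ECHO OFF", "C:\\RECYCLED\\q9z4ab.exe"]  # constructed

if __name__ == "__main__":
    for kind, detail in check_avron(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_AUTOEXEC):
        print(f"{kind}: {detail}")
```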
I-Worm.BadAss
Description I-Worm.BadAss
This is a virus-worm that spreads via the Internet using MS Outlook. The worm itself is a Windows EXE file about 25Kb in length, written in VisualBasic. The worm seems to be based on the "Melissa" macro-virus worm: the functions and sequence of instructions in the worm code are very similar to the "Melissa" source code. It seems that this worm was compiled from a slightly modified "Melissa" source. The worm is transferred over the net in e-mail messages with an infected attachment. The original attachment has the name BADASS.EXE, but it is possible to rename the EXE file manually, and it will then spread under the new name. When an infected message is received and the attached EXE file is executed, the worm gains control and starts its main routine. This routine displays message boxes, then runs the infection routine, which opens the Outlook database, obtains e-mail addresses from the Address Book and sends infected messages to the addresses found. The subject of the infected messages contains the text "Moguh.." and the message text is "Dit is wel grappig! :-)". The first message box displayed by the worm appears as follows:
Kernel32
An error has occured probably because your c**t smells bad. Is this really so?
[ Yes ] [ No ]
When the mouse cursor moves towards the [No] button, the worm moves that button to the other side, to the left of [Yes], and moves it back again when the cursor approaches it there, and so on until [Yes] is clicked:
[ Yes ] [ No ]
[ No ] [ Yes ]
[ Yes ] [ No ]
So the worm does not allow one to click the [No] button. When the [Yes] button is pressed, the worm displays another message and runs its infection routine:
WIN32
Contact your local supermarket for toiletpaper and soap to solve this problem.
[ OK ]