Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: Disrupts antivirus software
Detection files published: 06 Jan 2003 03:00:00
Description created: 07 Jan 2003 01:39:00
Description updated: 26 Feb 2003 03:42:00
Malware type: WORM
Aliases: W32/Naith.A, WORM_LIRVA.A, W32/Avril.A
Spreading mechanism: EMAIL, IRC, NETWORK, OTHER
Summary: None

W32/Lirva.A@mm

Spreading

The subject of the email varies according to the list below:

Fw: Prohibited customers
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re:Reply on account for Incorrect MIME-header

The attachment name varies according to the list below:

Resume.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe

The mail body is also variable, put together from a few options.

When the worm spreads via email, the user may be infected merely by previewing or opening the mail in Outlook/Outlook Express. This is accomplished using a known security hole, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" (Outlook and Outlook Express render HTML mail with the Internet Explorer engine, which is why an IE bug is reachable from the preview pane). Information and a patch are available from: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

The security hole is a known issue with Internet Explorer versions 5.01 and 5.5 without SP2. Users who have this configuration should apply the available patch.
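The following scanner is an added example written for this page; it is not Lumension's code and not the worm's. It checks a raw e-mail against the lure subjects and attachment names listed above, and separately flags the MS01-020-style pattern of an executable body declared under a media Content-Type, which is what lets a vulnerable IE/Outlook client run the attachment on preview. The set of auto-rendered media types, the function names and the two sample messages are assumptions constructed here, not captured W32/Lirva.A samples.

```python
"""Added example, not from the original page: match a raw RFC 822 message
against the W32/Lirva.A lures and the MS01-020 attachment trick."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names copied from the description above.
LURE_SUBJECTS = {s.casefold() for s in (
    "Fw: Prohibited customers", "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit", "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security", "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger", "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re:Reply on account for Incorrect MIME-header",
)}
LURE_ATTACHMENTS = {a.casefold() for a in (
    "Resume.exe", "Download.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Two-Up-Secretly.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "AvrilLavigne.exe", "Complicated.exe", "Singles.exe", "Sophos.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe",
)}
# Media types an MS01-020-vulnerable client rendered inline without prompting.
# Assumption: a generic heuristic, not a claim about the exact header Lirva emits.
AUTO_RENDER_TYPES = {"audio/x-wav", "audio/x-midi"}


def scan_message(raw: bytes) -> list[str]:
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    if subject.casefold() in LURE_SUBJECTS:
        findings.append(f"lure subject: {subject!r}")
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        if name.casefold() in LURE_ATTACHMENTS:
            findings.append(f"lure attachment name: {name}")
        # A PE/DOS executable starts with "MZ"; a .exe name is the cheaper tell.
        looks_executable = body.startswith(b"MZ") or name.casefold().endswith(".exe")
        if looks_executable and ctype in AUTO_RENDER_TYPES:
            findings.append(f"MS01-020 pattern: executable {name or '<unnamed>'} declared as {ctype}")
    return findings


def build_sample() -> bytes:
    """Constructed message in the shape the description implies (not a capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Fw: Avril Lavigne - the best"
    msg.set_content("constructed body text\n")
    fake_exe = b"MZ" + b"\x00" * 62  # stub DOS header only, constructed
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-wav",
                       filename="AvrilLavigne.exe")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed plain-text message that should produce no findings."""
    msg = EmailMessage()
    msg["Subject"] = "Re: lunch"
    msg.set_content("Are we still on for lunch?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The filename check alone would miss a renamed lure; the Content-Type check catches the actual trick the bulletin describes regardless of name, so keep both and alert on either.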

Payload Details

The worm enumerates and kills processes belonging to these programs:

KPF.EXE
KPFW32.EXE
_AVPM.EXE
AUTODOWN.EXE
AVKSERV.EXE
AVPUPD.EXE
BLACKD.EXE
CFIND.EXE
CLEANER.EXE
ECENGINE.EXE
F-PROT.EXE
FP-WIN.EXE
IAMSERV.EXE
ICLOADNT.EXE
IFACE.EXE
LOOKOUT.EXE
N32SCAN.EXE
NAVW32.EXE
NORMIST.EXE
PADMIN.EXE
PCCWIN98.EXE
RAV7WIN.EXE
SCAN95.EXE
SMC.EXE
TCA.EXE
VETTRAY.EXE
VSSTAT.EXE
ACKWIN32.EXE
AVCONSOL.EXE
AVPNT.EXE
AVPDOS32.EXE
AVSCHED32.EXE
BLACKICE.EXE
EFINET32.EXE
CLEANER3.EXE
ESAFE.EXE
F-PROT95.EXE
FPROT.EXE
IBMASN.EXE
ICMOON.EXE
IOMON98.EXE
LUALL.EXE
NAVAPW32.EXE
NAVWNT.EXE
NUPGRADE.EXE
PAVCL.EXE
PCFWALLICON.EXE
RESCUE.EXE
SCANPM.EXE
SPHINX.EXE
TDS2-98.EXE
VSSCAN40.EXE
WEBSCANX.EXE
WEBSCAN.EXE
ANTI-TROJAN.EXE
AVE32.EXE
AVP.EXE
AVPM.EXE
AVWIN95.EXE
CFIADMIN.EXE
CLAW95.EXE
DVP95.EXE
ESPWATCH.EXE
F-STOPW.EXE
FRW.EXE
IBMAVSP.EXE
ICSUPP95.EXE
JED.EXE
MOOLIVE.EXE
NAVLU32.EXE
NISUM.EXE
NVC95.EXE
NAVSCHED.EXE
PERSFW.EXE
SAFEWEB.EXE
SCRSCAN.EXE
SWEEP95.EXE
TDS2-NT.EXE
VSECOMR.EXE
WFINDV32.EXE
AVPCC.EXE
_AVPCC.EXE
APVXDWIN.EXE
AVGCTRL.EXE
_AVP32.EXE
AVPTC32.EXE
AVWUPD32.EXE
CFIAUDIT.EXE
CLAW95CT.EXE
DV95_O.EXE
DV95.EXE
F-AGNT95.EXE
FINDVIRU.EXE
IAMAPP.EXE
ICLOAD95.EXE
ICSSUPPNT.EXE
LOCKDOWN2000.EXE
MPFTRAY.EXE
NAVNT.EXE
NMAIN.EXE
OUTPOST.EXE
NAVW.EXE
RAV7.EXE
SCAN32.EXE
SERV95.EXE
TBSCAN.EXE
VET95.EXE
VSHWIN32.EXE
ZONEALARM.EXE
AVPMON.EXE
AVP32.EXE

In addition, the worm will find the cached passwords on the infected computer and attempt to email them to the author.

Depending on the date, the worm will open a web browser to www.avril-lavigne.com and then display a graphical effect.
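A practical use of the kill list above is behavioural detection: a single security process exiting is routine, but several of them exiting within seconds of each other is the signature of this payload (and of many later worms that copied it). The detector below is an added example for this page, not Lumension's code. It reads a constructed, simplified process-exit log ("ISO timestamp, space, image path" per line, standing in for whatever your EDR or Sysmon Event ID 5 export actually produces), keeps only exits of images on the list, and reports any burst of at least `threshold` distinct listed images within `window` of the burst's first exit. The log format, function names and sample lines are assumptions.

```python
"""Added example, not from the original page: flag bursts of security-product
process terminations matching the W32/Lirva.A kill list."""
from datetime import datetime, timedelta

# Image names W32/Lirva.A terminates, copied from the payload description above.
LIRVA_KILL_LIST = set("""
KPF.EXE KPFW32.EXE _AVPM.EXE AUTODOWN.EXE AVKSERV.EXE AVPUPD.EXE BLACKD.EXE CFIND.EXE
CLEANER.EXE ECENGINE.EXE F-PROT.EXE FP-WIN.EXE IAMSERV.EXE ICLOADNT.EXE IFACE.EXE LOOKOUT.EXE
N32SCAN.EXE NAVW32.EXE NORMIST.EXE PADMIN.EXE PCCWIN98.EXE RAV7WIN.EXE SCAN95.EXE SMC.EXE
TCA.EXE VETTRAY.EXE VSSTAT.EXE ACKWIN32.EXE AVCONSOL.EXE AVPNT.EXE AVPDOS32.EXE AVSCHED32.EXE
BLACKICE.EXE EFINET32.EXE CLEANER3.EXE ESAFE.EXE F-PROT95.EXE FPROT.EXE IBMASN.EXE ICMOON.EXE
IOMON98.EXE LUALL.EXE NAVAPW32.EXE NAVWNT.EXE NUPGRADE.EXE PAVCL.EXE PCFWALLICON.EXE RESCUE.EXE
SCANPM.EXE SPHINX.EXE TDS2-98.EXE VSSCAN40.EXE WEBSCANX.EXE WEBSCAN.EXE ANTI-TROJAN.EXE AVE32.EXE
AVP.EXE AVPM.EXE AVWIN95.EXE CFIADMIN.EXE CLAW95.EXE DVP95.EXE ESPWATCH.EXE F-STOPW.EXE
FRW.EXE IBMAVSP.EXE ICSUPP95.EXE JED.EXE MOOLIVE.EXE NAVLU32.EXE NISUM.EXE NVC95.EXE
NAVSCHED.EXE PERSFW.EXE SAFEWEB.EXE SCRSCAN.EXE SWEEP95.EXE TDS2-NT.EXE VSECOMR.EXE WFINDV32.EXE
AVPCC.EXE _AVPCC.EXE APVXDWIN.EXE AVGCTRL.EXE _AVP32.EXE AVPTC32.EXE AVWUPD32.EXE CFIAUDIT.EXE
CLAW95CT.EXE DV95_O.EXE DV95.EXE F-AGNT95.EXE FINDVIRU.EXE IAMAPP.EXE ICLOAD95.EXE ICSSUPPNT.EXE
LOCKDOWN2000.EXE MPFTRAY.EXE NAVNT.EXE NMAIN.EXE OUTPOST.EXE NAVW.EXE RAV7.EXE SCAN32.EXE
SERV95.EXE TBSCAN.EXE VET95.EXE VSHWIN32.EXE ZONEALARM.EXE AVPMON.EXE AVP32.EXE
""".split())

# Constructed sample log (assumed format: "<ISO timestamp> <image path>").
# One benign exit, a four-process burst, then an isolated exit hours later.
SAMPLE_LOG = r"""
2003-01-07T09:15:02 C:\WINNT\system32\notepad.exe
2003-01-07T09:15:03 C:\Program Files\Norton AntiVirus\NAVW32.EXE
2003-01-07T09:15:03 C:\Program Files\Zone Labs\ZoneAlarm\ZONEALARM.EXE
2003-01-07T09:15:04 C:\Program Files\Kaspersky Lab\AVP32.EXE
2003-01-07T09:15:05 C:\Program Files\Network ICE\BlackICE\BLACKICE.EXE
2003-01-07T12:40:11 C:\Program Files\Norton AntiVirus\NAVW32.EXE
""".strip().splitlines()


def parse_exit_log(lines):
    """Yield (timestamp, IMAGE.EXE) for each non-empty line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, _, path = line.partition(" ")  # path may itself contain spaces
        image = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        yield datetime.fromisoformat(ts_text), image


def detect_av_kill_burst(lines, window=timedelta(seconds=10), threshold=3):
    """Return [(start, end, sorted image names)] for every burst of at least
    `threshold` distinct kill-list images exiting within `window` of the
    burst's first exit.  Non-listed images are ignored entirely."""
    events = sorted((ts, img) for ts, img in parse_exit_log(lines)
                    if img in LIRVA_KILL_LIST)
    bursts = []
    start = end = None
    names = set()
    for ts, img in events:
        if start is not None and ts - start <= window:
            names.add(img)
            end = ts
            continue
        if len(names) >= threshold:
            bursts.append((start, end, sorted(names)))
        start = end = ts
        names = {img}
    if start is not None and len(names) >= threshold:
        bursts.append((start, end, sorted(names)))
    return bursts


if __name__ == "__main__":
    for start, end, names in detect_av_kill_burst(SAMPLE_LOG):
        print(f"{start.isoformat()} .. {end.isoformat()}: {', '.join(names)}")
```

Tune `threshold` to the number of listed products actually deployed on a host; on a machine that runs only one of them a single exit is all the signal you will ever get, and the file-based indicators above have to carry the detection instead.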

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14