Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: Attempts to disable antivirus and firewall software, and download a backdoor program
Detection files published: 08 Jan 2003 03:00:00
Description created: 09 Jan 2003 07:59:00
Description updated: 09 Jan 2003 08:26:00
Malware type: WORM
Aliases:
I-Worm/Naith.C
I-Worm.Avron.b
Spreading mechanism:
EMAIL
IRC
NETWORK
OTHER
Summary: None

W32/Lirva.C@mm

Spreading

Possible subjects:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP).
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re:Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested
Fwd: RFC-0841 Specification requested
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?

Possible attachment names:
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe

The mail body is also variable, put together from a few options.

When the worm spreads via email, users may be infected merely by previewing or opening the mail in Outlook/Outlook Express. This is accomplished using a known security hole, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment". Information and a patch are available from: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

The security hole is a known issue with Internet Explorer versions 5.01 and 5.5 without SP2. Users who have this configuration should apply the available patch.
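The Spreading section gives two things a mail gateway or triage script can act on: the fixed lure subjects and attachment names, and the MS01-020 pattern of an executable attachment carried under a MIME Content-Type that does not describe an executable. The following is an added example (not Lumension's code and not part of the original description) that parses a raw message with Python's standard `email` library and reports all three conditions. The sample messages are constructed for the example; the "declared type vs. executable content" check is a generic heuristic of my own, not a reproduction of the worm's exact headers.

```python
"""Mail triage for the W32/Lirva.C@mm indicators listed in the description.

Added example; indicator lists are copied from the description above,
sample messages are constructed.
"""
import email
from email import policy

# Lure subjects listed in the description (exact match after stripping).
LIRVA_SUBJECTS = frozenset({
    "Fw: Redirection error notification",
    "Re: Brigada Ocho Free membership",
    "Re: According to Purge's Statement",
    "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: Reply on account for IIS-Security Breach (TFTP).",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: IREX admits you to take in FSAU 2003",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re:Reply on account for Incorrect MIME-header",
    "Re: Vote seniors masters - don't miss it!",
    "Fwd: RFC-0245 Specification requested",
    "Fwd: RFC-0841 Specification requested",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"',
    "Re: Junior Achievement",
    "Re: Ha perduto qualque cosa signora?",
})

# Attachment names listed in the description (compared case-insensitively).
LIRVA_ATTACHMENTS = frozenset(n.lower() for n in (
    "Resume.exe", "ADialer.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Two-Up-Secretly.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "AvrilLavigne.exe", "Complicated.exe", "TrickerTape.exe", "Sophos.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe",
    "IAmWiThYoU.exe", "Phantom.exe", "EntradoDePer.exe", "SiamoDiTe.exe",
    "BioData.exe", "ALavigne.exe",
))


def triage_message(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").strip()
    if subject in LIRVA_SUBJECTS:
        findings.append(f"subject matches W32/Lirva.C@mm lure: {subject!r}")

    # iter_attachments() skips the first text/plain or text/html body part and
    # yields everything else, so a mislabelled audio/* part is still examined.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""          # Content-Disposition or Content-Type name=
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""

        if name.lower() in LIRVA_ATTACHMENTS:
            findings.append(f"attachment name matches W32/Lirva.C@mm list: {name}")

        # Heuristic (assumption, not the worm's exact headers): an attachment
        # that is an executable by name or by "MZ" magic, but whose declared
        # Content-Type is not application/*, is the MS01-020 mislabelling pattern.
        looks_executable = name.lower().endswith(".exe") or payload.startswith(b"MZ")
        if looks_executable and not ctype.startswith("application/"):
            findings.append(
                f"declared type {ctype} disagrees with executable attachment "
                f"{name or '<unnamed>'} (MS01-020 pattern)"
            )
    return findings


# Constructed lure: listed subject, listed attachment name, and an "MZ"-prefixed
# payload declared as audio/x-wav. The base64 decodes to a 16-byte DOS header stub.
SAMPLE_LURE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Fwd: RFC-0841 Specification requested
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached specification.
--b1
Content-Type: audio/x-wav; name="Readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign message: no attachments, unrelated subject.
SAMPLE_CLEAN = b"""\
From: colleague@example.invalid
To: me@example.invalid
Subject: Re: lunch on Thursday
MIME-Version: 1.0
Content-Type: text/plain

Works for me.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, triage_message(raw) or "no findings")
```

The subject and filename checks are exact-match indicators and will age with the worm's variants; the type-mismatch check is the durable part, since it keys on the mislabelling technique rather than on any particular lure string.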

Payload Details

The worm attempts to download a backdoor program from free web accounts at web.host.kz in Kazakhstan. Thanks to prompt action from the website owner these pages are now down. In addition, the worm will find the cached passwords on the infected computer and attempt to email these to the author.

The worm enumerates and kills processes belonging to these programs:
KPF.EXE, KPFW32.EXE, _AVPM.EXE, AUTODOWN.EXE, AVKSERV.EXE, AVPUPD.EXE, BLACKD.EXE, CFIND.EXE,
CLEANER.EXE, ECENGINE.EXE, F-PROT.EXE, FP-WIN.EXE, IAMSERV.EXE, ICLOADNT.EXE, IFACE.EXE, LOOKOUT.EXE,
N32SCAN.EXE, NAVW32.EXE, NORMIST.EXE, PADMIN.EXE, PCCWIN98.EXE, RAV7WIN.EXE, SCAN95.EXE, SMC.EXE,
TCA.EXE, VETTRAY.EXE, VSSTAT.EXE, ACKWIN32.EXE, AVCONSOL.EXE, AVPNT.EXE, AVPDOS32.EXE, AVSCHED32.EXE,
BLACKICE.EXE, EFINET32.EXE, CLEANER3.EXE, ESAFE.EXE, F-PROT95.EXE, FPROT.EXE, IBMASN.EXE, ICMOON.EXE,
IOMON98.EXE, LUALL.EXE, NAVAPW32.EXE, NAVWNT.EXE, NUPGRADE.EXE, PAVCL.EXE, PCFWALLICON.EXE, RESCUE.EXE,
SCANPM.EXE, SPHINX.EXE, TDS2-98.EXE, VSSCAN40.EXE, WEBSCANX.EXE, WEBSCAN.EXE, ANTI-TROJAN.EXE, AVE32.EXE,
AVP.EXE, AVPM.EXE, AVWIN95.EXE, CFIADMIN.EXE, CLAW95.EXE, DVP95.EXE, ESPWATCH.EXE, F-STOPW.EXE,
FRW.EXE, IBMAVSP.EXE, ICSUPP95.EXE, JED.EXE, MOOLIVE.EXE, NAVLU32.EXE, NISUM.EXE, NVC95.EXE,
NAVSCHED.EXE, PERSFW.EXE, SAFEWEB.EXE, SCRSCAN.EXE, SWEEP95.EXE, TDS2-NT.EXE, VSECOMR.EXE, WFINDV32.EXE,
AVPCC.EXE, _AVPCC.EXE, APVXDWIN.EXE, AVGCTRL.EXE, _AVP32.EXE, AVPTC32.EXE, AVWUPD32.EXE, CFIAUDIT.EXE,
CLAW95CT.EXE, DV95_O.EXE, DV95.EXE, F-AGNT95.EXE, FINDVIRU.EXE, IAMAPP.EXE, ICLOAD95.EXE, ICSSUPPNT.EXE,
LOCKDOWN2000.EXE, MPFTRAY.EXE, NAVNT.EXE, NMAIN.EXE, OUTPOST.EXE, NAVW.EXE, RAV7.EXE, SCAN32.EXE,
SERV95.EXE, TBSCAN.EXE, VET95.EXE, VSHWIN32.EXE, ZONEALARM.EXE, AVPMON.EXE, AVP32.EXE

Depending on the date (the 7th, 11th, or 24th), the worm will open a web browser to www.avril-lavigne.com and then display a graphical effect.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12