Description
Win32.HLLM.Avril.1 is a mass-mailing worm written in Microsoft Visual C++, a high-level programming language. It infects systems running Windows 95/98/Me/NT/2000/XP. The worm is packed with the UPX packer; its packed size is 32,766 bytes.
To spread, the worm uses e-mail (sending to addresses it harvests from files with the DBX, EML, IDX, HTML, HTM, MBX, NCH, TBB, SHTML and WAB extensions), shared drives on the local network, IRC, ICQ and the KaZaA peer-to-peer network.
The worm does not check whether the addresses found in files with the above extensions are valid, so in the course of its mass-mailing Win32.HLLM.Avril.1 uses any string of the form xxxx@xxxxx. It stores the harvested addresses in the file listrecp.dll, placed in the Windows folder.
To penetrate a system the worm exploits the long-known incorrect MIME header vulnerability, which allows an executable attachment (containing the worm) to run automatically when the message is merely previewed in mail clients such as MS Outlook and MS Outlook Express (versions 5.01 and 5.5).
Spreading
For e-mail propagation the worm uses its own SMTP engine. It retrieves information about the SMTP server of the affected machine from the following registry entries:
HKCU\Software\Microsoft\Internet Account Manager\Accounts\......\SMTP Server
HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\.....\SMTP Server
The mail message sent by the worm looks as follows:
Subject: always begins with RE: or FW:, giving the impression that the message is a reply to a letter sent from the infected machine, or a forwarded one; it is one of the following:
Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Message body: there are several variants of the text in the worm's body that form the infected message:
Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
(then follows an address analogous to the one in the FROM: field)
is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
The attachment name is one of the following:
IAmWiThYoU.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Readme.exe
Resume.exe
Sk8erBoi.exe
Singles.exe
Sophos.exe
Two-Up-Secretly.exe
Transcripts.exe
To spread via shared drives the worm drops a copy of itself into the Windows\Recycled folder as a randomly named file with the .EXE extension. It modifies the AUTOEXEC.BAT file of such a shared drive to secure its automatic execution at every Windows start-up:
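The fixed subject lines and attachment names listed above are enough for a simple mail-gateway check. The following script is an added example written for this description, not code from the original page or from the vendor; it parses a raw RFC 822 message, compares the subject and every attachment filename against the lists from the description, and returns a verdict. The sample message is constructed for the demonstration.

```python
import email
from email import policy

# Subject lines and attachment names quoted in the description above; the
# comparison is case-insensitive because relays and clients may re-case them.
WORM_SUBJECTS = {s.lower() for s in (
    "Fw: Prohibited customers...", "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit", "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security", "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger", "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header")}
WORM_ATTACHMENTS = {a.lower() for a in (
    "IAmWiThYoU.exe", "AvrilSmiles.exe", "AvrilLavigne.exe", "Complicated.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Download.exe", "Readme.exe",
    "MSO-Patch-0071.exe", "MSO-Patch-0035.exe", "Resume.exe", "Sk8erBoi.exe",
    "Singles.exe", "Sophos.exe", "Two-Up-Secretly.exe", "Transcripts.exe")}

def classify(raw_message: bytes) -> dict:
    """Match one raw RFC 822 message against the worm's subject/attachment set."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    hits = {"subject": subject.lower() in WORM_SUBJECTS, "attachments": []}
    for part in msg.walk():  # walk every MIME part, not only the first one
        name = part.get_filename()
        if name and name.lower() in WORM_ATTACHMENTS:
            hits["attachments"].append(name)
    if hits["subject"] and hits["attachments"]:
        hits["verdict"] = "likely Win32.HLLM.Avril.1"
    elif hits["subject"] or hits["attachments"]:
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "no match"
    return hits

# Constructed sample message (not a real capture) reproducing the described layout
SAMPLE = b"""From: user@example.invalid
Subject: Re: Reply on account for IIS-Security
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="MSO-Patch-0071.exe"
Content-Disposition: attachment; filename="MSO-Patch-0071.exe"

MZ-not-really
--b1--
"""
```

A real gateway would also flag any message whose subject begins with RE:/FW: and carries an executable attachment, since the worm's subject list is fixed but easily extended by a variant.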
To propagate via mIRC it drops a modified SCRIPT.INI file into the mIRC folder. As a result, once the infected machine connects to an IRC server it is forced to join the #avrillavigne channel, and the worm starts sending copies of itself to all users connected to that channel.
To propagate via ICQ the worm searches for the ICQ folder in the registry entry
HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\App Paths\ICQ.EXE\
and, if found, copies the file ICQMAPI.DLL to the %System% folder. It then sends itself to all contacts in the local ICQ folder of the infected machine.
To propagate via the KaZaA network the worm looks up the KaZaA shared folder in the registry entry
HKEY_CURRENT_USER\Software\KaZaA\Transfer\DlDir0
and copies itself there as a randomly named file with the .EXE extension; from then on it is accessible to all peer-to-peer network users.
Action
When run, the worm copies itself to the Windows\System folder (in Windows 9x and Windows Me this is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32) as an executable file with the .EXE extension and an 11-character name generated by the worm. To secure its automatic execution the worm modifies the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Avril Lavigne - Muse =
It also drops two more copies of itself into the Windows\Temp folder. The first file's name is identical to that of the file in which the worm arrived on the victim computer; the second has the .TFT extension and no fixed name.
The worm also places a simple text file named avril_ii.inf in the same folder, containing the following strings:
Avril-II Made in .::]|KaZAkHstaN|[::. 2002 (c) Otto von Gutenberg
The worm attempts to terminate certain anti-virus and security-related programs:
_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ANTI-TROJAN.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPMON.EXE AVPNT.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE CFIADMIN.EXE CFIAUDIT.EXE CFIND.EXE CLAW95.EXE CLAW95CT.EXE CLEANER.EXE CLEANER3.EXE DV95.EXE DV95_O.EXE DVP95.EXE ECENGINE.EXE EFINET32.EXE ESAFE.EXE ESPWATCH.EXE F-AGNT95.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FINDVIRU.EXE FP-WIN.EXE FPROT.EXE FRW.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMOON.EXE ICSSUPPNT.EXE ICSUPP95.EXE IFACE.EXE IOMON98.EXE JED.EXE KPF.EXE KPFW32.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LUALL.EXE MOOLIVE.EXE MPFTRAY.EXE N32SCAN.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE NAVSCHED.EXE NAVW.EXE NAVW32.EXE NAVWNT.EXE NISUM.EXE NMAIN.EXE NORMIST.EXE NUPGRADE.EXE NVC95.EXE OUTPOST.EXE PADMIN.EXE PAVCL.EXE PCCWIN98.EXE PCFWALLICON.EXE PERSFW.EXE RAV7.EXE RAV7WIN.EXE RESCUE.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SERV95.EXE SMC.EXE SPHINX.EXE SWEEP95.EXE TBSCAN.EXE TCA.EXE TDS2-98.EXE TDS2-NT.EXE VET95.EXE VETTRAY.EXE VSECOMR.EXE VSHWIN32.EXE VSSCAN40.EXE VSSTAT.EXE WEBSCAN.EXE WEBSCANX.EXE WFINDV32.EXE ZONEALARM.EXE
On the 7th, 11th and 24th of any month the worm opens the web page http://www.avril-lavigne.com and displays colourful graphics on the Active Desktop.
The worm can steal passwords from users' files (*.PWL) and later send them to a certain e-mail address.