Home / malware Win32.Lirva.B@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Lirva.B@mm is also known as Win32/Naith.C@mm, Win32.HLLM.Avril.2, W32/Lirva.
Explanation :
This is a modified version of Win32.Lirva.A@mm internet worm. It maintains the same functionality but it changes the subjects, the body, and the attachments and it adds some new features.
Subjects:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement'
Re: Ha perduto qualque cosa signora?'
Bodies:
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:
or
Restricted area response team (RART)
Attachment you sent to recipient adress is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
or
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoftâ• IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability
and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so
to apply the patch immediately.
or
AVRIL LAVIGNE - THE BEST
Avril Lavigne's popularity increases:>
SO: First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list .>.>
Attachments:
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
In this version the worms tries to update itself from the following URLS:
http://web.host.kz/avril_lavigne/
http://web.host.kz/avril/
http://web.host.kz/avril_ii/
and from the same URLS it tries to download a backdoor that will be copied in %SYSTEM%\Bo2k.exe and it adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SocketListener with value %SYSTEM%\Bo2k.exe to ensure that the backdoor will be executed at restart.
The content of the avril-ii.inf has changed:
2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational, however...
I'm back to the scene with one more gift |Avril-II|
(remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because of its over-trojaned issues
~Greetz to Brigada Ocho (http://vx.netlux.org/~b8),
Darkside Project(http://darkside.dtn.ru)
and Weisses Fleisch Project (http://wf.h1.ru)
~Greetz to Rocco (http://primatelost.net)
Many thankx to my muse Avril Lavigne whose beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD (urgently persuade to check it instantly)
BackOrifice-server dropper included
P.S.> How is my work?
Cheerz, Otto (www.otto-koden.h1.ru)Last update 21 November 2011