W32.Lirva.A@mm
E’ un mass-mailing worm, ma la sua diffusione può avvenire anche attraverso programmi tipo IRC, ICQ, KaZaA,è considerato dalla Sarc molto pericoloso classificandolo a livello3, non è distruttivo, la grandezza dell’allegato è di 32,766 Bytes (UPX compressed) e di 105,984 Bytes (Uncompressed), nei giorni 7, 11, 24 di ogni mese si connette al sito ***avril-lavigne.*** dove al centro della pagina vi è un display ellittico colorato con la scritta: AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg, seguito da un’altra scritta: Avril-II
Made in .::]|KaZAkHstaN|[::.2002 (c) Otto von Gutenberg. E’ scritto in Visual C++.
Infetta i sistemi operativi Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, ed è conosciuto anche come W32/Avril-A [Sophos], W32/Lirva.b@MM [McAfee], WORM_LIRVA.A [Trend].
L’Oggetto della mail può essere:
Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Il testo:
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support:
Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
L’allegato:
Resume.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Se eseguito cerca di inibire Antivirus e Firewall cercando di terminare questi processi:
· _AVP32.EXE
· _AVPCC.EXE
· _AVPM.EXE
· ACKWIN32.EXE
· ANTI-TROJAN.EXE
· APVXDWIN.EXE
· AUTODOWN.EXE
· AVCONSOL.EXE
· AVE32.EXE
· AVGCTRL.EXE
· AVKSERV.EXE
· AVP.EXE
· AVP32.EXE
· AVPCC.EXE
· AVPDOS32.EXE
· AVPM.EXE
· AVPMON.EXE
· AVPNT.EXE
· AVPTC32.EXE
· AVPUPD.EXE
· AVSCHED32.EXE
· AVWIN95.EXE
· AVWUPD32.EXE
· BLACKD.EXE
· BLACKICE.EXE
· CFIADMIN.EXE
· CFIAUDIT.EXE
· CFIND.EXE
· CLAW95.EXE
· CLAW95CT.EXE
· CLEANER.EXE
· CLEANER3.EXE
· DV95.EXE
· DV95_O.EXE
· DVP95.EXE
· ECENGINE.EXE
· EFINET32.EXE
· ESAFE.EXE
· ESPWATCH.EXE
· F-AGNT95.EXE
· FINDVIRU.EXE
· FPROT.EXE
· F-PROT.EXE
· F-PROT95.EXE
· FP-WIN.EXE
· FRW.EXE
· F-STOPW.EXE
· IAMAPP.EXE
· IAMSERV.EXE
· IBMASN.EXE
· IBMAVSP.EXE
· ICLOAD95.EXE
· ICLOADNT.EXE
· ICMOON.EXE
· ICSSUPPNT.EXE
· ICSUPP95.EXE
· IFACE.EXE
· IOMON98.EXE
· JED.EXE
· KPF.EXE
· KPFW32.EXE
· LOCKDOWN2000.EXE
· LOOKOUT.EXE
· LUALL.EXE
· MOOLIVE.EXE
· MPFTRAY.EXE
· N32SCAN.EXE
· NAVAPW32.EXE
· NAVLU32.EXE
· NAVNT.EXE
· NAVSCHED.EXE
· NAVW.EXE
· NAVW32.EXE
· NAVWNT.EXE
· NISUM.EXE
· NMAIN.EXE
· NORMIST.EXE
· NUPGRADE.EXE
· NVC95.EXE
· OUTPOST.EXE
· PADMIN.EXE
· PAVCL.EXE
· PCCWIN98.EXE
· PCFWALLICON.EXE
· PERSFW.EXE
· RAV7.EXE
· RAV7WIN.EXE
· RESCUE.EXE
· SAFEWEB.EXE
· SCAN32.EXE
· SCAN95.EXE
· SCANPM.EXE
· SCRSCAN.EXE
· SERV95.EXE
· SMC.EXE
· SPHINX.EXE
· SWEEP95.EXE
· TBSCAN.EXE
· TCA.EXE
· TDS2-98.EXE
· TDS2-NT.EXE
· VET95.EXE
· VETTRAY.EXE
· VSECOMR.EXE
· VSHWIN32.EXE
· VSSCAN40.EXE
· VSSTAT.EXE
· WEBSCAN.EXE
· WEBSCANX.EXE
· WFINDV32.EXE
· ZONEALARM.EXE
Inoltre termina tutti i processi che hanno riferimenti con
· Norton
· AVP
· Anti
· Virus
· McAfee
· anti
· virus
Soluzione: riavviare in modalità provvisoria, aprire la Task Manager con CTRL+ALT+CANC (in 9x/ME), CTRL+SHIFT+ESC (in NT/2000/XP) e terminare i processi riconducibili al worm. Da Start>Esegui> “regedit” eliminare Avril Lavigne – Muse dalla chiave HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run cercare lo stesso valore in C.\Windows\System e OvG da HKEY_LOCAL_MACHINE>Software. Cancellare tutti i Files dalla cartella TEMP, i Temporary internet files ed i Cookies. Fare una scansione approfondita con l’AV aggiornato.
Marco(amvinfe)
E’ una variante di W32.Lirva.A@mm , il livello di pericolosità è medio\alto (2), la differenza sostanziale con la precedente variante è quella di connettersi (se infetta un Pc) a tre diversi siti per scaricare una Backdoor (****://***.***.kz/avril_lavigne/Bo2k_upx.exe ****://***.***.kz/avril/Bo2k_upx.exe ****://***.***.kz/avril_ii/Bo2k_upx.exe). Dopo aver scaricato la Backdoor copia in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run il valore SocketListener.
L’Oggetto della mail cambia rispetto la prima variante in:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Ed il testo presente nella mail può essere uno di questi:
Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support: Patch: Date
Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
Avril fans subscription FanList admits you to take in Avril vigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
Chart attack active list: Vote fo4r I'm with you! Vote fo4r Sk8er Boi!Vote fo4r Complicated!AVRIL LAVIGNE - THE CHART ATTACK!
AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:> SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Chart attack active list .>.>
Orginal Message
Viene allegato uno dei seguenti files:
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
<random>.TXT
<random>.DOC
Soluzione: riavviare in modalità provvisoria, aprire la Task Manager con CTRL+ALT+CANC (in 9x/ME), CTRL+SHIFT+ESC (in NT/2000/XP) e terminare i processi riconducibili al worm. In HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Curr entVersion>Run eliminare il valore Avril Lavigne – Muse, cercare lo stesso valore in C.\Windows\System. Eliminare il valore SocketListener da HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Curr entVersion>Run, eliminare OvG da HKEY_LOCAL_MACHINE>Software. Cancellare tutti i Files dalla cartella TEMP, i Temporary internet files ed i Cookies. Fare una scansione completa con l’AV aggiornato.
Marco(amvinfe)
Rispondi quotando
