Win32/Lirva.A, .C (Naith, Avril)

Win32/Naith.A (also known under the names Avril or Lirva) is an Internet worm which, when run, saves itself into the Windows directory under a random name and then adds a registry key that ensures it is run at every start of Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Avril Lavigne - Muse

Win32/Naith sends itself to every address it finds in files of type DBX, MBX, WAB, HTML, EML, HTM, TBB, SHTML, NCH and IDX. The message has the following characteristics:

Subject: one of the following texts:

Fw: Avril Lavigne - the best
Fw: Prohibited customers...
Fwd: Re: Admission procedure
Fwd: Re: Reply on account for Incorrect MIME-header
Re: According to Daos Summit
Re: ACTR/ACCELS Transcriptions
Re: Brigade Ocho Free membership
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security
Re: The real estate plunger

Message body: one of the following three variants:

  • "Avril fans subscription
    FanList admits you to take in Avril Lavigne 2003
    Billboard awards ceremony
    Vote for I'm with you!
    Admission form attached below"

  • "Restricted area response team (RART)
    Attachment you sent to is intended to overwrite
    start address at 0000:HH4F
    To prevent from the further buffer overflow attacks
    apply the MSO-patch"

  • "Microsoft has identified a security vulnerability in
    Microsoft® IIS 4.0 and 5.0
    that is eliminated by a previously-released patch.
    Customers who have applied that patch are already protected
    and do not need to take additional action.
    Microsoft strongly urges all customers using IIS 4.0 and 5.0
    who have not already done so to apply the patch immediately.
    Patch is also provided to subscribed list of Microsoft® Tech Support:"

    The attached file may have one of the following names:

    AvrilLavigne.exe
    AvrilSmiles.exe
    CERT-Vuln-Info.exe
    Cogito_Ergo_Sum.exe
    Complicated.exe
    Download.exe
    IAmWiThYoU.exe
    MSO-Patch-0035.exe
    MSO-Patch-0071.exe
    Readme.exe
    Resume.exe
    Singles.exe
    Sk8erBoi.exe
    Sophos.exe
    Transcripts.exe
    Two-Up-Secretly.exe

    The worm exploits a known security hole in Microsoft Internet Explorer, Outlook and Outlook Express which causes it to be run as soon as the message is merely viewed. It can also spread over the local network: if the share permissions allow it, it copies itself under a random name to a remote shared disk, into the root directory or the RECYCLED directory. It then adds a line to the autoexec.bat file (e.g. "@win \RECYCLED\randomname.exe") so that it is run at the next start of the remote computer. It is also able to send itself to users of the ICQ and mIRC programs.

    The worm also creates the following registry keys:

    HKLM\Software\OvG\Avril Lavigne=Done
    HKLM\Software\OvG\Avril Lavigne\PSW-Trojan=1

    The worm may also copy itself into the KaZaA program directory and create the file avril-ii.inf in the temporary directory. It also tries to terminate a number of known antivirus programs and, in addition, scatters several copies of itself under random names across the whole disk.

    If the system date is set to the 7th, 11th or 24th day of any month, Win32/Naith opens the home page of the skater-punk act Avril Lavigne in Internet Explorer and displays coloured ellipses together with the text "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg".

    The worm is able to collect passwords stored on the infected computer and send them to a single Russian e-mail address.

    Variant C

    It differs mainly in the subject texts, the message bodies and the attachment names.

    Subjects:

    Fw: Redirection error notification
    Re: Brigada Ocho Free membership
    Re: According to Purge's Statement
    Fw: Avril Lavigne - CHART ATTACK!
    Re: Reply on account for IIS-Security Breach
    (TFTP)
    Re: ACTR/ACCELS Transcriptions
    Re: IREX admits you to take in FSAU 2003
    Fwd: Re: Have U requested Avril Lavigne bio?
    Re: Reply on account for IFRAME-Security breach
    Fwd: Re: Reply on account for Incorrect MIME-header
    Re: Vote seniors masters - don't miss it!
    Fwd: RFC-0245 Specification requested...
    Fwd: RFC-0841 Specification requested...
    Fw: F. M. Dostoyevsky "Crime and Punishment"
    Re: Junior Achievement
    Re: Ha perduto qualque cosa signora?

    Message bodies (6 versions):

  • Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support: Patch: Date
  • Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
  • Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
  • Chart attack active list: Vote fo4r I'm with you! Vote fo4r Sk8er Boi!Vote fo4r Complicated!AVRIL LAVIGNE - THE CHART ATTACK!
  • AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:> SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Chart attack active list
  • Orginal Message

    Attachments:

    Resume.exe
    ADialer.exe
    MSO-Patch-0071.exe
    MSO-Patch-0035.exe
    Two-Up-Secretly.exe
    Transcripts.exe
    Readme.exe
    AvrilSmiles.exe
    AvrilLavigne.exe
    Complicated.exe
    TrickerTape.exe
    Singles.exe
    Sophos.exe
    Cogito_Ergo_Sum.exe
    CERT-Vuln-Info.exe
    Sk8erBoi.exe
    IAmWiThYoU.exe
    Phantom.exe
    EntradoDePer.exe
    SiamoDiTe.exe
    BioData.exe
    ALavigne.exe
    {random}.TXT
    {random}.DOC
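    The subject lines, attachment names and body phrases listed above for variants A and C can be turned into a simple mail-gateway indicator check. The following is an added example written for this page, not code from Alwil Software or from the AVAST product: the indicator lists are copied from the description above, while the function names and the sample messages are constructed here (the attachment payload is a placeholder, not worm code). It parses a raw RFC 5322 message, reports which indicator classes match, and classifies a message as "lirva" only when at least two classes agree, so that a single coincidental hit (a legitimate "Readme.exe", say) is merely flagged as suspicious.

```python
"""Indicator matcher for Win32/Lirva (Naith, Avril) e-mail.

Indicator strings come from the Alwil description of variants A and C.
Everything else (function names, sample messages) is constructed for this
example and is not the vendor's code.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines of variants A and C, compared case-insensitively.
LIRVA_SUBJECTS = {s.lower() for s in (
    "Fw: Avril Lavigne - the best", "Fw: Prohibited customers...",
    "Fwd: Re: Admission procedure",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: According to Daos Summit", "Re: ACTR/ACCELS Transcriptions",
    "Re: Brigade Ocho Free membership", "Re: Brigada Ocho Free membership",
    "Re: Reply on account for IFRAME-Security breach",
    "Re: Reply on account for IIS-Security",
    "Re: Reply on account for IIS-Security Breach",
    "Re: The real estate plunger", "Fw: Redirection error notification",
    "Re: According to Purge's Statement", "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: IREX admits you to take in FSAU 2003",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Re: Vote seniors masters - don't miss it!",
    "Fwd: RFC-0245 Specification requested...",
    "Fwd: RFC-0841 Specification requested...",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"', "Re: Junior Achievement",
    "Re: Ha perduto qualque cosa signora?",
)}

# Attachment names of variants A and C ({random}.TXT/.DOC cannot be listed).
LIRVA_ATTACHMENTS = {s.lower() for s in (
    "AvrilLavigne.exe", "AvrilSmiles.exe", "CERT-Vuln-Info.exe",
    "Cogito_Ergo_Sum.exe", "Complicated.exe", "Download.exe", "IAmWiThYoU.exe",
    "MSO-Patch-0035.exe", "MSO-Patch-0071.exe", "Readme.exe", "Resume.exe",
    "Singles.exe", "Sk8erBoi.exe", "Sophos.exe", "Transcripts.exe",
    "Two-Up-Secretly.exe", "ADialer.exe", "TrickerTape.exe", "Phantom.exe",
    "EntradoDePer.exe", "SiamoDiTe.exe", "BioData.exe", "ALavigne.exe",
)}

# Distinctive phrases from the message bodies (lower-cased substrings).
BODY_MARKERS = (
    "restricted area response team (rart)", "avril fans subscription",
    "chart attack active list", "apply the mso-patch",
    "network associates weekly report", "avril lavigne - the best",
)


def lirva_indicators(raw: bytes) -> dict:
    """Parse one message and report which indicator classes match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return {
        "subject": subject in LIRVA_SUBJECTS,
        "body": any(marker in body for marker in BODY_MARKERS),
        "attachments": [n for n in names if n.lower() in LIRVA_ATTACHMENTS],
    }


def classify(raw: bytes) -> str:
    """'lirva' when two or more indicator classes agree, 'suspicious' for one."""
    hits = lirva_indicators(raw)
    score = int(hits["subject"]) + int(hits["body"]) + int(bool(hits["attachments"]))
    if score >= 2:
        return "lirva"
    return "suspicious" if score == 1 else "clean"


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PLACEHOLDER-NOT-A-REAL-PAYLOAD", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(
        "Re: Brigade Ocho Free membership",
        "Restricted area response team (RART)\nAttachment you sent to is "
        "intended to overwrite start address at 0000:HH4F\nTo prevent from "
        "the further buffer overflow attacks apply the MSO-patch",
        "MSO-Patch-0071.exe",
    )
    print(classify(sample), lirva_indicators(sample))
```

    The two-of-three rule is what lets the variant C messages with a {random}.TXT or .DOC attachment still be caught: their subject and body text match even though the attachment name cannot. Dropping executable attachments outright at the gateway, regardless of name, is the more robust control and is what the random-name variants argue for.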


    Source: Alwil Software - maker of the AVAST antivirus



  • Single-purpose removal tool:

    Win32/Lirva.A, .C (Win32/Naith, Win32/Avril)
  • Description/usage: run from Windows.


  • A few pieces of good advice:

    Before using single-purpose removal tools it is advisable to switch off the existing antivirus system, above all its on-access scanner (often called the resident shield).

    In the case of the widely used AVG 6.0 antivirus, the resident shield is switched off by a checkbox on one of the tabs of the AVG Control Center (the icon in the tray at bottom right). The four-colour icon should turn grey.

    In Windows XP and ME it is also advisable to turn off the SYSTEM RESTORE function, which would otherwise later prevent the deletion of infected files "stuck" in the _RESTORE (Windows ME) or SYSTEM INFORMATION VOLUME (Windows XP) directories.

    Procedure for Windows ME:

  • Right-click the MY COMPUTER icon and choose PROPERTIES from the menu.
  • Switch to the PERFORMANCE tab and press the FILE SYSTEM button.
  • There, move to the TROUBLESHOOTING tab and tick the last option, DISABLE SYSTEM RESTORE.
  • Confirm everything with OK; Windows will restart.

    Procedure for Windows XP:

  • Right-click the MY COMPUTER icon.
  • Choose PROPERTIES and go to the SYSTEM RESTORE tab.
  • Tick the option TURN OFF SYSTEM RESTORE ON ALL DRIVES.
  • Confirm; Windows will restart.