F-Secure Virus Descriptions : Lirva



Radar Alert LEVEL 2: this virus is ranked as a level 2 alert under F-Secure Radar.

NAME: Lirva
ALIAS: W32/Lirva.B, W32.Arvil.A, W32.Naith.A, Avril, Avron
ORIGIN: Kazakhstan

Lirva is a mass-mailing worm that uses several methods to spread. Besides email, the worm uses ICQ, Kazaa and mIRC, and tries to spread through open shares and Windows network drives. Lirva also disables several antivirus and security applications if it notices their presence. While active on a system, the worm tries to steal passwords and send them to an external email address.

Technical details

The worm body is compressed with the UPX executable compressor. The unpacked size of the body is around 100 kilobytes; the worm was written in C++.

Email spreading

Email addresses are collected from files with the following extensions:

 .DBX .MBX .WAB .HTML .EML .HTM .TBB .SHTML .NCH .IDX

The email is formatted as HTML and contains an exploit for the IFRAME vulnerability, which causes Internet Explorer to auto-execute the attachment.

To fix the IFRAME vulnerability, download the patch from http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

The infected emails are constructed from randomly chosen parts as follows.

Subjects:

 'Fw: Prohibited customers...'
 'Re: Brigade Ocho Free membership'
 'Re: According to Daos Summit'
 'Fw: Avril Lavigne - the best'
 'Re: Reply on account for IIS-Security'
 'Re: ACTR/ACCELS Transcriptions'
 'Re: The real estate plunger'
 'Fwd: Re: Admission procedure'
 'Re: Reply on account for IFRAME-Security breach'
 'Fwd: Re: Reply on account for Incorrect MIME-header'

Bodies:

 'Restricted area response team (RART)

 Attachment you sent to %s is intended to overwrite start address at 0000:HH4F%s
 To prevent from the further buffer overflow attacks apply the MSO-patch %s'

or

 'Avril fans subscription

 FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
 Vote for I'm with you!

 Admission form attached below'

or

 'Microsoft has identified a security vulnerability in Microsoft(r); IIS 4.0
 and 5.0 that is eliminated by a previously-released patch.

 Customers who have applied that patch are already protected against the
 vulnerability and do not need to take additional action.

 Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not
 already done so to apply the patch immediately.

 Patch is also provided to subscribed list of Microsoft(r) Tech Support:'

Infected attachment names:

 'Resume.exe'
 'Download.exe'
 'MSO-Patch-0071.exe'
 'MSO-Patch-0035.exe'
 'Two-Up-Secretly.exe'
 'Transcripts.exe'
 'Readme.exe'
 'AvrilSmiles.exe'
 'AvrilLavigne.exe'
 'Complicated.exe'
 'Singles.exe'
 'Sophos.exe'
 'Cogito_Ergo_Sum.exe'
 'CERT-Vuln-Info.exe'
 'Sk8erBoi.exe'
 'IAmWiThYoU.exe'
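The subject lines, attachment names and IFRAME trick listed above are exactly the indicators a mail gateway can filter on. The following is an added example for this page, not F-Secure code: it parses one RFC 822 message with Python's standard `email` package and reports any of the three indicators. The sample message is constructed, its attachment is a few inert bytes rather than the worm, and the exact HTML of the IFRAME exploit is an assumption (a `<iframe src="cid:...">` element referencing the attachment by Content-ID), since the description does not quote it.

```python
"""Flag e-mail messages carrying the Lirva indicators listed above: a known
subject line, a known attachment name, or an HTML body whose <iframe>
points at a MIME part by Content-ID (the IFRAME auto-execute pattern).
Added example for this page, not F-Secure code; the sample message is
constructed and its attachment is inert bytes, not the worm."""
import email
import re
from email import policy
from email.message import EmailMessage

LIRVA_SUBJECTS = {
    "Fw: Prohibited customers...",
    "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit",
    "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger",
    "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
}
LIRVA_ATTACHMENTS = {
    "Resume.exe", "Download.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Two-Up-Secretly.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "AvrilLavigne.exe", "Complicated.exe", "Singles.exe", "Sophos.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe",
}
LIRVA_ATTACHMENTS_LOWER = {name.lower() for name in LIRVA_ATTACHMENTS}
# Assumption: the IFRAME trick references the attachment through an
# <iframe src="cid:..."> element; the description does not quote the exact HTML.
IFRAME_CID_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:", re.IGNORECASE)


def scan_message(raw):
    """Return a list of human-readable findings for one RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["subject"] or "").strip()
    if subject in LIRVA_SUBJECTS:
        findings.append("known Lirva subject: %r" % subject)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() in LIRVA_ATTACHMENTS_LOWER:
            findings.append("known Lirva attachment name: %s" % filename)
        if part.get_content_type() == "text/html":
            if IFRAME_CID_RE.search(part.get_content()):
                findings.append("HTML body embeds an <iframe> pointing at a cid: attachment")
    return findings


def build_sample_message():
    """Constructed message with the structure described above; returns bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed
    msg["To"] = "recipient@example.invalid"  # constructed
    msg["Subject"] = "Fw: Avril Lavigne - the best"
    msg.set_content(
        "<html><body>Admission form attached below"
        '<iframe src="cid:part1@example.invalid" width="0" height="0"></iframe>'
        "</body></html>",
        subtype="html",
    )
    # Inert placeholder bytes stand in for the attachment body.
    msg.add_attachment(b"MZ-not-a-real-executable", maintype="application",
                       subtype="octet-stream", filename="AvrilSmiles.exe",
                       cid="<part1@example.invalid>")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

The subject match is exact because the worm picks from a fixed list; the attachment match is case-insensitive because Windows file names are. Any one finding is enough to quarantine, and the `cid:` IFRAME pattern alone is worth blocking regardless of the worm, since the patch the description links to exists precisely because Internet Explorer would execute such a part.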

Local Area Network spreading

Lirva browses through all Windows drives and network shares available to the infected computer. The worm tries to copy itself to the 'recycled' directory on the remote share or drive under a random name. If the copy operation fails, it tries to copy itself to the root of the remote share. If either of these succeeds, it adds an extra line to 'autoexec.bat' on the remote drive:

 '@win \recycled\[random_name].exe'

or

 '@win [random_name].exe'

If the remote system is Windows 95/98/Me, the worm will be started the next time the system boots. Windows NT, 2000 and XP systems are not affected by this attack, because they do not process 'autoexec.bat' at start-up.
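The two 'autoexec.bat' lines above are a simple file-level indicator for any share or drive the worm could reach. The following is an added example for this page, not F-Secure's LirvTool: it scans the text of an 'autoexec.bat' for either form of the worm's start-up line and can strip it as a clean-up step. The file contents and the random file name are constructed, and the assumption that the random name contains no spaces or backslashes is mine.

```python
"""Scan the text of a drive's autoexec.bat for the start-up line Lirva
appends on a remote drive or share. Added example for this page, not
F-Secure's LirvTool; the file contents below are constructed."""
import re

# Lirva appends '@win \recycled\[random_name].exe' or '@win [random_name].exe'.
# Assumption: the random name contains no spaces or backslashes, so any
# 'win' line that launches a bare .exe from \recycled\ or the drive root is
# reported. A normal autoexec.bat does not start programs this way.
LIRVA_AUTOEXEC_RE = re.compile(
    r"^\s*@?win\s+(\\recycled\\)?([^\\\s]+\.exe)\s*$", re.IGNORECASE
)


def find_lirva_startup_lines(autoexec_text):
    """Return (line_number, exe_name, location) for every matching line."""
    hits = []
    for lineno, line in enumerate(autoexec_text.splitlines(), 1):
        match = LIRVA_AUTOEXEC_RE.match(line)
        if match:
            location = "\\recycled\\" if match.group(1) else "drive root"
            hits.append((lineno, match.group(2), location))
    return hits


def strip_lirva_startup_lines(autoexec_text):
    """Return the autoexec.bat text with the worm's lines removed (clean-up step)."""
    flagged = {lineno for lineno, _, _ in find_lirva_startup_lines(autoexec_text)}
    kept = [line for lineno, line in enumerate(autoexec_text.splitlines(), 1)
            if lineno not in flagged]
    return "\r\n".join(kept) + "\r\n"


# Constructed sample: a typical Windows 98 autoexec.bat with the worm's line appended.
SAMPLE_AUTOEXEC = "\r\n".join([
    "@ECHO OFF",
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "SET TEMP=C:\\TEMP",
    "@win \\recycled\\kjhg8721.exe",   # random name is constructed
]) + "\r\n"


if __name__ == "__main__":
    for lineno, exe, where in find_lirva_startup_lines(SAMPLE_AUTOEXEC):
        print("line %d starts %s from %s" % (lineno, exe, where))
```

Removing the line only stops the worm from being launched at boot; the copied executable in '\recycled' or the drive root still has to be deleted, and the scan has to be repeated on every drive and share the infected machine could write to.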

Spreading through Peer-to-peer network

If Lirva finds a Kazaa client on the infected computer, it copies itself to the folder that is shared with other users through Kazaa. As the file name it uses a random name chosen from the same set of names as for the email attachment (see above). Using these catchy names, the worm has a chance of fooling someone into downloading and executing it from the infected computer.

Spreading using Internet Relay Chat

If mIRC (a popular Windows IRC client) is found on the computer, Lirva modifies its configuration. The modification makes the client offer the worm for download to any user who joins the current chat channel. This way an unsuspecting user might download and execute the worm and get infected.

The other part of the configuration modification makes the client join the IRC channel '#avrillavigne'.

Spreading through ICQ network

When initialising, Lirva tries to locate a file called 'ICQMAPI.DLL' in the ICQ installation directory. If it is available, the worm copies it to the Windows System Directory and loads the DLL. This DLL provides access to the ICQ client. If the worm can establish a connection with ICQ, it goes through all the active contacts in the user's contact list and tries to send itself to each of them. As the file name it picks one from the same list as for email spreading (see above).

System infection

The worm copies itself to the Windows System Directory and adds that copy to the registry under

 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Avril Lavigne - Muse'

so it will be started when Windows starts.

Several other values are added to the registry under

 'HKLM\Software\OvG\Avril Lavigne'

that store internal data for the worm.
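The Run value and the 'OvG' key above are the worm's registry footprint and the most reliable host-level indicator. The following is an added example for this page, not F-Secure's tool: a small parser for a registry export in '.reg' text form that reports both indicators, so it runs on any platform and can be pointed at exports collected from many machines. The export is constructed; in particular the file name under the Windows System Directory is made up, since the description does not give it.

```python
"""Look for Lirva's persistence indicators in a Windows registry export
(.reg text): the Run value 'Avril Lavigne - Muse' and the data key under
HKLM\\Software\\OvG\\Avril Lavigne. Added example for this page, not
F-Secure's tool; the export below is constructed (the copied file name is
made up, the description does not give it)."""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Avril Lavigne - Muse"
DATA_KEY = r"HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne"


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: data}}.
    String data is unescaped; other types (dword:, hex:) are kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)   # '"Name"="data"' or '"Name"=dword:...'
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def lirva_registry_indicators(reg_text):
    """Return findings as strings; an empty list means neither indicator is present."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    findings = []
    run_values = keys.get(RUN_KEY.lower(), {})
    if RUN_VALUE in run_values:
        findings.append("Run value %r starts %s" % (RUN_VALUE, run_values[RUN_VALUE]))
    for key in sorted(keys):
        if key == DATA_KEY.lower() or key.startswith(DATA_KEY.lower() + "\\"):
            findings.append("worm data key present: %s" % key)
    return findings


# Constructed export from an infected machine; the executable name is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\kjhg8721.exe"

[HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne]
"Counter"=dword:00000003
"""


if __name__ == "__main__":
    for finding in lirva_registry_indicators(SAMPLE_REG_EXPORT):
        print(finding)
```

Key paths are compared case-insensitively because the registry itself is, while the value name is compared exactly as the worm writes it. The data of the Run value also tells a responder which file in the Windows System Directory to remove after the process has been stopped.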

Password stealing

Lirva has functionality for stealing passwords. If the computer is connected to the Internet, the worm collects all the cached Windows passwords. These passwords are sent to an external email address; Lirva has two hardcoded email addresses and chooses one at random.

Security software deactivation

After Lirva has infected the system it tries to terminate several antivirus and security products. The worm periodically checks for the presence of the following processes and terminates them if they are running:

 'AVP32.EXE'
 'AVPMON.EXE'
 'ZONEALARM.EXE'
 'VSHWIN32.EXE'
 'VET95.EXE'
 'TBSCAN.EXE'
 'SERV95.EXE'
 'SCAN32.EXE'
 'RAV7.EXE'
 'NAVW.EXE'
 'OUTPOST.EXE'
 'NMAIN.EXE'
 'NAVNT.EXE'
 'MPFTRAY.EXE'
 'LOCKDOWN2000.EXE'
 'ICSSUPPNT.EXE'
 'ICLOAD95.EXE'
 'IAMAPP.EXE'
 'FINDVIRU.EXE'
 'F-AGNT95.EXE'
 'DV95.EXE'
 'DV95_O.EXE'
 'CLAW95CT.EXE'
 'CFIAUDIT.EXE'
 'AVWUPD32.EXE'
 'AVPTC32.EXE'
 '_AVP32.EXE'
 'AVGCTRL.EXE'
 'APVXDWIN.EXE'
 '_AVPCC.EXE'
 'AVPCC.EXE'
 'WFINDV32.EXE'
 'VSECOMR.EXE'
 'TDS2-NT.EXE'
 'SWEEP95.EXE'
 'SCRSCAN.EXE'
 'SAFEWEB.EXE'
 'PERSFW.EXE'
 'NAVSCHED.EXE'
 'NVC95.EXE'
 'NISUM.EXE'
 'NAVLU32.EXE'
 'MOOLIVE.EXE'
 'JED.EXE'
 'ICSUPP95.EXE'
 'IBMAVSP.EXE'
 'FRW.EXE'
 'F-STOPW.EXE'
 'ESPWATCH.EXE'
 'DVP95.EXE'
 'CLAW95.EXE'
 'CFIADMIN.EXE'
 'AVWIN95.EXE'
 'AVPM.EXE'
 'AVP.EXE'
 'AVE32.EXE'
 'ANTI-TROJAN.EXE'
 'WEBSCAN.EXE'
 'WEBSCANX.EXE'
 'VSSCAN40.EXE'
 'TDS2-98.EXE'
 'SPHINX.EXE'
 'SCANPM.EXE'
 'RESCUE.EXE'
 'PCFWALLICON.EXE'
 'PAVCL.EXE'
 'NUPGRADE.EXE'
 'NAVWNT.EXE'
 'NAVAPW32.EXE'
 'LUALL.EXE'
 'IOMON98.EXE'
 'ICMOON.EXE'
 'IBMASN.EXE'
 'FPROT.EXE'
 'F-PROT95.EXE'
 'ESAFE.EXE'
 'CLEANER3.EXE'
 'EFINET32.EXE'
 'BLACKICE.EXE'
 'AVSCHED32.EXE'
 'AVPDOS32.EXE'
 'AVPNT.EXE'
 'AVCONSOL.EXE'
 'ACKWIN32.EXE'
 'VSSTAT.EXE'
 'VETTRAY.EXE'
 'TCA.EXE'
 'SMC.EXE'
 'SCAN95.EXE'
 'RAV7WIN.EXE'
 'PCCWIN98.EXE'
 'PADMIN.EXE'
 'NORMIST.EXE'
 'NAVW32.EXE'
 'N32SCAN.EXE'
 'LOOKOUT.EXE'
 'IFACE.EXE'
 'ICLOADNT.EXE'
 'IAMSERV.EXE'
 'FP-WIN.EXE'
 'F-PROT.EXE'
 'ECENGINE.EXE'
 'CLEANER.EXE'
 'CFIND.EXE'
 'BLACKD.EXE'
 'AVPUPD.EXE'
 'AVKSERV.EXE'
 'AUTODOWN.EXE'
 '_AVPM.EXE'
 'AVPM.EXE'
 'KPFW32.EXE'
 'KPF.EXE'
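Because the worm re-checks and kills these processes periodically, several security products vanishing from the process list within a short interval is itself a detectable symptom. The following is an added example for this page, not F-Secure code: it carries the kill list above (deduplicated, since 'AVPM.EXE' is listed twice) and diffs two process snapshots against it. The snapshots are constructed; the optional live snapshot uses 'tasklist', which exists on Windows NT-based systems only.

```python
"""Detect the mass termination of security products that Lirva performs, by
diffing two snapshots of running process names against the kill list in the
description above. Added example for this page, not F-Secure's code; the
snapshots below are constructed."""
import subprocess
import sys

# The description's kill list, deduplicated (AVPM.EXE appears twice there).
LIRVA_KILL_LIST = set("""
AVP32.EXE AVPMON.EXE ZONEALARM.EXE VSHWIN32.EXE VET95.EXE TBSCAN.EXE SERV95.EXE
SCAN32.EXE RAV7.EXE NAVW.EXE OUTPOST.EXE NMAIN.EXE NAVNT.EXE MPFTRAY.EXE
LOCKDOWN2000.EXE ICSSUPPNT.EXE ICLOAD95.EXE IAMAPP.EXE FINDVIRU.EXE F-AGNT95.EXE
DV95.EXE DV95_O.EXE CLAW95CT.EXE CFIAUDIT.EXE AVWUPD32.EXE AVPTC32.EXE _AVP32.EXE
AVGCTRL.EXE APVXDWIN.EXE _AVPCC.EXE AVPCC.EXE WFINDV32.EXE VSECOMR.EXE TDS2-NT.EXE
SWEEP95.EXE SCRSCAN.EXE SAFEWEB.EXE PERSFW.EXE NAVSCHED.EXE NVC95.EXE NISUM.EXE
NAVLU32.EXE MOOLIVE.EXE JED.EXE ICSUPP95.EXE IBMAVSP.EXE FRW.EXE F-STOPW.EXE
ESPWATCH.EXE DVP95.EXE CLAW95.EXE CFIADMIN.EXE AVWIN95.EXE AVPM.EXE AVP.EXE AVE32.EXE
ANTI-TROJAN.EXE WEBSCAN.EXE WEBSCANX.EXE VSSCAN40.EXE TDS2-98.EXE SPHINX.EXE
SCANPM.EXE RESCUE.EXE PCFWALLICON.EXE PAVCL.EXE NUPGRADE.EXE NAVWNT.EXE NAVAPW32.EXE
LUALL.EXE IOMON98.EXE ICMOON.EXE IBMASN.EXE FPROT.EXE F-PROT95.EXE ESAFE.EXE
CLEANER3.EXE EFINET32.EXE BLACKICE.EXE AVSCHED32.EXE AVPDOS32.EXE AVPNT.EXE
AVCONSOL.EXE ACKWIN32.EXE VSSTAT.EXE VETTRAY.EXE TCA.EXE SMC.EXE SCAN95.EXE
RAV7WIN.EXE PCCWIN98.EXE PADMIN.EXE NORMIST.EXE NAVW32.EXE N32SCAN.EXE LOOKOUT.EXE
IFACE.EXE ICLOADNT.EXE IAMSERV.EXE FP-WIN.EXE F-PROT.EXE ECENGINE.EXE CLEANER.EXE
CFIND.EXE BLACKD.EXE AVPUPD.EXE AVKSERV.EXE AUTODOWN.EXE _AVPM.EXE KPFW32.EXE KPF.EXE
""".split())


def targeted_processes(running):
    """Kill-list entries found in a snapshot: the products Lirva would try to stop."""
    return sorted({p.upper() for p in running} & LIRVA_KILL_LIST)


def security_processes_lost(before, after):
    """Kill-list entries that were running in `before` and are gone in `after`."""
    return sorted(set(targeted_processes(before)) - set(targeted_processes(after)))


def looks_like_lirva_kill(before, after, threshold=2):
    """True when at least `threshold` protected processes vanished between snapshots.
    One product restarting is normal; several disappearing together is not."""
    return len(security_processes_lost(before, after)) >= threshold


def snapshot_processes():
    """Live process names on Windows via 'tasklist /FO CSV /NH'; empty list elsewhere."""
    if not sys.platform.startswith("win"):
        return []
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    return [line.split('","', 1)[0].strip('"')
            for line in out.splitlines() if line.startswith('"')]


# Constructed snapshots, a few seconds apart, on an infected machine.
BEFORE = ["KERNEL32.DLL", "EXPLORER.EXE", "ZONEALARM.EXE", "NAVW32.EXE", "NOTEPAD.EXE"]
AFTER = ["KERNEL32.DLL", "EXPLORER.EXE", "NOTEPAD.EXE"]


if __name__ == "__main__":
    print("lost:", security_processes_lost(BEFORE, AFTER))
    print("suspicious:", looks_like_lirva_kill(BEFORE, AFTER))
```

The threshold of two is a judgement call: a single firewall or scanner exiting is routine, but two unrelated protective processes leaving the table in the same polling interval almost never is. `targeted_processes` on a clean machine also tells you which installed product the worm would silence first, which is useful when deciding what to monitor.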

Payload

If the day of the month is 7, 11 or 24, the worm opens www.avril-lavigne.com in a web browser and displays a graphical effect on the screen.

Although it is not a direct payload, a programming error makes the worm consume an excessive amount of processor time, which in some cases renders the infected computer slow.

Removal

F-Secure Anti-Virus with the latest updates can detect and remove this worm from an infected system.

Disinfection Tool

F-Secure provides a special disinfection tool to clean infected computers of the Lirva worm. The tool is called LirvTool and can be downloaded from our FTP site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/lirvtool.zip

Step-by-step removal instructions can be found here (they are also included in the above-mentioned ZIP archive together with the tool):

ftp://ftp.europe.f-secure.com/anti-virus/tools/lirvtool.txt

Detection

Detection in F-Secure Anti-Virus was published on January 8th, 2003 in update:

Version=2003-01-08_02

[Analysis: Gergely Erdelyi; F-Secure Corp.; January 7-8th, 2003]