W32/Avril-C

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports
Protection available since: 09 Jan 2003 00:00:00 (GMT)
Last Updated: 09 Jan 2003 00:00:00 (GMT)


W32/Avril-C is a worm that spreads in local networks (see W32/Avril-A for further information) and on the internet by sending emails to email addresses gathered from DBX, MBX, WAB, HTML, EML, HTM, ASP and SHTML files. The sent email has the following characteristics:

Subject line - one of the following:
Fw: IREX Fields Description
Re: ACCELS Awards results for 2003
Re: Avril Fans will rock you
Fw: Avril Lavigne - the best
Re: Antique themes
Re: ACTR/ACCELS Transcriptions

Message text - chosen from the following three options:

"EDUCATIONAL PURPOSE
Avril fans subscription
I wish you the sweetest thing"

"Restricted area response team (RART)
Attachment you sent to <UserName> is really good :-)
Well done!
SMTP session error #450: service not ready"

"<See this in attached files
<<New PICS of Avril Lavigne!!!
<<It is honourable when you do it!!!"

Attached file - one of:
Resume.exe
ACTR_Form.exe
AvrilFans.exe
PDF_Desc.exe
XXX_Teens.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe

The worm creates the text file <WinTemp>\randomname.txt containing information about the author of the worm.

W32/Avril-C drops itself into the Windows system folder with a random name and sets the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Mortimer = <System>\randomname.exe

The worm also sets the following registry entry:

HKLM\Software\OvG\Mutter\[Default] = SONNE
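The two registry artifacts above are the most reliable host indicators in this description, since the dropped executable's name is random. The following PowerShell check is an added example, not part of the Sophos page or of any Sophos tool; it assumes it is run in an elevated session on the host being examined and reports whether the Run value "Mortimer" and the OvG\Mutter marker are present.

```powershell
# Added detection example (not from the original page): look for the two
# registry artifacts this description attributes to W32/Avril-C.
# Assumption: run as an administrator on the Windows host under examination.

$findings = @()

# 1. Persistence: Run value "Mortimer" pointing at <System>\randomname.exe.
#    The file name is random, so the value name is what we key on.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runItem = Get-ItemProperty -Path $runKey -Name 'Mortimer' -ErrorAction SilentlyContinue
if ($runItem) {
    $target = $runItem.Mortimer
    $findings += [pscustomobject]@{
        Artifact  = 'Run value Mortimer'
        Value     = $target
        Suspicious = $true
        # Does the referenced executable still exist on disk? (quotes stripped)
        FileOnDisk = Test-Path -LiteralPath ($target -replace '"', '')
    }
}

# 2. Infection marker: HKLM\Software\OvG\Mutter with default value "SONNE".
$markerKey = 'HKLM:\SOFTWARE\OvG\Mutter'
if (Test-Path -Path $markerKey) {
    $default = (Get-ItemProperty -Path $markerKey).'(default)'
    $findings += [pscustomobject]@{
        Artifact   = 'Marker key OvG\Mutter (default)'
        Value      = $default
        Suspicious = ($default -eq 'SONNE')
        FileOnDisk = $null
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Avril-C registry artifacts found on this host.'
} else {
    # Any hit on the Run value, or the marker equal to SONNE, warrants a full scan.
    $findings | Format-Table -AutoSize
}
```

A hit on either artifact is a reason to quarantine the referenced executable and run a full scan, since the worm also drops a text file under <WinTemp> with a random name that this check does not look for.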

Like W32/Avril-A, W32/Avril-C terminates AV products and sends cached passwords to the author, but W32/Avril-C does not spread via IRC, ICQ or KaZaA. On the 7th and 24th of any month the worm opens Internet Explorer at http://www.avril-lavigne.com and randomly moves the mouse cursor around the screen.
