Sophos

W32/Avril-A

Aliases
  • Lirva_A
  • W32/Naith.A-mm

Summary

 
Included in our products from February 2003 (3.66)
Detected by All Sophos products

Action

Please read the instructions for disinfecting W32/Avril-A.

More Information

W32/Avril-A is an internet worm that copies itself into the Windows system folder under a random filename and sets the following registry entry so that the copy runs automatically each time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Avril Lavigne - Muse = <System folder>\randomname.exe

The following registry entries are also created:
HKLM\Software\OvG\Avril Lavigne=Done
HKLM\Software\OvG\Avril Lavigne\PSW-Trojan=1

W32/Avril-A also drops itself into the KaZaA shared folder under one of the attachment filenames listed below, and creates the file <Windows Temp>\avril-ii.inf.

The worm terminates anti-virus products and drops several further copies of itself onto the hard disk under random names.

On the 7th, 11th and 24th of any month, W32/Avril-A opens Microsoft Internet Explorer at www.avril-lavigne.com, draws coloured ellipses in the middle of the screen and displays the text "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg" in the top left corner of the screen.

The worm can send cached passwords to a Russian email address.

W32/Avril-A spreads by emailing itself to addresses harvested from DBX, MBX, WAB, HTML, EML, HTM, TBB, SHTML, NCH and IDX files; the harvested address list is stored in <Windows>\listrecp.dll.

The emails have the following characteristics:
Subject line - one of the following ten, chosen at random:
Fw: Avril Lavigne - the best
Fw: Prohibited customers...
Fwd: Re: Admission procedure
Fwd: Re: Reply on account for Incorrect MIME-header
Re: According to Daos Summit
Re: ACTR/ACCELS Transcriptions
Re: Brigade Ocho Free membership
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security
Re: The real estate plunger

Message body - chosen from 3 alternatives:
"Avril fans subscription
FanList admits you to take in Avril Lavigne 2003
Billboard awards ceremony
Vote for I'm with you!
Admission form attached below"

"Restricted area response team (RART)
Attachment you sent to <UserName> is intended to overwrite
start address at 0000:HH4F
To prevent from the further buffer overflow attacks
apply the MSO-patch"

"Microsoft has identified a security vulnerability in
Microsoft® IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected
and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0
who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft®Tech Support:"

Attached file - one of the following:
AvrilLavigne.exe
AvrilSmiles.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
Download.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Readme.exe
Resume.exe
Singles.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
Two-Up-Secretly.exe
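The subject and attachment lists above are precise indicators for this worm, so they can be matched directly against mail as it is parsed rather than waiting for a signature update. The following mail-gateway triage routine is an added example written for this page, not Sophos' code or part of any Sophos product: it parses RFC 822 messages with Python's standard email module, pulls the subject and every attachment filename, and grades each message against the two lists. The three sample messages are constructed for the example (addresses under example.invalid, a truncated base64 stub in place of the real attachment body).

```python
import email
from email import policy

# Subject lines and attachment names transcribed from the Sophos description above.
AVRIL_SUBJECTS = {
    "Fw: Avril Lavigne - the best",
    "Fw: Prohibited customers...",
    "Fwd: Re: Admission procedure",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: According to Daos Summit",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: Brigade Ocho Free membership",
    "Re: Reply on account for IFRAME-Security breach",
    "Re: Reply on account for IIS-Security",
    "Re: The real estate plunger",
}
# Windows filenames are case-insensitive, so the set is kept lower-cased.
AVRIL_ATTACHMENTS = {name.lower() for name in (
    "AvrilLavigne.exe", "AvrilSmiles.exe", "CERT-Vuln-Info.exe", "Cogito_Ergo_Sum.exe",
    "Complicated.exe", "Download.exe", "IAmWiThYoU.exe", "MSO-Patch-0035.exe",
    "MSO-Patch-0071.exe", "Readme.exe", "Resume.exe", "Singles.exe", "Sk8erBoi.exe",
    "Sophos.exe", "Transcripts.exe", "Two-Up-Secretly.exe",
)}


def attachment_names(msg):
    """Filenames of every leaf MIME part that declares a name."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def classify(raw):
    """Grade one raw RFC 822 message: 'avril-a', 'suspicious' or 'clean'."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    names = attachment_names(msg)
    hits = []
    if subject in AVRIL_SUBJECTS:
        hits.append("subject")
    if any(n.lower() in AVRIL_ATTACHMENTS for n in names):
        hits.append("attachment")
    # Both indicators together are the worm's own mail; one alone is worth a look
    # (e.g. a forwarded copy of the lure text without the executable).
    verdict = "avril-a" if len(hits) == 2 else ("suspicious" if hits else "clean")
    return {"verdict": verdict, "hits": hits, "subject": subject, "attachments": names}


# Constructed sample messages (not real captures).
SAMPLE_WORM = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Re: Reply on account for IIS-Security
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Microsoft has identified a security vulnerability in
Microsoft IIS 4.0 and 5.0
that is eliminated by a previously-released patch.

--XYZ
Content-Type: application/octet-stream; name="MSO-Patch-0071.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="MSO-Patch-0071.exe"

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

SAMPLE_SUBJECT_ONLY = """\
From: fan@example.invalid
To: friend@example.invalid
Subject: Fw: Avril Lavigne - the best

Have you seen this?
"""

SAMPLE_CLEAN = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Re: lunch on Friday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Noon works for me.

--ABC
Content-Type: application/pdf; name="menu.pdf"
Content-Disposition: attachment; filename="menu.pdf"

JVBERi0xLjQK
--ABC--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WORM, SAMPLE_SUBJECT_ONLY, SAMPLE_CLEAN):
        print(classify(raw))
```

Note that several of the attachment names (MSO-Patch-0035.exe, MSO-Patch-0071.exe, CERT-Vuln-Info.exe, Sophos.exe) are chosen to look like vendor patches or advisories; a gateway that relies on name matching alone would miss a variant that renamed them, so the usual policy of stripping or quarantining executable attachments outright remains the primary control, with lists like this one serving to attribute what was caught.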

A user does not need to double-click the attachment to become infected: the worm exploits a security vulnerability in Microsoft Internet Explorer, Outlook and Outlook Express that allows the attachment to run without being opened. To prevent reinfection, users of Microsoft Outlook and Outlook Express should install the following patch from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)

W32/Avril-A also tries to spread across networks by copying itself under a random name into the root folder or the RECYCLED folder of shared drives, then appending a line such as "@win \RECYCLED\randomname.exe" to autoexec.bat on the share so that the copy runs at the remote machine's next startup. The worm can also send itself to ICQ users and spread via mIRC.
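Because the dropped executable has a random name, a host-side check has to key on the artifacts that are fixed: the name of the Run value, the HKLM\Software\OvG marker keys, and the "@win" line written to autoexec.bat. The following triage routine is an added example for this page, not Sophos' disinfection procedure: it parses a .reg export (as produced by regedit /e) and an autoexec.bat file rather than touching the live registry, so it runs offline on any platform against files pulled from a suspect host or share. The sample export and batch file are constructed, the filename qhxlrt.exe stands in for the worm's random name, and the way the page's "Key\Name=Data" notation is mapped onto .reg sections and values is an assumption.

```python
import re

# Fixed indicators transcribed from the Sophos description above. .reg exports
# use the long hive name, so HKLM is written out in full here.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Avril Lavigne - Muse"
OVG_KEY = r"HKEY_LOCAL_MACHINE\Software\OvG"
OVG_SUBKEY = OVG_KEY + r"\Avril Lavigne"

# "@win \RECYCLED\randomname.exe" (or an exe in the share root) appended to
# autoexec.bat; the "@" and the RECYCLED folder are both optional in the match.
AUTOEXEC_RE = re.compile(r"^\s*@?win\s+\\(?:RECYCLED\\)?[^\\\s]+\.exe\s*$", re.IGNORECASE)

_SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key_lower: {value_name: data}}.

    Quoted strings are unescaped, dword values become ints, anything else
    (hex(...) blobs, the @ default value) is left out or kept verbatim.
    """
    keys, current = {}, None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()      # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, raw = _unescape(m.group(1)), m.group(2).strip()
            if raw.startswith('"') and raw.endswith('"'):
                data = _unescape(raw[1:-1])
            elif raw.lower().startswith("dword:"):
                data = int(raw[6:], 16)
            else:
                data = raw
            keys[current][name] = data
    return keys


def check_registry(keys):
    """Findings for the Run value and the two OvG markers; keys on names, not the random exe."""
    findings = []
    run = keys.get(RUN_KEY.lower(), {})
    if RUN_VALUE_NAME in run:
        findings.append("Run value '%s' -> %s" % (RUN_VALUE_NAME, run[RUN_VALUE_NAME]))
    if keys.get(OVG_KEY.lower(), {}).get("Avril Lavigne") == "Done":
        findings.append("infection marker HKLM\\Software\\OvG\\Avril Lavigne=Done")
    if keys.get(OVG_SUBKEY.lower(), {}).get("PSW-Trojan") == 1:
        findings.append("password-stealer marker HKLM\\Software\\OvG\\Avril Lavigne\\PSW-Trojan=1")
    return findings


def check_autoexec(text):
    """Lines of autoexec.bat that launch an exe from the share root or RECYCLED."""
    return [ln.strip() for ln in text.splitlines() if AUTOEXEC_RE.match(ln)]


def triage(reg_text, autoexec_text):
    return check_registry(parse_reg(reg_text)) + \
        ["autoexec.bat: " + ln for ln in check_autoexec(autoexec_text)]


# Constructed sample export and batch file (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM32\\qhxlrt.exe"

[HKEY_LOCAL_MACHINE\Software\OvG]
"Avril Lavigne"="Done"

[HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne]
"PSW-Trojan"=dword:00000001
'''

SAMPLE_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\n@win \\RECYCLED\\qhxlrt.exe\r\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(finding)
```

The executable path recovered from the Run value is the one artifact worth copying off the host for analysis; the other random-named copies, <Windows>\listrecp.dll (the harvested address list) and <Windows Temp>\avril-ii.inf are further file artifacts to look for on the live machine, and any share whose autoexec.bat matches should be treated as a second infected host rather than just cleaned.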
