Summary

| Detected by | All Sophos products |
|---|---|

Action

Please read the instructions for disinfecting W32/Avril-C.

More Information

W32/Avril-C is a worm that spreads in local networks (see W32/Avril-A for further information) and on the internet by sending emails to addresses gathered from DBX, MBX, WAB, HTML, EML, HTM, ASP and SHTML files. The sent email has the following characteristics:

Subject line - one of the following:

- Fw: IREX Fields Description
- Re: ACCELS Awards results for 2003
- Re: Avril Fans will rock you
- Fw: Avril Lavigne - the best
- Re: Antique themes
- Re: ACTR/ACCELS Transcriptions

Message text - chosen from the following three options:

"EDUCATIONAL PURPOSE
Avril fans subscription
I wish you the sweetest thing"

"Restricted area response team (RART)
Attachment you sent to <UserName> is really good :-)
Well done!
SMTP session error #450: service not ready"

"<See this in attached files
<<New PICS of Avril Lavigne!!!
<<It is honourable when you do it!!!"

Attached file - one of:

- Resume.exe
- ACTR_Form.exe
- AvrilFans.exe
- PDF_Desc.exe
- XXX_Teens.exe
- Transcripts.exe
- Readme.exe
- AvrilSmiles.exe

The worm creates the text file <WinTemp>\randomname.txt containing information about the author of the worm.

W32/Avril-C drops itself into the Windows system folder with a random name and sets the following registry entry so that it runs at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Mortimer = <System>\randomname.exe

The worm also sets the following registry entry:

HKLM\Software\OvG\Mutter\[Default] = SONNE

Like W32/Avril-A, W32/Avril-C terminates anti-virus products and sends cached passwords to the author, but W32/Avril-C does not spread via IRC, ICQ or KaZaA. On the 7th and 24th of any month the worm opens Internet Explorer at http://www.avril-lavigne.com and randomly moves the mouse cursor on the screen.
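As an added example (not Sophos code), the email indicators above turned into a mail-gateway check: it parses a message, looks at the subject line and the attachment file names, and flags a hit on either. The two sample messages are constructed for the example; the attachment body is a text placeholder.

```python
import email
from email import policy

# Subject lines and attachment names listed above for W32/Avril-C (lower-cased).
AVRIL_C_SUBJECTS = {
    "fw: irex fields description", "re: accels awards results for 2003",
    "re: avril fans will rock you", "fw: avril lavigne - the best",
    "re: antique themes", "re: actr/accels transcriptions",
}
AVRIL_C_ATTACHMENTS = {
    "resume.exe", "actr_form.exe", "avrilfans.exe", "pdf_desc.exe",
    "xxx_teens.exe", "transcripts.exe", "readme.exe", "avrilsmiles.exe",
}

def avril_c_indicators(raw_message: str) -> dict:
    """Parse one RFC 822 message and report which Avril-C indicators it hits."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    attachments = []
    for part in msg.walk():  # the multipart container itself has no filename
        name = part.get_filename()
        if name and name.strip().lower() in AVRIL_C_ATTACHMENTS:
            attachments.append(name)
    subject_hit = subject in AVRIL_C_SUBJECTS
    # Either hit alone suffices: the worm picks subject and attachment
    # name independently, so a gateway rule must not require both.
    return {"subject_hit": subject_hit, "attachments": attachments,
            "suspect": subject_hit or bool(attachments)}

# Constructed sample messages (not captures); the attachment is a text placeholder.
WORM_MAIL = """\
Subject: Re: Avril Fans will rock you
Content-Type: multipart/mixed; boundary="part"

--part
Content-Type: text/plain

Attachment you sent to <UserName> is really good :-)
--part
Content-Type: application/octet-stream; name="AvrilFans.exe"
Content-Disposition: attachment; filename="AvrilFans.exe"

placeholder
--part--
"""
CLEAN_MAIL = "Subject: Re: lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    print(avril_c_indicators(WORM_MAIL))   # suspect: True
    print(avril_c_indicators(CLEAN_MAIL))  # suspect: False
```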
