The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!


Top 10 malware reported to Sophos in January 2003

Position  Last month  Malware         Percentage of reports
1         New         W32/Avril-B     16.8%
2         New         W32/Avril-A     12.4%
3         2           W32/Klez-H      12.1%
4         New         W32/Sobig-A      6.1%
5         New         W32/Yaha-K       5.7%
6         1           W32/Bugbear-A    5.6%
7         Re-entry    W32/Yaha-E       3.3%
8         9=          W32/ElKern-C     2.1%
9         Re-entry    W95/Spaces       1.5%
10        Re-entry    W32/Flcss        1.2%
          Others                      33.2%

 

This section describes how W32/Avril-B behaves.

W32/Avril-B is an internet worm which spreads via email. W32/Avril-B is an extended variant of W32/Avril-A. For information on the generic features of W32/Avril-B see the description of W32/Avril-A.

W32/Avril-B differs from W32/Avril-A as follows.

The format of the sent email has changed to the following:

Subject line - one of the following 16:
Fw: Avril Lavigne - CHART ATTACK!
Fw: F. M. Dostoyevsky "Crime and Punishment"
Fw: Redirection error notification
Fwd: Re: Have U requested Avril Lavigne bio?
Fwd: Re: Reply on account for Incorrect MIME-header
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Re: According to Purge's Statement
Re: ACTR/ACCELS Transcriptions
Re: Brigada Ocho Free membership
Re: Ha perduto qualque cosa signora?
Re: IREX admits you to take in FSAU 2003
Re: Junior Achievement
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security Breach (TFTP)
Re: Vote seniors masters - don't miss it!

Message text - one of the following 4 alternatives, although the worm may also omit the message text entirely:

"AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:"

"Restricted area response team (RART)
Attachment you sent to is intended to overwrite
start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch"

"Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft®
IIS 4.0 and 5.0 that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected
against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who
have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft® Tech Support:"

"AVRIL LAVIGNE - THE BEST
Avril Lavigne's popularity increases:>
SO: First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list .>.>"

Attachment exe - one of the following 21:
ADialer.exe
ALavigne.exe
AvrilLavigne.exe
AvrilSmiles.exe
BioData.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
EntradoDePer.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Phantom.exe
Readme.exe
Resume.exe
SiamoDiTe.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
TrickerTape.exe
Two-Up-Secretly.exe

The worm may also attach a TXT, HTM, DOC or HTML file to the email from the Personal folder of the user.

W32/Avril-B tries to update itself from the web and also tries to download a backdoor Trojan (apparently Back Orifice 2K) from the web and run it on the user's computer. At the time of this writing the corresponding URL was unavailable. The worm would download the backdoor Trojan into <Windows system>\bo2k.exe and set the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SocketListener =
<Windows system>\bo2k.exe

W32/Avril-B drops a different version of the text file avril-ii.inf and sends the cached passwords to different email addresses.

The payload has also been changed slightly, in that the text displayed in the top left corner of the screen is now "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) VOTE FOR I'm With YoU".
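As an added example (not part of the alert page or of Sophos' write-up), the following Python script triages e-mail against the W32/Avril-B message profile described above: a hit requires both a listed subject line and a listed .exe attachment name, since the description says the body text may be omitted. The subject and attachment lists are a subset of those quoted above, and the sample messages are constructed for the demonstration.

```python
"""Added example (not from the alert page or Sophos): triage e-mail against
the W32/Avril-B message profile (listed subject + listed .exe attachment).
Sample messages are constructed here for demonstration."""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the description above (a subset of each list).
AVRIL_B_SUBJECTS = {
    "Fw: Avril Lavigne - CHART ATTACK!",
    "Fwd: RFC-0245 Specification requested...",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: Junior Achievement",
}
AVRIL_B_ATTACHMENTS = {
    "ADialer.exe", "AvrilLavigne.exe", "CERT-Vuln-Info.exe",
    "MSO-Patch-0035.exe", "Sk8erBoi.exe", "Sophos.exe",
}

def build_sample(subject, attachment_name=None):
    """Construct a sample MIME message (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Chart attack active list:")
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()

def classify(raw):
    """Return (verdict, reasons): 'hit' needs both a listed subject and a
    listed attachment name, a single indicator is 'suspect', else 'clean'.
    The body text is optional per the description, so it is not used."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    subject_hit = subject in AVRIL_B_SUBJECTS
    attach_hits = [p.get_filename() for p in msg.iter_attachments()
                   if p.get_filename() in AVRIL_B_ATTACHMENTS]
    reasons = [f"attachment: {n!r}" for n in attach_hits]
    if subject_hit:
        reasons.insert(0, f"subject: {subject!r}")
    if subject_hit and attach_hits:
        return "hit", reasons
    return ("suspect" if reasons else "clean"), reasons
```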


Our VIRUS Alert Page for 2003

Here you will find recent virus alerts...

January 2003

Name                      Date Discovered  Home Risk     Corporate Risk  Included In DAT
IRC/Backdoor.g            01/31/2003       Low           Low             4247
FDoS-Wping                01/31/2003       Low           Low             4247
DDoS-Smurf                01/31/2003       Low           Low             4247
Exploit-IISInjector       01/31/2003       Low           Low             4247
ProcKill-Z                01/30/2003       Low           Low             4246
IRC-Emoz                  01/30/2003       Low           Low             4247
Keylog-Razytimer          01/30/2003       Low           Low             4246
W32/Gemel.worm            01/29/2003       Low           Low             4246
W32/Bibrog@MM             01/29/2003       Low           Low             4246
Renamer.c                 01/29/2003       Low           Low             4246
DDoS-SQLhuc               01/28/2003       Low           Low             4245
Sadhound                  01/27/2003       Low-Profiled  Low-Profiled    4245
W32/Netspree.worm         01/27/2003       Low           Low             4245
W32/SQLSlammer.worm       01/25/2003       Low-Profiled  Medium          Stinger
W32/Pkasa@MM              01/24/2003       Low           Low             4245
PWS-Likun                 01/24/2003       Low           Low             4246
Linux/Shinject            01/20/2003       Low           Low             4245
PornDial-143 application  01/20/2003       Low           Low             4245
W32/Eslac.worm            01/16/2003       Low           Low             4244
JS/Spth                   01/16/2003       Low           Low             4244
IRC/Backdoor.f            01/15/2003       Low           Low             4244
QDial4                    01/15/2003       Low           Low             4244
Downloader-BS             01/15/2003       Low           Low             4244
Exploit-JBellz            01/14/2003       Low-Profiled  Low-Profiled    4244
MultiDropper-FE           01/14/2003       Low           Low             4244
W32/Sahay.worm            01/13/2003       Low-Profiled  Low-Profiled    4243
DoS-Atho                  01/10/2003       Low           Low             4244
W32/Sobig@MM              01/09/2003       Low           Low             4242
W32/Lirva.c@MM            01/08/2003       Low           Low             4241
W32/Lirva.gen@MM          01/07/2003       Low           Low             4241
W32/Lirva.a@MM            01/06/2003       Low-Profiled  Low-Profiled    4241
MultiDropper-FD           01/06/2003       Low           Low             4242
W32/Speedup.worm          01/06/2003       Low           Low             4242
W32/Yaha.m@MM             01/06/2003       Low           Low             4241
Backdoor-AOK              01/06/2003       Low           Low             4242
W32/Revocer@MM            01/03/2003       Low           Low             4241
IRC-OhShootBot            01/03/2003       Low           Low             4242
W32/Parved                01/02/2003       Low           Low             4242
IRC/Backdoor.e            01/02/2003       Low           Low             4241
W32/Etern.worm            01/01/2003       Low           Low             4241

Copyright © 1998 The Computer Guys