Win32:Naith (also known as Avril, Lirva)

is an Internet worm that copies itself into the Windows system folder under a random name and sets the following registry value so that the copy is executed automatically when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Avril Lavigne - Muse = <path of the worm's copy in the system folder>

Win32:Naith spreads by sending itself to email addresses harvested from files with the DBX, MBX, WAB, HTML, EML, HTM, TBB, SHTML, NCH and IDX extensions on the infected machine. The email has the following characteristics:
Subject: one of the following strings:
Fw: Avril Lavigne - the best
Fw: Prohibited customers...
Fwd: Re: Admission procedure
Fwd: Re: Reply on account for Incorrect MIME-header
Re: According to Daos Summit
Re: ACTR/ACCELS Transcriptions
Re: Brigade Ocho Free membership
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security
Re: The real estate plunger

The message body is one of the following three texts:
"Avril fans subscription
FanList admits you to take in Avril Lavigne 2003
Billboard awards ceremony
Vote for I'm with you!
Admission form attached below"

"Restricted area response team (RART)
Attachment you sent to is intended to overwrite
start address at 0000:HH4F
To prevent from the further buffer overflow attacks
apply the MSO-patch"

"Microsoft has identified a security vulnerability in
Microsoft® IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected
and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0
who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft®Tech Support:"

The attached file can have one of the following names:
AvrilLavigne.exe
AvrilSmiles.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
Download.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Readme.exe
Resume.exe
Singles.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
Two-Up-Secretly.exe
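A mail-gateway check built from the subject lines and attachment names listed above, written in Python as an added example; it is not avast's code and not part of the original description. Beyond the fixed lists it also flags any .exe attachment delivered under a non-application MIME type, which is the general shape of the MIME-header trick this family relies on. The two messages it classifies are constructed samples, not captured worm mail.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names listed in the description above.
NAITH_SUBJECTS = {
    "Fw: Avril Lavigne - the best",
    "Fw: Prohibited customers...",
    "Fwd: Re: Admission procedure",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: According to Daos Summit",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: Brigade Ocho Free membership",
    "Re: Reply on account for IFRAME-Security breach",
    "Re: Reply on account for IIS-Security",
    "Re: The real estate plunger",
}
NAITH_ATTACHMENTS = {
    "avrillavigne.exe", "avrilsmiles.exe", "cert-vuln-info.exe",
    "cogito_ergo_sum.exe", "complicated.exe", "download.exe",
    "iamwithyou.exe", "mso-patch-0035.exe", "mso-patch-0071.exe",
    "readme.exe", "resume.exe", "singles.exe", "sk8erboi.exe",
    "sophos.exe", "transcripts.exe", "two-up-secretly.exe",
}


def classify(raw: bytes) -> dict:
    """Return a verdict ('block'/'pass') and the reasons for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    reasons = []
    if subject in NAITH_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name in NAITH_ATTACHMENTS:
            reasons.append(f"known worm attachment name: {name}")
        elif name.endswith(".exe"):
            reasons.append(f"executable attachment: {name}")
        # Generic check (my generalisation, not from the description): an .exe
        # declared as e.g. audio/x-wav is the MIME-type mismatch the worm's
        # auto-execution trick depends on.
        if name.endswith(".exe") and not ctype.startswith("application/"):
            reasons.append(f"declared type {ctype} does not match attachment {name}")
    return {"subject": subject, "verdict": "block" if reasons else "pass", "reasons": reasons}


def build_sample(subject: str, body: str, filename: str, ctype: str) -> bytes:
    """Build a constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.org"
    m["Subject"] = subject
    m.set_content(body)
    maintype, subtype = ctype.split("/", 1)
    # A few bytes standing in for the attachment body; the content is irrelevant here.
    m.add_attachment(b"MZ\x90\x00", maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples: one that looks like the worm's mail, one that is benign.
WORM_SAMPLE = build_sample(
    "Re: Reply on account for IIS-Security",
    "Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 ...",
    "MSO-Patch-0071.exe",
    "audio/x-wav",
)
BENIGN_SAMPLE = build_sample(
    "Re: meeting notes",
    "Notes attached.",
    "notes.pdf",
    "application/pdf",
)

if __name__ == "__main__":
    for sample in (WORM_SAMPLE, BENIGN_SAMPLE):
        print(classify(sample))
```

The worm sample trips all three checks (known subject, known attachment name, MIME-type mismatch), the benign one none. Variants with other subjects or names still fall through to the generic executable and mismatch checks.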

The worm exploits the well known Incorrect MIME Header vulnerability (MS01-020) in Microsoft Internet Explorer, Outlook and Outlook Express, so the attachment runs as soon as the message is viewed, without the user opening it. It also spreads across networks by copying itself under a random name into the root folder or the RECYCLED folder of remote shared drives and then appending a line such as "@win \RECYCLED\randomname.exe" to AUTOEXEC.BAT on that share, so the copy is executed the next time the remote machine boots. It can also send itself to ICQ contacts and spread via mIRC.

The worm also creates the following registry entries, which serve as its infection markers:
HKLM\Software\OvG\Avril Lavigne=Done
HKLM\Software\OvG\Avril Lavigne\PSW-Trojan=1

The worm drops a copy of itself into the KaZaA shared folder and creates the file avril-ii.inf in the temporary folder. It also tries to terminate the processes of many anti-virus products and writes several copies of itself to the hard disk under random names.
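A host-side check for the persistence and marker artefacts described above (the Run value, the OvG marker entries, the AUTOEXEC.BAT line left on shared drives and avril-ii.inf in the temporary folder), written in Python as an added example; it is not avast's code. It works on a `reg export` text dump, the text of AUTOEXEC.BAT and a listing of the temp folder so it can be run offline against constructed samples; the sample .reg assumes the Done marker is the default value of the Avril Lavigne key, and the random file name kqzvx.exe is made up.

```python
import re

# Indicators from the description above; registry paths are spelled the way
# `reg export` writes them and lower-cased, since registry paths are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "avril lavigne - muse"
MARKER_KEY = r"hkey_local_machine\software\ovg\avril lavigne"
TEMP_MARKER = "avril-ii.inf"
# The line appended to AUTOEXEC.BAT on a shared drive: "@win \RECYCLED\<random>.exe"
AUTOEXEC_RE = re.compile(r"^\s*@?win\s+\\?recycled\\[^\s\\]+\.exe\s*$", re.IGNORECASE)


def parse_reg_export(text: str) -> dict:
    """Minimal parser for regedit / `reg export` text -> {key: {value_name: data}}.

    Keys and value names are lower-cased; only REG_SZ ("...") data is unescaped.
    Value names containing '=' are not handled (none of the indicators need it).
    """
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"').lower()
            # .reg files escape backslashes and quotes inside REG_SZ data
            data = data.strip().strip('"').replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def scan_host(reg_text: str, autoexec_text: str, temp_listing: list) -> list:
    """Report which Win32:Naith indicators are present in the supplied artefacts."""
    findings = []
    keys = parse_reg_export(reg_text)
    run_values = keys.get(RUN_KEY, {})
    if RUN_VALUE in run_values:
        findings.append(f"Run value '{RUN_VALUE}' starts {run_values[RUN_VALUE]}")
    if MARKER_KEY in keys:
        findings.append(f"infection marker key {MARKER_KEY} present: {keys[MARKER_KEY]}")
    for lineno, line in enumerate(autoexec_text.splitlines(), 1):
        if AUTOEXEC_RE.match(line):
            findings.append(f"AUTOEXEC.BAT line {lineno} launches a worm copy: {line.strip()}")
    if any(name.lower() == TEMP_MARKER for name in temp_listing):
        findings.append(f"{TEMP_MARKER} present in the temporary folder")
    return findings


# Constructed sample artefacts (the random file name kqzvx.exe is made up).
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM32\\kqzvx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\OvG\Avril Lavigne]
@="Done"
"PSW-Trojan"="1"
"""
INFECTED_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\n@win \\RECYCLED\\kqzvx.exe\r\n"
INFECTED_TEMP = ["~DF3A2B.tmp", "Avril-II.inf"]

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for finding in scan_host(INFECTED_REG, INFECTED_AUTOEXEC, INFECTED_TEMP):
        print("FOUND:", finding)
    print("clean host findings:", scan_host(CLEAN_REG, "@ECHO OFF\r\n", ["~DF3A2B.tmp"]))
```

On a live machine the three inputs would come from `reg export HKLM\Software out.reg`, the AUTOEXEC.BAT of each share the host can reach, and a listing of %TEMP%; the Run value's data also tells you which random name the copy in the system folder was given.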

When the day of the month is the 7th, 11th or 24th, Win32:Naith opens the home page of the pop-punk singer Avril Lavigne in Internet Explorer and displays coloured ellipses together with the text "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg".

The worm also collects the passwords cached on the machine and sends them to a Russian email address.

Variants:
There are several variants of this worm known to date. These can use different subjects, message bodies and attachment names.

Any avast! with VPS file dated on or after 9th January 2003 is able to detect this worm.
