VIRUS INFO
| Virus name: | I.Worm.Avril.C |
| Alias: | W32.Lirva.C@mm, I-Worm.Avron, W32/Avril.gen@MM, W32/Lirva@MM, Worm/Naith.C, Otto Von Gutenberg |
| Type: | worm |
| Spreading method: | by e-mail, when the received attachment is run; ICQ and mIRC |
| Size: | 34,815 bytes, compressed |
| Destructive: | no |
| Activation date: | immediately, and on the 7th, 11th and 24th of the month |
| Discovered: | 10.01.2003. |
EXPLANATION
This is another variant of the Worm.Avril.A worm.
It arrives as an e-mail in HTML format with the following characteristics:
The Subject line can be one of the following:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Message body:
Network Associates weekly report:
Microsoft has identified a security vulnerability
in Microsoft IIS 4.0 and 5.0 that is eliminated
by a previously-released patch. Customers
who have applied that patch are already
protected against the vulnerability and
do not need to take additional action.
to apply the patch immediately. Microsoft
strongly urges all customers using IIS
4.0 and 5.0 who have not already done
so Patch is also provided to subscribed
list of Microsoft Tech Support: Patch:
Date
Restricted area response team (RART) Attachment
you sent to %s is intended to overwrite
start address at 0000:HH4F To prevent
from the further buffer overflow attacks
apply the MSO-patch
Avril fans subscription FanList admits
you to take in Avril Lavigne 2003 Billboard
awards ceremony Vote for I'm with you!
Admission form attached below
Chart attack active list: Vote fo4r I'm
with you! Vote fo4r Sk8er Boi!Vote fo4r
Complicated!AVRIL LAVIGNE - THE CHART
ATTACK!
AVRIL LAVIGNE - THE BEST Avril Lavigne's
popularity increases:> SO: First, Vote
on TRL for I'm With U! Next, Update your
pics database! Chart attack active list
.>.>
The attachment can be one of the following files:
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
<randomly chosen letters>.TXT
<randomly chosen letters>.DOC
The following files can be found in the root of drive C:
Resume.exe, ADialer.exe, MSO-Patch-0071.exe,
MSO-Patch-0035.exe, Two-Up-Secretly.exe,
Transcripts.exe, Readme.exe, AvrilSmiles.exe,
AvrilLavigne.exe, Complicated.exe, TrickerTape.exe,
Singles.exe, Sophos.exe, Cogito_Ergo_Sum.exe,
CERT-Vuln-Info.exe, Sk8erBoi.exe, IAmWiThYoU.exe,
Phantom.exe, EntradoDePer.exe, SiamoDiTe.exe,
BioData.exe or ALavigne.exe.
The following text can be found in the worm's code itself:
2002 (c) Otto von Gutenberg
Made in .::]|KaZAkHstaN|[::.
As stated before, purpose is only educational,
however...
I'm back to the scene with one more gift
|Avril-II| (remember 'A' version of Avril-II)
HINT:NB: NEVER ACCEPT GIFTS FROM THE STRANGER
Avril-II is commonly dangerous because
of its over-trojaned issues
Greetz to Brigada Ocho (http://vx.netlux.org/~b8),
Darkside Project (http://darkside.dtn.ru)
and Weisses Fleisch Project (http://wf.h1.ru)
Many thankx to my muse Avril Lavigne whose
beauty causes work to flow rapidly
New features included: ICQ/IrC/ShaReD
(urgently persuade to check it instantly)
BackOrifice-server dropper will be included
next time
Cheerz, Otto (www.otto-koden.h1.ru)
For other details, see the description of Worm.Avril.A.
SOLUTION
Download the cleaner.
You should always keep your antivirus program up to date.