Virus name: Lirva (also known as W32.Lirva.A@mm).
Example: [Collected on the Internet, 2003]
There is a new virus moving around pretty quickly. It’s called W32.Lirva.A@mm. This is a mass-mailing worm that propagates itself via email and open network shares (chat programs, file sharing programs, etc).
It attempts to stop anti-virus software and firewalls as well as email cached passwords from your system to the author of the virus. On the 7th, 11th and 24th of each month it will open your browser to www.avril-lavigne.com and display a graphic animation on your desktop. This worm takes advantage of a vulnerability in MS Outlook which allows the virus to auto-execute when previewed.
Origins: The message quoted above is a good description of Lirva (a handle taken from the first name of singer Avril Lavigne spelled backwards), a mass-mailing worm that also spreads through file-sharing programs (such as IRC, ICQ, and KaZaA) and attempts to terminate antivirus and firewall products on infected systems. One of the more “amusing” aspects of this worm is that on the 7th, 11th, and 24th day of each month, it launches web browsers on infected systems and loads the
Microsoft Outlook users who read or preview a message with a Lirva attachment can be infected through a vulnerability in Outlook; a patch is available from Microsoft to close this vulnerability.
Messages containing the Lirva worm are generally sent out with one of the following subject lines:
- Fw: Prohibited customers…
- Re: Brigade Ocho Free membership
- Re: According to Daos Summit
- Fw: Avril Lavigne – the best
- Re: Reply on account for IIS-Security
- Re: ACTR/ACCELS Transcriptions
- Re: The real estate plunger
- Fwd: Re: Admission procedure
- Re: Reply on account for IFRAME-Security breach
- Fwd: Re: Reply on account for Incorrect MIME-header
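As an added example (not part of the original page and not taken from any vendor tool), the subject lines above can be used as a mail-triage check. The function names and the sample message are constructed for illustration; the subjects are those listed above, with typographic dashes and ellipses folded to ASCII and the reply/forward prefixes removed before comparison.

```python
import re
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header

# Subjects from the list above, stored without their Re:/Fw:/Fwd: prefixes.
LIRVA_SUBJECTS = [
    "Prohibited customers...",
    "Brigade Ocho Free membership",
    "According to Daos Summit",
    "Avril Lavigne - the best",
    "Reply on account for IIS-Security",
    "ACTR/ACCELS Transcriptions",
    "The real estate plunger",
    "Admission procedure",
    "Reply on account for IFRAME-Security breach",
    "Reply on account for Incorrect MIME-header",
]

_PREFIX = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)

def normalize(subject):
    """Decode RFC 2047 words, fold typography, drop reply/forward prefixes."""
    text = str(make_header(decode_header(subject)))
    text = unicodedata.normalize("NFKC", text)    # U+2026 becomes "..."
    text = re.sub(r"[\u2010-\u2015]", "-", text)  # en/em dashes to hyphen
    text = re.sub(r"\s+", " ", text).strip()
    return _PREFIX.sub("", text).casefold()

_KNOWN = {normalize(s) for s in LIRVA_SUBJECTS}

def matches_lirva_subject(raw_message):
    """Return True if the message's Subject matches a listed Lirva subject."""
    msg = message_from_string(raw_message)
    return normalize(msg.get("Subject", "")) in _KNOWN

if __name__ == "__main__":
    # Constructed sample message, not a captured Lirva e-mail.
    sample = "From: a@example.test\nSubject: Fwd: Re: Admission procedure\n\nbody\n"
    print(matches_lirva_subject(sample))
```

A subject match on its own is only a triage signal, since several of these subjects could occur in legitimate mail; combine it with attachment inspection before quarantining.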
The enclosed message text will usually be one of the following:
- Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft Tech Support:
- Restricted area response team (RART) Attachment you sent to
- Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I’m with you! Admission form attached below
And the file name of the infected attachment will match one of the following:
Symantec provides a removal tool for Lirva on its web site.
W32.Lirva.A@mm (Symantec Security Response)
Last updated: 28 January 2008