Fact Check

Lirva Virus

Information about the 'Lirva' worm.

Published Jan. 12, 2003


Virus name:   Lirva (also known as W32.Lirva.A@mm).

Status:   Real.

Example:   [Collected on the Internet, 2003]

There is a new virus moving around pretty quickly. It's called W32.Lirva.A@mm. This is a mass-mailing worm that propagates itself via email and open network shares (chat programs, file sharing programs, etc).
It attempts to stop anti-virus software and firewalls as well as email cached passwords from your system to the author of the virus. On the 7th, 11th and 24th of each month it will open your browser to www.avril-lavigne.com and display a graphic animation on your desktop. This worm takes advantage of a vulnerability in MS Outlook which allows the virus to auto-execute when previewed.

Origins:   The message quoted above is a good description of Lirva (a handle taken from the first name of singer Avril Levigne spelled backwards), a mass-mailing worm that also spreads through file-sharing programs (such as IRC, ICQ, and KaZaA) and attempts to terminate antivirus and firewall products on infected systems. One of the more "amusing" aspects of this worm is that on the 7th, 11th, and 24th day of each month, it launches web browsers on infected systems and loads the www.avril-lavigne.com web site while displaying a graphic animation on the desktop.

Microsoft Outlook users who read or preview a message with a Lirva attachment can be infected through
a vulnerability in Outlook; a patch is available from Microsoft to close this vulnerability.

Messages containing the Lirva worm are generally sent out with one of the following subject lines:

  • Fw: Prohibited customers...

  • Re: Brigade Ocho Free membership

  • Re: According to Daos Summit

  • Fw: Avril Lavigne - the best

  • Re: Reply on account for IIS-Security

  • Re: ACTR/ACCELS Transcriptions

  • Re: The real estate plunger

  • Fwd: Re: Admission procedure

  • Re: Reply on account for IFRAME-Security breach

  • Fwd: Re: Reply on account for Incorrect MIME-header

The enclosed message text will usually be one of the following:

  • Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support:
  • Restricted area response team (RART) Attachment you sent to [e-mail address] is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
  • Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below

And the file name of the infected attachment will match one of the following:

  • Resume.exe

  • Download.exe

  • MSO-Patch-0071.exe

  • MSO-Patch-0035.exe

  • Two-Up-Secretly.exe

  • Transcripts.exe

  • Readme.exe

  • AvrilSmiles.exe

  • AvrilLavigne.exe

  • Complicated.exe

  • Singles.exe

  • Sophos.exe

  • Cogito_Ergo_Sum.exe

  • CERT-Vuln-Info.exe

  • Sk8erBoi.exe

  • IAmWiThYoU.exe

Symantec provides a removal tool for Lirva on its web site.

Additional Information:

    W32.Lirva.A@mm W32.Lirva.A@mm (Symantec Security Response)

Last updated:   28 January 2008

David Mikkelson founded the site now known as snopes.com back in 1994.