
W32.LIRVA.A@MM
WORM SPREADS IN THE WILD

Virus Name : W32.Lirva.A@mm
Alias : I-Worm.Lirva, W32/Avril-A, WORM_LIRVA.A, W32.Naith.A
Virus type : Internet worm
Threat level : Low

Virus details :
Lirva is a mass-mailing Internet worm that spreads through e-mail, ICQ, IRC, KaZaA and open network shares. The message body and subject are chosen at random from the worm body. It collects e-mail addresses from DBX, MBX, WAB, HTML, EML, HTM, TBB, SHTML, NCH and IDX files and sends infected messages to them.

The content of the message body is selected from one of the following:
"Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately."

"Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below
Patch is also provided to subscribed list of Microsoft® Tech Support"

"Restricted area response team (RART)
Attachment you sent to VKC is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch"
When the infected attachment is executed, the worm copies itself to the Windows system folder under a random file name and modifies the registry so that it is loaded automatically: it creates a new value in the Run section of the registry. The registry modification is given below.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Avril Lavigne - Muse=%system%\<random file name>
Lirva uses the IFRAME vulnerability to infect. When the user views the e-mail, the embedded code is executed automatically and drops the virus. Microsoft has released security patches to close this security hole. If you haven't installed them, you can get a copy at http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
Lirva sends infected messages using its own SMTP engine. It also has the ability to spread through open network shares: if an open share is found, Lirva copies itself to the RECYCLED folder or the root of the drive and modifies the autoexec.bat file so that it is loaded automatically. If ICQ is installed, it sends a copy of itself to all stored contacts. If mIRC is installed, it modifies SCRIPT.INI to infect other users. If a KaZaA installation is found, it copies itself to the KaZaA download folder under a random name.

Lirva terminates antivirus and security programs installed on the system and copies itself under random file names. Its payload is limited to displaying colored ellipses and the message "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg" on the 7th, 11th and 24th of every month.
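The one host-based indicator the advisory spells out exactly is the Run value name; the dropped file name is random, so a check has to key on the value name and on the drop location rather than on a file name. The following is an added example (not Solo's code and not part of the advisory) of such a check run over a registry export: it parses the text produced by regedit's export (or reg export), reports any Run value named "Avril Lavigne - Muse" as a match, and lists other Run entries that point into the system folder for review. The .reg sample and the file name qwzxv.exe are constructed for the example; the "review" heuristic is an assumption of this example, since legitimate software also starts from the system folder.

```python
import re

# Indicator taken from the advisory above: the Run value name is fixed, while
# the file name under %system% is random per infection.
LIRVA_RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
LIRVA_VALUE_NAME = "Avril Lavigne - Muse"

# %system% is \System32 on NT-based Windows and \System on Windows 9x/Me,
# so both count as "the system folder" for the review heuristic (an assumption
# of this example, not something the advisory states).
SYSTEM_DIRS = ("\\system32\\", "\\system\\")

# Constructed sample of a .reg export (regedit / reg export output), not data
# from a real infection. 'qwzxv.exe' is a made-up stand-in for the random name.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Avril Lavigne - Muse"="C:\\WINNT\\System32\\qwzxv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\Program Files\\MyApp\\app.exe"
"""

# One REG_SZ line in a .reg file: "name"="data", with \" and \\ escapes.
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def _unescape(s):
    """Undo the .reg escaping of quotes and backslashes in a string value."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.

    Only REG_SZ values ("name"="data") are collected; dword/hex values are
    ignored, which is all the Run key check below needs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_lirva_persistence(reg_text):
    """Check every ...\\CurrentVersion\\Run key in the export.

    Returns a list of (severity, key, value_name, data):
      'match'  - the value name the advisory attributes to Lirva
      'review' - any other Run entry pointing into the system folder, which is
                 where the worm drops its randomly named copy (may be legitimate)
    """
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, data in values.items():
            if name.lower() == LIRVA_VALUE_NAME.lower():
                findings.append(("match", key, name, data))
            elif any(d in data.lower() for d in SYSTEM_DIRS):
                findings.append(("review", key, name, data))
    return findings


if __name__ == "__main__":
    for severity, key, name, data in find_lirva_persistence(SAMPLE_REG_EXPORT):
        print(f"[{severity}] {key}\n    {name} = {data}")
```

Run it against an export taken with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU equivalent); a "match" finding is the advisory's indicator, while "review" entries only narrow down what a person needs to look at, because the worm's file name cannot be matched directly.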
How can I protect my system?
Solo has incorporated W32.Lirva.A@mm in its signature file to protect users from this worm attack. Registered Solo antivirus users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?
If you are already infected with this worm, download and install the security patches from the link http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp according to your Internet Explorer version. Then run Solo anti-virus to remove the worm components. Solo antivirus can detect and remove W32.Lirva.A@mm safely. Use the following link to download the 30 day trial version of Solo antivirus to remove viruses from your computer.

Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link 
