Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


W32.LIRVA.A@MM WORM SPREADS IN THE WILD

Virus Name  : W32.Lirva.A@mm

Alias             : I-Worm.Lirva, W32/Avril-A, WORM_LIRVA.A, W32.Naith.A

Virus type    : Internet worm

Threat level : Low

Virus details :

                     Lirva is a mass mailing Internet worm, spreads through e-mail, ICQ, IRC, KaZaA and open network shares. The message body and subject is randomly chosen from the worm body. It collects e-mail addresses from DBX, MBX, WAB, HTML, EML, HTM, TBB, SHTML, NCH and IDX files to send infected messages.  

The content of the message body selected from one of the following:

"Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability
and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so
to apply the patch immediately."

"Avril fans subscription
FanList admits you to take in Avril Lavigne 2003
Billboard awards ceremony
Vote for I'm with you!
Admission form attached below

Patch is also provided to subscribed list of Microsoft® Tech Support"

"Restricted area response team (RART)
Attachment you sent to VKC is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch"

                     When the infected attachment is executed, the worm copies itself to Windows system folder using a random file name and modifies the registry to load automatically. The worm also creates new key in the registry in the Run section. The registry modification is given below.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Avril Lavigne - Muse=%system%\<random file name>

                     Lirva uses IFRAME vulnerability to infect. When the user views the e-mail the embedded code is executed automatically and it drops the virus. Microsoft released security patches to close this security hole. If you haven't installed, you can get a copy at http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

                     Lirva sends infected messages using its own SMTP engine. It has the ability to spread through open network shares. If open share found, Lirva copies to RECYCLED folder or Root drive and modifies autoexec.bat file to load automatically. If ICQ is installed, it sends its copy to all the contacts stored. It mIRC installed, it modifies SCRIPT.INI to infect other users. If KaZaA installation found, it copies to KaZaA download folder with a random name.

                     Lirva terminates antivirus and security programs installed in the system and copies to random file names. Its payload is limited to display colored ellipses and a message "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg" On 7th, 11th and 24th of every month.

How can I protect my system?

                   Solo has incorporated W32.Lirva.A@mm in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

                   If you are already infected with this worm, download and install security patches from the link http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp according to your Internet Explorer version. Then run Solo anti-virus to remove the worm components.

                   Solo antivirus can detect and remove W32.Lirva.A@mm safely. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link