http://www.pcworld.com/news/article/0,aid,108611,00.asp
Lirva Worm Exploits Outlook, IE Security Flaws
New threat is spreading via e-mail and computer networks, posing as a message about singer Avril Lavigne or a Microsoft security patch.
Paul Roberts, IDG News Service
Thursday, January 09, 2003
A new e-mail worm that is spreading on the Internet lures victims with a mention of plucky Canadian singer Avril Lavigne, then steals Microsoft Windows passwords and sends them to e-mail addresses in Russia, according to alerts posted by a number of antivirus software vendors.
The worm, W32/Lirva, spreads by retrieving e-mail addresses from a variety of files stored on a computer's hard drive, then sending copies of itself to those addresses in the form of an executable e-mail attachment, according to information posted on the Web site of Helsinki-based security company F-Secure.
Subject lines for infected e-mail include: "Avril Lavigne - the best," "Reply on account for IIS-Security," and "According to Daos Summit," F-Secure said.
Password Problems
In addition to stealing passwords, on the 7th, 11th, and 24th of any month the worm launches Internet Explorer, connects to an Avril Lavigne Web site, and displays a colored graphic on the infected computer's desktop with the message:
"Avril_Lavigne_Let_Go - My_Muse : ) 2002 (c) Otto von Gutenberg."
The worm, which affects only Windows operating systems, is contained in a wide range of attachments including "AvrilSmiles.exe," "AvrilLavigne.exe," "resume.exe," and "Readme.exe," F-Secure said.
Posing as a Patch
The virus also poses as a Microsoft security patch stored in attachments named "MSO-Patch-0071.exe" and "MSO-Patch-0035.exe," among many others, according to Sophos.
Lirva exploits a well-known security vulnerability in Microsoft's Internet Explorer Web browser and Outlook and Outlook Express e-mail applications. That vulnerability allows the executable file to be launched without user interaction when an e-mail message is opened, or viewed using Outlook's preview feature, according to Sophos.
Microsoft patched the vulnerability with MS01-020. Software updates for the affected products are available on the company's Web site.
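Seen from a mail gateway, the indicators this article quotes (the subject lines, the attachment names, and an executable attachment the recipient would never have to open) are enough for a simple filter. The Python below is an added example, not code from the article or from any vendor it cites. The two sample messages are constructed, the addresses are placeholders, and the executable-extension list and the MIME-mismatch check are the editor's additions: MS01-020 concerned Internet Explorer trusting a message's declared MIME type when deciding how to handle an attachment, so an executable filename carried under a non-application type is worth flagging on its own. The last two checks generalize beyond Lirva's own file names to any executable attachment.

```python
"""Scan raw RFC 822 messages for the Lirva indicators reported in the article.

Added example; not code from the article or from any vendor named in it.
"""
from email import policy
from email.parser import BytesParser

# Indicators quoted in the article (F-Secure and Sophos reports), lowercased.
LIRVA_SUBJECTS = {
    "avril lavigne - the best",
    "reply on account for iis-security",
    "according to daos summit",
}
LIRVA_ATTACHMENTS = {
    "avrilsmiles.exe", "avrillavigne.exe", "resume.exe", "readme.exe",
    "mso-patch-0071.exe", "mso-patch-0035.exe",
}
# Assumption: extensions Windows runs directly; extend for your environment.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (rule_id, detail) findings for one raw message; empty if clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[tuple[str, str]] = []

    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in LIRVA_SUBJECTS:
        findings.append(("lure-subject", subject))

    # iter_attachments() skips the candidate body parts and yields the rest.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        ctype = part.get_content_type()
        if name.lower() in LIRVA_ATTACHMENTS:
            findings.append(("known-payload-name", name))
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(("executable-attachment", name))
            # Declared media type disagrees with an executable filename: the
            # class of inconsistency MS01-020 addressed in Internet Explorer.
            if not ctype.startswith("application/"):
                findings.append(("mime-mismatch", f"{ctype} -> {name}"))
    return findings


# Constructed sample modelled on the article's description; not a real capture.
# The attachment body is base64 of the text "constructed placeholder".
SAMPLE_LIRVA = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: Avril Lavigne - the best
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Avril fans unite</body></html>
--b1
Content-Type: audio/x-wav; name="AvrilSmiles.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AvrilSmiles.exe"

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

# Constructed benign message: an ordinary PDF attachment, nothing to flag.
SAMPLE_BENIGN = b"""From: colleague@example.invalid
To: victim@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached as promised.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, sample in (("lirva", SAMPLE_LIRVA), ("benign", SAMPLE_BENIGN)):
        print(label, scan_message(sample) or "clean")
```

Matching on the quoted subject lines and file names catches only the variants the article lists; the executable-attachment and MIME-mismatch rules are the ones that keep earning their place once the names change.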
Still Spreading
In addition to using e-mail messages to propagate, Lirva is capable of spreading over computer networks and the Kazaa peer-to-peer network by copying itself to shared folders on other computers or tricking users into downloading and running it. The worm is also able to spread over Internet Relay Chat networks, according to F-Secure.
The new worm is currently rated a "low" risk by Symantec and a "medium" risk on Network Associates' McAfee Web site.
Antivirus software companies have provided updated virus profiles for the Lirva worm and have recommended that their customers update their antivirus software to include the new profiles.
Most vendors also have provided instructions and software utilities for removing the virus from machines that have already been infected.