Lirva Worm Exploits Outlook, IE Security Flaws

Discussion in 'malware problems & news' started by Smokey, Jan 12, 2003.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Lirva Worm Exploits Outlook, IE Security Flaws

    New threat is spreading via e-mail and computer networks, posing as a message about singer Avril Lavigne or a Microsoft security patch.

    Paul Roberts, IDG News Service
    Thursday, January 09, 2003

    A new e-mail worm that is spreading on the Internet lures victims with a mention of plucky Canadian singer Avril Lavigne, then steals Microsoft Windows passwords and sends them to e-mail addresses in Russia, according to alerts posted by a number of antivirus software vendors.

    The worm, W32/Lirva, spreads by retrieving e-mail addresses from a variety of files stored on a computer's hard drive, then sending copies of itself to those addresses in the form of an executable e-mail attachment, according to information posted on the Web site of Helsinki-based security company F-Secure.

    Subject lines for infected e-mail include: "Avril Lavigne - the best," "Reply on account for IIS-Security," and "According to Daos Summit," F-Secure said.

    Password Problems
    In addition to stealing passwords, the worm launches--on the 7th, 11th, and 24th of any month--Internet Explorer, connects to an Avril Lavigne Web site, and displays a colored graphic on the infected computer's desktop with the message:

    "Avril_Lavigne_Let_Go - My_Muse : ) 2002 (c) Otto von Gutenberg."

    The worm, which affects only Windows operating systems, is contained in a wide range of attachments including "AvrilSmiles.exe," "AvrilLavigne.exe," "resume.exe," and "Readme.exe," F-Secure said.

    Posing as a Patch
    The virus also poses as a Microsoft security patch stored in attachments named "MSO-Patch-0071.exe" and "MSO-Patch-0035.exe," among many others, according to Sophos.

    Lirva exploits a well-known security vulnerability in Microsoft's Internet Explorer Web browser and Outlook and Outlook Express e-mail applications. That vulnerability allows the executable file to be launched without user interaction when an e-mail message is opened, or viewed using Outlook's preview feature, according to Sophos.

    Microsoft patched the vulnerability, with MS01-020. Software updates for the affected products are available on the company's Web site.

    Still Spreading
    In addition to using e-mail messages to propagate, Lirva is capable of spreading over computer networks and the Kazaa peer-to-peer network by copying itself to shared folders on other computers or tricking users into downloading and running it. The worm is also able to spread over Internet Relay Chat networks, according to F-Secure.

    The new worm is currently rated a "low" risk by Symantec and a "medium" risk on Network Associates' McAfee Web site.

    Antivirus software companies have provided updated virus profiles for the Lirva worm and have recommended that their customers update their antivirus software to include the new profiles.

    Most vendors also have provided instructions and software utilities for removing the virus from machines that have already been infected.

    Original article at: http://www.pcworld.com/news/article/0,aid,108611,00.asp

    personal note: this worm has already knocked on my door last week.......

    Take care of yourself! :rolleyes:
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Smokey,

    Here is the older thread posted by Jack under the Heading of Naith which is another name for this badboy...at this link you will also find free tools to clean this exploit off your system if you get caught without your Trusty Security Software running.

    http://www.wilderssecurity.com/showthread.php?t=6058
     
  3. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Hi Primrose!

    Excusez moi, maybe I need new glasses? :cool:
     
  4. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    No way..these AV companies need to start using a Common Naming Base that makes sense. ;)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.