Description: This mass-mailing worm propagates via email, mapped network-shared drives, IRC, ICQ and KaZaA Peer-to-Peer file sharing.
It arrives as an email attachment with the following details:
Subject: (any of the following)
Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Message body: (any of the following)
Restricted area response team (RART)
Attachment you sent to %string% is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
(*Where %string% is the same as the FROM field)
Or
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft Tech Support:
Or
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003
Billboard awards ceremony
Vote for I'm with you!
Admission form attached below
Attachment: (any of the following)
Resume.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
The infected attachment executes automatically, without the user opening it, on recipient machines running unpatched Internet Explorer 5.01 and 5.5, because the worm's email is constructed to exploit the known vulnerability Automatic Execution of Embedded MIME type. More information on this vulnerability is available in the Microsoft article Incorrect MIME Header Can Cause IE to Execute E-mail Attachment.
This worm, which runs on Windows 95, 98, ME, NT, 2000, and XP, also retrieves cached passwords and sends them to a specific email address. It also terminates certain antivirus programs.
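A mail-gateway check built from the subjects and attachment names listed above, as an added example that is not part of the original description or of any vendor tool. It also goes one step beyond the lists by flagging any `.exe` attachment whose declared media type is non-executable, which is the header mismatch the description refers to. The function name, the set of media types and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Subject fragments and attachment names copied from the description above.
SUBJECT_MARKERS = (
    "Prohibited customers", "Brigade Ocho Free membership",
    "According to Daos Summit", "Avril Lavigne - the best",
    "Reply on account for IIS-Security", "ACTR/ACCELS Transcriptions",
    "The real estate plunger", "Admission procedure",
    "Reply on account for IFRAME-Security breach",
    "Reply on account for Incorrect MIME-header",
)
ATTACHMENT_NAMES = {n.lower() for n in (
    "Resume.exe", "Download.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Two-Up-Secretly.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "AvrilLavigne.exe", "Complicated.exe", "Singles.exe", "Sophos.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe",
)}
# Assumption: media types a gateway should never accept as the label of an .exe.
NON_EXEC_MAINTYPES = {"audio", "image", "video", "text"}


def inspect_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches; empty list means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).lower()
    if any(marker.lower() in subject for marker in SUBJECT_MARKERS):
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            reasons.append("attachment-name:" + name)
        # Declared type contradicts the executable file name (incorrect MIME header).
        if name.endswith(".exe") and part.get_content_maintype() in NON_EXEC_MAINTYPES:
            reasons.append("mime-mismatch:" + part.get_content_type())
    return reasons


# Constructed sample message (not a captured specimen; the payload is a placeholder).
SAMPLE = (
    b"Subject: Re: Reply on account for IIS-Security\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
    b"--B\r\nContent-Type: text/plain\r\n\r\nconstructed body\r\n"
    b'--B\r\nContent-Type: audio/x-wav; name="MSO-Patch-0071.exe"\r\n'
    b'Content-Disposition: attachment; filename="MSO-Patch-0071.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--B--\r\n"
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```

Several of the listed names (for example Resume.exe and Readme.exe) are generic, so a name hit alone is a weak signal; the header mismatch and the subject match are what make a verdict reliable.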
Description created: Jan. 7, 2003 8:08:34 AM GMT -0800