There is a new virus moving around pretty quickly. It's called W32.Lirva.A@mm. This is a mass-mailing worm that propagates itself via email and open network shares (chat programs, file sharing programs, etc).
It attempts to stop anti-virus software and firewalls as well as email cached passwords from your system to the author of the virus. On the 7th, 11th and 24th of each month it will open your browser to www.avril-lavigne.com and display a graphic animation on your desktop. This worm takes advantage of a vulnerability in MS Outlook which allows the virus to auto-execute when previewed.
Origins: The message quoted above is a good description of Lirva (a handle taken from the first name of singer Avril Lavigne spelled backwards), a mass-mailing worm that also spreads through file-sharing programs (such as IRC, ICQ, and KaZaA) and attempts to terminate antivirus and firewall products on infected systems. One of the more "amusing" aspects of this worm is that on the 7th, 11th, and 24th day of each month, it launches web browsers on infected systems and loads the www.avril-lavigne.com web site while displaying a graphic animation on the desktop.
Microsoft Outlook users who read or preview a message with a Lirva attachment can be infected through a vulnerability in Outlook; a patch is available from Microsoft to close this vulnerability.
Messages containing the Lirva worm are generally sent out with one of the following subject lines:
Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
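For mail administrators, the subject list above can be turned into a simple triage check. The following is an added example, not part of the original article or of any antivirus product: it parses a raw message, decodes and unfolds the Subject header, and compares it against the listed subjects. The function names, the three verdict labels, and the sample message (including its placeholder attachment name) are assumptions made for illustration.

```python
import email
from email import policy

# Subject lines this page lists for Lirva-carrying messages.
LIRVA_SUBJECTS = [
    "Fw: Prohibited customers...",
    "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit",
    "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger",
    "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
]

def normalize(subject):
    """Collapse runs of whitespace and ignore case before comparing."""
    return " ".join(subject.split()).casefold()

KNOWN = {normalize(s) for s in LIRVA_SUBJECTS}

def triage(raw_bytes):
    """Classify one raw message: 'quarantine', 'review' or 'pass'."""
    # policy.default unfolds headers and decodes RFC 2047 encoded-words,
    # so an encoded or folded Subject still compares equal.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if normalize(str(msg["Subject"] or "")) not in KNOWN:
        return "pass"
    # The worm travels as an attachment; a bare subject match is weaker evidence.
    has_attachment = next(msg.iter_attachments(), None) is not None
    return "quarantine" if has_attachment else "review"

# Constructed sample message (not a real capture); the file name is a placeholder.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\n"
    b"Subject: =?utf-8?q?Fw=3A_Avril_Lavigne_-_the_best?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="x"\r\n\r\n'
    b"--x\r\nContent-Type: text/plain\r\n\r\nconstructed body\r\n"
    b"--x\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="placeholder.bin"\r\n\r\nAAAA\r\n'
    b"--x--\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A subject match alone is only a hint, since any sender can reuse these strings, which is why a match without an attachment is marked for review rather than quarantined.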
The enclosed message text will usually be one of the following:
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support:
Restricted area response team (RART) Attachment you sent to [e-mail address] is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
And the file name of the infected attachment will match one of the following: