Lirva worm is spreading

An e-mail worm spreading on the Internet lures victims with a mention of plucky Canadian singer Avril Lavigne, then steals Microsoft Windows passwords and sends them to e-mail addresses in Russia, according to alerts posted by a number of antivirus software vendors.

 An e-mail worm spreading on the Internet lures victims with a mention of plucky Canadian singer Avril Lavigne, then steals Microsoft Windows passwords and sends them to e-mail addresses in Russia, according to alerts posted by a number of antivirus software vendors.

The worm, W32/Lirva, spreads by retrieving e-mail addresses from a variety of files stored on a computer’s hard drive, then sending copies of itself to those addresses in the form of an executable e-mail attachment, according to information posted on the Web site of Helsinki-based security company F-Secure.

Subject lines for infected e-mail include: “Avril Lavigne – the best,” “Reply on account for IIS-Security,” and “According to Daos Summit,” F-Secure said.

In addition to stealing passwords, the worm launches – on the seventh, 11th, and 24th of any month – Internet Explorer, connects to an Avril Lavigne Web site, and displays a colored graphic on the infected computer’s desktop with the message:

“Avril_Lavigne_Let_Go – My_Muse : ) 2002 (c) Otto von Gutenberg.”

The worm, which only affects Microsoft Windows operating systems, is contained in a wide range of attachments including “AvrilSmiles.exe,” “AvrilLavigne.exe,” “resume.exe,” and “Readme.exe,” F-Secure said.

The virus also poses as a Microsoft security patch stored in attachments named “MSO-Patch-0071.exe” and “MSO-Patch-0035.exe,” among many others, according to Sophos.

Lirva exploits a well-known security vulnerability in the Microsoft’s Internet Explorer Web browser, Outlook and Outlook Express e-mail applications. That vulnerability allows the executable file to be launched without user interaction when an e-mail message is opened, or viewed using Outlook’s preview feature, according to Sophos.

Microsoft patched the vulnerability, MS01-020. Software updates for the affected products are available on the company’s Web site. (See this Microsoft security bulletin and another Microsoft security bulletin.)

In addition to using e-mail messages to spread, Lirva is capable of spreading over computer networks and the Kazaa peer-to-peer network by copying itself to shared folders on other computers or tricking users into downloading and running it. The worm is also able to spread over Internet Relay Chat (IRC) networks, according to F-Secure.

The new worm is currently rated a “low” risk by Symantec and a “medium” risk on Network Associates’ McAfee Web site.

Antivirus software companies provided updated virus profiles for the Lirva worm and recommended that their customers update their antivirus software to include the new profiles.

Most vendors also provided instructions and software utilities for removing the virus from machines that have already been infected.