
Lirva.A

Computer Virus Year 2003 Started with a Bang - Four new widespread worms found in two days


F-Secure is alerting computer users as four new internet worms are crawling across the globe. These new Windows worms were found on the 8th and 9th of January 2003 and are known as (in order of appearance) Lirva.A, ExploreZip.E, Lirva.B and Sobig.

"Several new viruses are found every day, there's nothing special with that", says Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "But it is not normal to find four new viruses which are all successfully spreading in the wild within two days."

F-Secure Corporation has released a Level 2 Radar alert on all these viruses, indicating that system administrators and end users should make sure their systems are protected. Level 2 is the second highest alert level under the F-Secure Radar alerting system. F-Secure issued 27 Level 2 alerts during all of 2002 (and two Level 1 alerts).

"Apart from the two Lirva variants, these viruses are not related to each other - this does not seem to be a coordinated attack", comments Hypponen. "It seems we just got a really bad start for this year".

Information on the four viruses follows:

Lirva.A
Symantec Security Response has upgraded the W32.Lirva.A@mm threat from a Category 2 to a Category 3
Also Known As: W32/Avril-A [Sophos], W32/Lirva.b@MM [McAfee], WORM_LIRVA.A [Trend], Win32.Lirva.A [CA]
Type: Worm
Infection Length: 32,766 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Lirva (or Avril) is a mass-mailing worm that uses several methods to spread. Besides e-mail, the worm uses the ICQ and IRC chat networks and the Kazaa file-sharing network to spread. It also propagates through shared folders and Windows network drives. Lirva has functionality to disable several antivirus and security applications if it notices their presence. If the worm is active in the system, it tries to steal passwords and send them to an external e-mail address.

E-mails sent by Lirva vary a lot, but they often make references to Avril Lavigne, the Canadian rocker who was nominated for five Grammy awards just two days ago. Apparently the virus was written by a Kazakhstan-based fan of the artist. When the Lirva worm activates, it tries to open the official web site of Avril Lavigne and starts a graphical screen effect consisting of coloured, moving circles.


Lirva.B

Functionally, Lirva.B is very close to the original Lirva virus. It has been modified to evade detection by some anti-virus software. Another difference is that Lirva.B fakes the sender address of infected e-mails, replacing the address of the infected user with the e-mail address of a random innocent bystander. The real e-mail address of the infected user can often be found in the e-mail's "Return-Path" header.

Due to the increasing threat posed by Lirva, Panda Software has made the PQREMOVE utility available to all users. This application is designed to repair the possible damage that the virus could inflict on computers and can be downloaded from:
http://www.pandasoftware.com/download/utilities/


ExploreZip.E

ExploreZip is an internet worm which was first found in June 1999. The original version (ExploreZip.A) spread all over the globe within days of its initial discovery, becoming the first of the really widespread internet worms. Since then, several modified versions of this worm have been found.

On the 8th of January 2003 - three and a half years after the virus was first seen - ExploreZip.E was found. This version was modified so that it was undetectable to most anti-virus programs; the worm functionality stayed the same. All of the ExploreZip variants spread as an e-mail attachment and activate by destroying Microsoft Office documents and source code files on infected computers and on local networks. The worm modifies an infected computer so that the worm replies to unread e-mails, sending dummy e-mail replies with an infected attachment.


Sobig

Sobig is an e-mail and network worm, sending itself around as a PIF e-mail attachment. The worm has remote control functionality through which the virus writer can control infected computers.
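Two of the behaviours described above lend themselves to a simple mail-triage check on the receiving side: Lirva.B's forged From: address, where the Return-Path header still points at the infected user, and Sobig's self-executing PIF attachment. The Python below is an added example, not F-Secure's, Symantec's or any vendor's code. The two sample messages, the attachment file name and the addresses in them are constructed for illustration, and the list of executable extensions beyond .pif is this example's own choice.

```python
"""Mail triage for two worm traits named in the advisory above:
a forged From: header that disagrees with Return-Path (Lirva.B) and
an executable attachment such as .PIF (Sobig). Added example code."""
import email
from email import policy
from email.utils import parseaddr

# Extensions Windows executes directly on double-click. The page names
# only PIF; the rest of the set is this example's own choice.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".vbs"}

# Constructed sample: Lirva.B-style message. The visible From: names an
# innocent bystander, while Return-Path still carries the infected user.
LIRVA_B_SAMPLE = """\
Return-Path: <victim@example.net>
From: Random Bystander <bystander@example.org>
To: someone@example.com
Subject: Fw: Avril Lavigne - the best
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Constructed body text for the example.
"""

# Constructed sample: Sobig-style message with a PIF attachment.
SOBIG_SAMPLE = """\
Return-Path: <sender@example.net>
From: sender@example.net
To: someone@example.com
Subject: Re: Movies
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Constructed body text for the example.
--XYZ
Content-Type: application/octet-stream; name="Sample.pif"
Content-Disposition: attachment; filename="Sample.pif"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""


def sender_addresses(msg):
    """Return (from_addr, return_path), lower-cased, '' when absent."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return from_addr, return_path


def risky_attachments(msg):
    """File names of attachments whose extension is directly executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.lower()
        if any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw_message):
    """Parse one RFC 822 message and report the two indicators.

    sender_mismatch is True when both headers are present and disagree;
    in that case return_path is the address worth following up, since
    the From: address belongs to a bystander."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr, return_path = sender_addresses(msg)
    mismatch = bool(from_addr and return_path and from_addr != return_path)
    return {
        "from": from_addr,
        "return_path": return_path,
        "sender_mismatch": mismatch,
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    for label, sample in (("Lirva.B-style", LIRVA_B_SAMPLE),
                          ("Sobig-style", SOBIG_SAMPLE)):
        print(label, triage(sample))
```

A From/Return-Path mismatch on its own is common for mailing lists and forwarders, so it is a triage signal to pair with the attachment check or with the subject and body patterns the vendor descriptions publish, not a verdict by itself.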

Detailed technical descriptions of these worms as well as a screenshot of the Lirva virus activation circle routine are available in the F-Secure Virus Description database at http://www.f-secure.com/v-descs/

F-Secure Anti-Virus can detect and stop all the mentioned viruses.

More Information:


Symantec Security Response has upgraded the W32.Lirva.A@mm threat from a Category 2 to a Category 3 as of January 9, 2003.
http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html

Win32.Lirva.A and Win32.ExploreZip.91048 Worms
http://support.ca.com/techbases/ilnt/virusalert2.html

More information about W32/Avril-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32avrila.html

More information about W32/ExploreZi-N can be found at:
http://www.sophos.com/virusinfo/analyses/w32explorezin.html

What is Worm/ExplorerZip.E
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030108-000016


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
12/01/2003