Malware Name: WORM_LIRVA.C
Aliases: None
Risk Rating: Medium
Brief Description:
This mass-mailing worm propagates via email, mapped network-shared drives,
IRC, ICQ and KaZaA Peer-to-Peer file sharing. It arrives through email
with the following details:
Subject: (any of the following)
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Body: (any of the following)
AVRIL LAVIGNE - THE BEST
Avril Lavigne's popularity increases:
SO: First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list.
Orginal Message:
Or
Network Associates weekly report:
Microsoft has identified a security vulnerability in MicrosoftIIS 4.0
and 5.0 that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the
vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have
not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft Tech Support:
Or
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:
Attachment: (any of the following)
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
It does not require the email receiver to open the attachment for it
to execute. It uses a vulnerability in Internet Explorer-based email
clients to execute the file attachment automatically, known as Automatic
Execution of Embedded MIME type.
More information about this vulnerability is available at Microsoft's
Security Bulletin.
This malware also retrieves cached passwords and sends them to a
specific email address and has the capability to terminate certain antivirus programs.
The worm runs on Windows 95, 98, NT, 2000, XP, and ME.
Trend Micro will shortly deliver a pattern file to its customers. Other Internet users can use HouseCall, Trend Micro`s free online virus scanner, which can be found at http://housecall.trendmicro.com/
For more information, please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIR
VA.C
Or contact:
Anna Wright,
Trend Micro Europe,
+44 (0)1628 400 534
Anna_wright@trendmicro.co.uk
Lammers van Toorenburg PR
Francine Loos
Tel: +31 (0)30 6565 070
E-mail: francine@lvtpr.nl