New Virus *verified*
Ghetto_Gurl
01-10-2003, 12:12 AM
W32.Lirva.A@mm
Discovered on: January 07, 2003
Last Updated on: January 09, 2003 03:53:39 AM
Due to an increase in submissions, Symantec Security Response has upgraded this threat from a Category 2 to a Category 3 as of January 9, 2003.
W32.Lirva.A is a mass-mailing worm that also spreads via IRC, ICQ, KaZaA, and open network shares. This worm attempts to terminate antivirus and firewall products. It also emails the cached Windows 95/98/Me dial-up networking passwords to the virus writer.
When Microsoft Outlook receives the worm, the worm takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email. Information on this vulnerability and a patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
If the day of the month is the 7th, 11th, or 24th, the worm will launch your Web browser to www.avril-lavigne.com and display a graphic animation on the Windows desktop.
Also Known As: W32/Avril-A [Sophos], W32/Lirva.b@MM [McAfee], WORM_LIRVA.A [Trend], Win32.Lirva.A [CA]
Type: Worm
Infection Length: 32,766 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
CVE References: CVE-2001-0154
Virus Definitions (Intelligent Updater) *: January 07, 2003
Virus Definitions (LiveUpdate™) **: January 07, 2003
* Intelligent Updater virus definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Wild:
Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Removal: Moderate
Threat Metrics
Wild: Medium
Damage: Medium
Distribution: High
Damage
Payload Trigger: If the day of the month is the 7th, 11th, or 24th
Payload: Opens a website and displays an image on the Windows desktop.
Large scale e-mailing: Sends email to addresses found by searching the Windows Address Book and files that have the extensions .dbx, .mbx, .wab, .html, .eml, .htm, .tbb, .shtml, .nch, and .idx
Releases confidential info: Emails cached Windows 95/98/Me dial-up networking passwords to the virus writer
Compromises security settings: Attempts to terminate antivirus and firewall products
Distribution
Subject of email: Various subject lines
Name of attachment: Various attachment names
Size of attachment: 32,766 bytes
Shared drives: Spreads by IRC, ICQ, KaZaA, and open network shares
When W32.Lirva.A is executed, it does the following:
1. Terminates all the processes with these names:
_Avp32.exe
_avpcc.exe
_avpm.exe
Ackwin32.exe
Anti-trojan.exe
Apvxdwin.exe
Autodown.exe
Avconsol.exe
Ave32.exe
Avgctrl.exe
Avkserv.exe
Avp.exe
Avp32.exe
Avpcc.exe
Avpdos32.exe
Avpm.exe
Avpmon.exe
Avpnt.exe
Avptc32.exe
Avpupd.exe
Avsched32.exe
Avwin95.exe
Avwupd32.exe
Blackd.exe
Blackice.exe
Cfiadmin.exe
Cfiaudit.exe
Cfind.exe
Claw95.exe
Claw95ct.exe
Cleaner.exe
Cleaner3.exe
Dv95.exe
Dv95_o.exe
Dvp95.exe
Ecengine.exe
Efinet32.exe
Esafe.exe
Espwatch.exe
F-agnt95.exe
Findviru.exe
Fprot.exe
F-prot.exe
F-prot95.exe
Fp-win.exe
Frw.exe
F-stopw.exe
Iamapp.exe
Iamserv.exe
Ibmasn.exe
Ibmavsp.exe
Icload95.exe
Icloadnt.exe
Icmoon.exe
Icssuppnt.exe
Icsupp95.exe
Iface.exe
Iomon98.exe
Jed.exe
Kpf.exe
Kpfw32.exe
Lockdown2000.exe
Lookout.exe
Luall.exe
Moolive.exe
Mpftray.exe
N32scan.exe
Navapw32.exe
Navlu32.exe
Navnt.exe
Navsched.exe
Navw.exe
Navw32.exe
Navwnt.exe
Nisum.exe
Nmain.exe
Normist.exe
Nupgrade.exe
Nvc95.exe
Outpost.exe
Padmin.exe
Pavcl.exe
Pccwin98.exe
Pcfwallicon.exe
Persfw.exe
Rav7.exe
Rav7win.exe
Rescue.exe
Safeweb.exe
Scan32.exe
Scan95.exe
Scanpm.exe
Scrscan.exe
Serv95.exe
Smc.exe
Sphinx.exe
Sweep95.exe
Tbscan.exe
Tca.exe
Tds2-98.exe
Tds2-nt.exe
Vet95.exe
Vettray.exe
Vsecomr.exe
Vshwin32.exe
Vsscan40.exe
Vsstat.exe
Webscan.exe
Webscanx.exe
Wfindv32.exe
Zonealarm.exe
2. Inventories all the windows and terminates any processes that have the following strings in the title bar of the window:
virus
anti
McAfee
Virus
Anti
AVP
Norton
3. Copies itself as Hidden system files to:
%Temporary%\<random string>
%Temporary%\<random string>.tft
%System%\<random string>.exe
%All Drives%\Recycled\<random string>.exe
%Kazaa Downloads%\<random string>.exe
4. Adds the value:
Avril Lavigne - Muse
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs when you start Windows.
Ghetto_Gurl
01-10-2003, 12:14 AM
If the operating system is Windows NT/2000/XP, the worm will register itself as a service.
5. Creates the registry key:
HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne
and various subkeys that the worm uses to keep track of its infection process.
6. Creates a non-malicious text file %Temporary%\Avril-ii.inf and other temporary files in the Windows Temporary folder.
7. Checks whether the computer is currently connected to a network. If it is not connected, the worm will attempt to dial out using the default dial-up connection profile.
8. Searches the Windows Address Book and files with the extensions .dbx, .mbx, .wab, .html, .eml, .htm, .tbb, .shtml, .nch, and .idx for the email addresses. Then, the worm sends the email messages with these characteristics:
Subject. The subject is one of the following:
Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Message. The message is one of the following:
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support:
Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
Attachment. The attachment is one of the following:
Resume.exe
Download.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
From. The worm uses the default SMTP server and user name for the "From:" address.
When Microsoft Outlook receives the worm, the worm takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email. Information on this vulnerability and a patch can be found at: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
9. As part of the email sending routine, the worm creates the temporary file %Temporary%\NewBoot.sys, which it (usually) deletes now.
10. Searches for the file Icqmapi.dll, by determining the path of the ICQ program files. If the worm finds this file, the worm copies it to the \Windows\System folder and sends itself to all the contacts in the ICQ contact list.
11. Creates a Script.ini file in the mIRC program files folder. This file will connect to the IRC channel #avrillavigne and send itself to others who join any channels that you join.
12. Inventories all the network resources searching for open C shares. If the worm finds an open C share, it copies itself to \Recycled\<random string>.exe on the remote system and modifies the Autoexec.bat file of the remote system to load the worm on startup, by adding the following line:
@win <random string>.exe
13. Copies itself to \Recycled\<random string>.exe on each local hard drive and modifies the Autoexec.bat file (adding the aforementioned line), so that the worm runs when you start Windows (on Windows 95/98/Me computers only).
14. Copies itself as a random file name to the KaZaA download folder.
15. If the day of the month is the 7th, 11th, or 24th, the worm will launch your Web browser to www.avril-lavigne.com and display a graphic animation on the Windows desktop.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Restart the computer in Safe mode.
2. Remove the value that it added to the registry and restart in Normal mode.
3. Update the virus definitions.
4. Run a full system scan and delete all the files detected as W32.Lirva.A@mm.
For specific details on each of these procedures, read the following instructions.
1. Restarting in Safe mode
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."
2. Removing the value from the registry
Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. For instructions, read the document, "How to make a backup of the Windows registry."
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit, and then click OK. (The Registry Editor opens.)
3. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
Avril Lavigne - Muse
5. Exit the Registry Editor.
6. Restart the computer and allow it to start in normal mode.
3. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain the virus definitions. These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate), in the "Protection" section, at the top of this writeup.
Downloading the definitions using the Intelligent Updater. The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater), in the "Protection" section, at the top of this writeup.
The Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
4. Scanning for and deleting the infected files
a. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan All Files."
b. Run a full system scan.
c. If any files are detected as infected with W32.Lirva.A@mm, click Delete.
Write-up by: Atli Gudmundsson
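The write-up above lists several host-side artefacts that survive after the worm runs: the "Avril Lavigne - Muse" value under the Run key, the HKLM\Software\OvG\Avril Lavigne bookkeeping key, the `@win <random string>.exe` line appended to Autoexec.bat, and the Script.ini that joins #avrillavigne. The following is an added example (not Symantec's tool and not code from the thread) that turns those indicators into checks a responder could run over collected artefacts, plus the Autoexec.bat clean-up that the removal instructions call for. It assumes the registry values and file contents have already been exported as plain Python objects; the sample data, including the random file name `kjd9q2.exe`, is constructed for the demonstration.

```python
import re

# Indicators taken from the Symantec write-up quoted above.
RUN_VALUE_NAME = "Avril Lavigne - Muse"          # value added under HKLM\...\CurrentVersion\Run
WORM_REG_KEY = r"HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne"
IRC_CHANNEL = "#avrillavigne"                     # channel named in the dropped mIRC Script.ini
# "@win <random string>.exe" is appended to Autoexec.bat on Win9x/Me and on open C shares.
AUTOEXEC_LINE = re.compile(r"^\s*@win\s+(\S+\.exe)\s*$", re.IGNORECASE)


def check_run_key(run_values):
    """Return the names of Run-key values that match the worm's persistence value.

    run_values is a dict {value_name: command} exported from the Run key by
    whatever registry reader is in use (hypothetical input format).
    """
    return [name for name in run_values if name.lower() == RUN_VALUE_NAME.lower()]


def check_registry_keys(key_paths):
    """True if the worm's bookkeeping key HKLM\\Software\\OvG\\Avril Lavigne is present."""
    return any(path.lower() == WORM_REG_KEY.lower() for path in key_paths)


def check_autoexec(text):
    """Return the executable names loaded by '@win ...' lines in an Autoexec.bat."""
    hits = []
    for line in text.splitlines():
        m = AUTOEXEC_LINE.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def clean_autoexec(text):
    """Autoexec.bat contents with the worm's '@win' loader lines removed (removal step)."""
    kept = [line for line in text.splitlines() if not AUTOEXEC_LINE.match(line)]
    return "\n".join(kept) + "\n"


def check_mirc_script(text):
    """True if a mIRC Script.ini references the worm's IRC channel."""
    return IRC_CHANNEL in text.lower()


def assess_host(run_values, key_paths, autoexec_text, script_ini_text):
    """Combine the checks into a list of readable findings; an empty list means clean."""
    findings = []
    for name in check_run_key(run_values):
        findings.append(f"Run value '{name}' -> {run_values[name]}")
    if check_registry_keys(key_paths):
        findings.append(f"registry key present: {WORM_REG_KEY}")
    for exe in check_autoexec(autoexec_text):
        findings.append(f"Autoexec.bat loads {exe}")
    if check_mirc_script(script_ini_text):
        findings.append(f"mIRC Script.ini joins {IRC_CHANNEL}")
    return findings


# Constructed sample artefacts (not taken from a real infection).
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "Avril Lavigne - Muse": r"C:\WINDOWS\SYSTEM\kjd9q2.exe",   # random name is hypothetical
}
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\Software\Microsoft", WORM_REG_KEY]
SAMPLE_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n@win kjd9q2.exe\n"
CLEAN_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
SAMPLE_SCRIPT_INI = "[script]\nn0=on 1:START: /join #avrillavigne\n"

if __name__ == "__main__":
    for finding in assess_host(SAMPLE_RUN, SAMPLE_KEYS, SAMPLE_AUTOEXEC, SAMPLE_SCRIPT_INI):
        print("FINDING:", finding)
    print("clean host:", assess_host({}, [], CLEAN_AUTOEXEC, ""))
```

The Run-key and Autoexec.bat checks are the ones worth keeping after the definitions catch up, since both are generic persistence points: any unexpected `@win` loader line on a Windows 9x/Me box or unknown Run value is worth a look even when the name is not the one this worm uses.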
adair
01-10-2003, 02:31 AM
This is what TrendMicro had to say about it:
WORM_LIRVA.C
Virus type: Worm
Destructive: No
Aliases: I-Worm.Avron.b, Win32/Naith.C@mm, W32.Lirva.C@mm, W32/Avril-B
Pattern file needed: 435
Scan engine needed: 5.200
Overall risk rating: Medium
--------------------------------------------------------------------------------
Reported infections: Low
Damage Potential: High
Distribution Potential: High
--------------------------------------------------------------------------------
Description:
This memory-resident mass-mailing worm propagates via email, mapped network-shared drives, IRC, ICQ and KaZaA Peer-to-Peer file sharing. It arrives through email with the following details:
Subject: (any of the following)
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Message Body: (any of the following)
AVRIL LAVIGNE - THE BEST
Avril Lavigne's popularity increases:
SO: First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list.
Orginal Message:
Or
Network Associates weekly report:
Microsoft has identified a security vulnerability in MicrosoftIIS 4.0 and 5.0 that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft Tech Support:
Or
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:
Or
Restricted area response team (RART)
Attachment you sent to is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
Attachment: (any of the following)
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
It does not require the email receiver to open the attachment for it to execute. It uses a vulnerability in Internet Explorer-based email clients to execute the file attachment automatically, known as Automatic Execution of Embedded MIME type.
More information about this vulnerability is available at Microsoft’s Security Bulletin.
This malware also retrieves cached passwords and sends them to a specific email address and has the capability to terminate certain antivirus programs.
Upon execution, this malware may terminate the Explorer process, thus hiding the taskbar and desktop icons.
This malware has the capability to terminate certain antivirus processes.
On the 7th, 11th and 24th of every month, it opens the default browser to http://www.avril-lavigne.com and displays shapes and text message on screen.
The UPX-compressed worm runs on Windows 95, 98 and ME. The uncompressed file runs on Windows 95, 98, ME, NT, 2000 and XP.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIRVA.C
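Both write-ups make the same two points a mail administrator can act on: the attachment is an executable that arrives under a lure subject, and it can run without being opened because an incorrect MIME header makes IE-based clients auto-execute it. The following is an added example, not Trend Micro's or Symantec's code and not part of the thread, of a gateway-side check along the lines of the "block or remove email that contains file attachments" advice: it parses a message with Python's standard `email` module, blocks the extensions Symantec names, and separately flags an executable filename declared under a non-application content type, which is the header mismatch the vulnerability depends on. The two sample messages, the addresses and the `_build` helper are constructed for the demonstration.

```python
import base64
import email
import os
from email import policy

# Attachment extensions the Symantec guidance suggests blocking at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# Subject lines listed in the Symantec write-up (a small set of known lures).
LURE_SUBJECTS = {
    "Fw: Prohibited customers...",
    "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit",
    "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger",
    "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
}


def inspect_message(raw):
    """Classify one raw RFC 822 message; returns a report dict with an 'action' field."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"blocked": [], "mime_mismatch": [], "lure_subject": False, "action": "deliver"}
    subject = str(msg["subject"] or "").strip()
    report["lure_subject"] = subject in LURE_SUBJECTS
    for part in msg.iter_attachments():
        # get_filename() falls back to the Content-Type 'name' parameter, which is
        # all an auto-executing attachment may carry (no Content-Disposition header).
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        if ext in BLOCKED_EXTENSIONS:
            report["blocked"].append(name)
        # An .exe declared as something other than application/* is the MIME-header
        # mismatch that tricks the mail client into auto-executing the attachment.
        if ext == ".exe" and not ctype.startswith("application/"):
            report["mime_mismatch"].append((name, ctype))
    if report["blocked"] or report["mime_mismatch"]:
        report["action"] = "quarantine"
    return report


def _build(subject, part_headers, payload):
    """Assemble a two-part multipart/mixed message (constructed test data)."""
    lines = [
        "From: sender@example.invalid",
        "To: user@example.invalid",
        f"Subject: {subject}",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="BOUNDARY"',
        "",
        "--BOUNDARY",
        "Content-Type: text/plain",
        "",
        "message body",
        "--BOUNDARY",
    ] + part_headers + [
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(payload).decode(),
        "--BOUNDARY--",
        "",
    ]
    return "\r\n".join(lines).encode()


# Lure: an executable filename declared under an image content type (constructed).
SAMPLE_LURE = _build(
    "Re: Reply on account for IIS-Security",
    ['Content-Type: image/gif; name="MSO-Patch-0071.exe"'],
    b"MZ constructed placeholder, not a real program",
)
# Benign: an ordinary text attachment with a proper disposition header.
SAMPLE_BENIGN = _build(
    "Lunch on Friday?",
    ['Content-Type: text/plain; name="notes.txt"',
     'Content-Disposition: attachment; filename="notes.txt"'],
    b"see you at noon",
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE_LURE))    # action: quarantine
    print(inspect_message(SAMPLE_BENIGN))  # action: deliver
```

The extension check does the real work; the subject list is only corroboration, since the two vendors already disagree on the exact subject strings between variants and the worm's authors can change them at will. Deciding on the filename rather than the declared content type is the point: the client-side bug is that the declared type is trusted, so the gateway must not repeat that mistake.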
renrut*
01-10-2003, 06:23 AM
OK, so what do I have to do?
chort1313
01-10-2003, 06:29 AM
Make sure you have updated Virus protection software!
Lasher
01-10-2003, 07:27 AM
Norton also has a removal tool available already
http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.removal.tool.html
Ghetto_Gurl
01-10-2003, 09:28 AM
NORTON DOES NOT HAVE AN UPDATE FIX FOR THIS YOU HAVE TO GET IT(removal tool) FROM NORTON IF YOU HAVE NORTON.
renrut*
01-10-2003, 09:43 AM
Says it has not been found. Thanks for the info.
Got lucky this time, lol.
Ghetto_Gurl
01-10-2003, 09:45 AM
REN I HAVE NORTON AND DONT HAVE THIS VIRUS IN MY DEFINITIONS YET(I HAVE DONE A LIVE UPDATE 3 TIMES SINCE GETTING THE WARNING) EMAIL ME REN
[email protected]
Lasher
01-10-2003, 11:03 AM
Originally posted by CuteStuff
NORTON DOES NOT HAVE AN UPDATE FIX FOR THIS YOU HAVE TO GET IT(removal tool) FROM NORTON IF YOU HAVE NORTON.
Norton does have a fix; that's the link I gave. Here's the direct link to the download. You don't need Norton to be able to download or use Norton's fixes; they provide them as a public service. :)
Obtaining and running the tool
IMPORTANT. Read the following Notes before you begin.
You must be logged in as Administrator to run this tool on Windows NT 4.0, Windows 2000, or Windows XP. If you are not sure how to do this, or if you do not have these rights, consult your network administrator or a computer consultant.
1. Download the FixLirva.exe file from: http://securityresponse.symantec.com/avcenter/FixLirva.exe.
2. Save the file to a convenient location, such as your downloads folder or the Windows desktop (or the removable media known to be uninfected).
3. To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.
4. Close all the running programs before running the tool.
5. If you are on a network, or if you have a full-time connection to the Internet, disconnect the computer from the network and Internet.
6. If you are running Windows Me or XP, disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for additional details.
CAUTION: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
7. Double-click the FixLirva.exe file to start the removal tool.
8. Click Start to begin the process, and then allow the tool to run.