W32/Lirva.B Worm

 Information about the W32/Lirva.B worm:

W32/Lirva.B is a worm, which infects Windows systems. It is a variant of W32/Lirva.A. The worm spreads through email, shared network drives, ICQ, IRC and KaZaA P2P software.

The worm arrives with a subject chosen from a list, which is maintained by the worm.

The content of the mail may carry will be any one from the following sets;

Set 1

AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases: SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Chart attack active list. Orginal Message:

Set 2

Network Associates weekly report:
Microsoft has identified a security vulnerability in MicrosoftIIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft Tech Support:

Set 3

AVRIL LAVIGNE - THE CHART ATTACK! Vote fo4r Complicated! Vote fo4r Sk8er Boi! Vote fo4r I'm with you! Chart attack active list:

Set 4

Restricted area response team (RART) Attachment you sent to is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch "

The mail contains an infected attachment, name of the attachment will be chosen from a list of filenames.

Upon execution of the infected attachment, it copies itself with hidden attributes, in the root of C: drive and to the Windows temp folder, with EXE and TFT extensions. It also copies itself under Windows System folder with a random file name chosen by the worm.

It modifies the registry at the following location to load itself during the next startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The worm drops a text file AVRIL-II.INF under Windows temp folder.

After this using its own SMTP engine, the worm mails itself to all email addresses found under MBX, EML, HTM, WAB, NCH, HTML, TBB, SHTML, DBX and IDX extension files. In the network shared drive, it copies itself to \RECYCLED folder and modifies the AUTOEXEC.BAT of the target system to load itself during the next startup. If ICQ is installed it sends itself to all the contacts found under contact list. This worm spreads under mIRC by altering SCRIPT.INI. It also spreads under KaZaA P2P environment, by copying itself to KaZaA download folder.

It carries a payload. On 7th, 11th and 24th of every month, the worm displays horizontal and vertical elliptical shapes on the desktop. It also displays the following string;

AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (C)Otto von Gutenberg

on the upper portion of the screen. The worm tries to remove background processes of major antivirus software installed in the infected computer. It also mails the login information of the local computer's dial-up account to the virus writer.

This worm first appeared on 8th January 2003.

 Other names of W32/Lirva.B worm:

This worm is also known as W32.Lirva.C@mm, Win32/Naith.C@mm, W32/Avril-B