Warning: Three new virus worms on the loose

Link: Festive virus threat in the air

‘Lirva A’ lures its victims with Canadian teen skate punk singer Avril Lavigne as the bait.

The worm arrives as a .exe attachment in an email claiming to offer special access to the singer’s website. In some cases the attachment also claims to be a Microsoft IIS security patch.

Once activated the worm copies itself into the system folder and searches for antivirus software and shuts it down.

It then leaves copies of itself on the hard drive, and on Kazaa file sharing software if present.

Lirva A then emails itself to all addresses in the Windows address book using its own SMTP engine. It is also capable of sending itself to ICQ users and spreading via mIRC.

The payload opens a web page to Avril Lavigne’s website every 7th, 11th and 24th of the month.

It displays a pattern of ellipses on the PC screen, and the message ‘AVRIL_LAVIGNE_LET_GO – MY_MUSE:) 2002 (c) Otto von Gutenberg’ is displayed in the top left corner. It also emails passwords to an overseas account.

However, a new variant has already been released. ‘Lirva C’ is sufficiently different to avoid any antivirus software, although the payload remains the same.

‘This variant is spreading so fast it’s around the world already,” said Raimund Genes, president of operations at Trend Micro.

‘Like Klez it attacks the anti-viral software and in some cases can even shut down protection while leaving the icon visible in the system tray.’

The third worm is far less common but has a far more malicious payload.

Once ‘ExploreZip.E’ gets onto a PC it emails itself out as an attachment in a reply to all read and unread emails in Microsoft Outlook, asking the recipient to read the figures contained in what looks like a standard WinZip file.

Once the mails are sent the worm then overwrites all Microsoft Word, Excel and Powerpoint files on a PC and reduces their size to 0KB.

This make recovery of the information without back-ups very difficult, more so than if the files were simply deleted.

‘We’re keeping a close eye on it as it is so virulent,’ said Jason Holloway, UK manager at F-Secure UK.

‘It’s very well designed to spread across a whole network and, once it gets into a large corporate network, everything gets a copy.’

Related reading

HMRC banknotes