New worm spreads via multiple channels
The Star - Saturday, 11 January 2003
By M. MADHAVAN

PETALING JAYA: Trend Micro Inc has issued an alert on a worm that surfaced last week, WORM_LIRVA.C, which spreads via popular instant messenger software, ICQ; Internet Relay Chat (IRC) software, mIRC; and peer-to-peer filesharing software, Kazaa.

Also identified as Win32.Lirva.B, W32/Avril-B and W32.Lirva.C@mm, the virus is a mass-mailing worm that also spreads via network-shared folders. 

"The virus is dangerous because it has multiple means of propagating itself, besides just e-mailing copies of itself to people on the infected user's address book," said Chin Fang Fang, Trend Micro technical consultant. 

According to the Japan-based antivirus and content security company, whenever the victim launches ICQ, the virus will send a copy of itself to the ICQ contacts of the infected user. 

If the infected user has mIRC, the virus will automatically log the user onto the IRC channel "#avrillavigne" when connecting to an IRC server, and will send a copy of itself to other users who join the affected user's current channel, she said. 

"Besides that, the worm also attempts to terminate antivirus and firewall products and might make the infected user's computer more susceptible to other viruses," Chin said. 

Another major security threat is that the worm connects to a Kazakhstan website web.host.kz and downloads BackOrifice, which it executes, she said. 

BackOrifice allows the target computer to be monitored and controlled remotely, including executing any application on the target computer, logging its keystrokes, restarting the target computer, locking it and transferring files to and from it. 

WORM_LIRVA.C will also e-mail cached Windows 95/98/ME dial-up networking passwords to an anonymous e-mail, Chin said. 

Like most worms, it also exploits a vulnerability in Internet Explorer-based e-mail clients to execute the file attachment carrying the worm automatically when an infected e-mail is read or previewed, she said. 

More info on the vulnerability and a patch can be found at www.microsoft.com/technet/security/bulletin/MS01-020.asp

"Users can easily protect themselves from the virus because most antivirus companies have already updated their virus definitions to detect and remove the virus," she said. 

The payload, which is executed on the 7th, 11th or 24th of the month, will launch the web browser and surf to www.avril-lavigne.com, the official website of young Canadian pop singer Avril Lavigne. 

The virus can only spread to systems running Windows 95, 98, ME, NT, 2000 and XP operating systems. Non-Windows computers are safe.