The New Year is barely a week old and two new worms have already surfaced to cause headaches. Lirva-A uses interest in Canadian pop singer Avril Lavigne to spread. The other, ExploreZip.E, is a variant of a worm that first surfaced three and a half years ago.
Lirva, which has at least two variants flowing about, surfaced Tuesday but has slowly gained momentum. For example, at the day's end Tuesday it was 11th on MessageLabs' threat list. By yesterday, it was fifth. This morning, it was fourth behind Klez and variants of Yaha. In total, the Gloucester, England-based e-mail scanning outsourcer had intercepted 13,484 copies of the worm as of 11 a.m. EST today.
Lirva's progress, however, will likely be limited. Its high profile has meant that a lot of people know about it and have updated their antivirus scanners. But more important, it travels as an executable. "We have seen this a lot lately. Executables get a quick jump out of the gate but don't really go anywhere," said Vincent Gullotto, vice president of McAfee AVERT. Many companies strip executables automatically so antivirus scanners "don't even see the file," he said.
ExploreZip.E has experienced far less traction so far. ExploreZip.E is an e-mail worm that uses Microsoft Outlook to spread. It targets all the unread messages in a user's inbox and sends an infected reply to each sender, so the subject lines are legitimate. Machines without Outlook can still be infected. The message has the following
"I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. "
ExploreZip.E can be destructive. When executed, it searches all drives, looking for files with the following extensions: .c, .cpp, .h, .asm, .doc, .xls and .ppt. It then overwrites them with a zero byte count. This cycle is repeated every 30 minutes.
The worm is technically very similar to ExploreZip.A, which surfaced in June 1999. The difference is that ExploreZip.E is packed differently, which has allowed it to slip by some antivirus scanners, Gullotto said. So far, McAfee has seen only a few reports of it, mostly from the energy sector.
Using packers to modify the source code of viruses is nothing new. Trojan horse writers often use the technique, but worm writers are starting to employ it as well, Gullotto said. In ExploreZip.E's case, the writer modified the packer, which made it even harder to detect.
Lirva's success isn't so complicated
The timing of Lirva was perfect. On Tuesday, it was announced that Lavigne had been nominated for five Grammy awards, tied for the most nominations with veterans Bruce Springsteen and Sheryl Crow. (The worm's name comes from "Avril" spelt backwards. Antivirus companies often invert names so as not to give recognition to the worm writer.)
Lirva is a mass mailer, but it can also spread itself to ICQ users and via mIRC. When a system is infected, it tries to shut off antivirus programs, potentially opening the door to infection from other viruses and worms. Antivirus companies have several different names for it, including Avron and Naith.
Lirva arrives with one of the following subject lines:
- Fw: Avril Lavigne - the best
- Fw: Prohibited customers...
- Fwd: Re: Admission procedure
- Fwd: Re: Reply on account for Incorrect MIME-header
- Re: According to Daos Summit
- Re: ACTR/ACCELS Transcriptions
- Re: Brigade Ocho Free membership
- Re: Reply on account for IFRAME-Security breach
- Re: Reply on account for IIS-Security
- Re: The real estate plunger
The attached virus is named one of the following:
Like Klez and other recent high profile worms, Lirva exploits a similar vulnerability in Microsoft Internet Explorer, Outlook and Outlook Express that would allow the attachment to run even if it's not opened.
When infecting a system, Lirva searches the Outlook "Sent Items" and "Inbox" folders for e-mail addresses. It also looks for addresses in the Windows address book and on the local disk.
In addition to spreading, Lirva drops a copy of itself into the Kazaa folder on infected systems, if the user has one. Kazaa is a popular music- and file-sharing program. The worm also tries to turn off antivirus products.
On the 7th, 11th and 24th of any month, Lirva also launches Microsoft Internet Explorer to www.avril-lavigne.com, the Web site of the worm's namesake. Lavigne joins a long line of celebrities who have received the bittersweet honor of having a virus named after them. Last year, malicious code used interest in Britney Spears and Colombian pop singer Shakira to spread.
FOR MORE INFORMATION:
Feedback on this story? Send your comments to News Writer Edward Hurley