LIRVA virus
Mark Fisher
Technical manager, Trend Micro
2003 has so far been a busy year for virus writers. In January alone, we saw the launch of three significant threats. SQL Slammer grabbed the headlines, but also, notably, in the middle of the month LIRVA was launched. The worm uses the teenage punk singer Avril Lavigne to lure recipients into opening emails.
The worm is received in an attachment offering special access to Avril Lavigne’s website. In some cases the attachment also claims to be a Microsoft IIS security patch.
The worm copies itself on to the hard drive and in to the system folder — from here it searches for the antivirus software and disables it.
Lirva then emails itself to all addresses in the Windows address book using its own SMTP engine. The payload will open a web page to Avril Lavigne’s website every 7th, 11th and 24th of the month.
The user’s PC screen will display ‘AVRIL_LAVIGNE_LET_GO - MY_MUSE:)2002 (c) Otto von Gutenberg’ in the top left corner. The payload also emails passwords to an overseas account.
This mass-mailing worm propagates via email, mapped network shared drives, IRC, ICQ and KaZaA peer-to-peer file sharing. It arrives through email with the following details:
Subject: (any of the following)
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge’s Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach(TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Securitybreach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don’t miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky “Crime and Punishment”
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Body: (any of the following)
AVRIL LAVIGNE - THE BEST
Avril Lavigne’s popularity increases:
SO: First, Vote on TRL for I’m With U!
Next, Update your pics database!
Chart attack active list.
Original Message:
Or
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft Tech Support:
Or
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I’m with you!
Chart attack active list:
0167-4048/03 ©2003 Elsevier Science Ltd 41
Attachment: (any of the following)
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
It does not require the email recipient to open the attachment for it to execute. It uses a vulnerability in Internet Explorer-based email clients to execute the file attachment automatically, known as Automatic Execution of Embedded MIME type.
This malware also retrieves cached passwords and sends them to a specific email address, and has the capability to terminate certain antivirus programs.
The worm runs on Windows 95, 98, NT, 2000, XP and ME.
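The arrival details above are the kind of indicators a mail gateway or incident responder can match on. The following is an added example, not code from the article or from Trend Micro: it parses an RFC 822 message with Python’s standard `email` package and reports which of the listed indicators it matches: a known subject line, a known attachment name, or an attachment whose declared MIME type does not match an executable filename. That last check is an assumption on my part about how the “incorrect MIME header” auto-execution flaw the article refers to presents in a message (a non-executable Content-Type such as `audio/x-wav` carrying an `.exe`); the subject and attachment lists are subsets of those given in the article, and the sample message is constructed, not a real capture.

```python
"""Indicator check for LIRVA-style mass-mailer messages (added example)."""
from email import policy
from email.parser import BytesParser

# Subsets of the subject lines and attachment names listed in the article.
KNOWN_SUBJECTS = {
    "Fw: Redirection error notification",
    "Re: Brigada Ocho Free membership",
    "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: Reply on account for IIS-Security Breach(TFTP)",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: Junior Achievement",
}
KNOWN_ATTACHMENTS = {
    "Resume.exe", "ADialer.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Readme.exe", "AvrilSmiles.exe", "AvrilLavigne.exe", "Complicated.exe",
    "Sophos.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe", "IAmWiThYoU.exe",
    "ALavigne.exe",
}
# Assumption: an executable filename should arrive under one of these types;
# anything else (e.g. audio/x-wav) is treated as a MIME-type mismatch.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
EXECUTABLE_MIME = {"application/octet-stream", "application/x-msdownload"}


def check_message(raw: bytes) -> dict:
    """Return the indicators matched by one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {
        "known_subject": False,
        "known_attachment": [],
        "mime_type_mismatch": [],
    }
    subject = str(msg["subject"] or "").strip()
    findings["known_subject"] = subject in KNOWN_SUBJECTS

    # Walk every MIME part; only parts that carry a filename are attachments.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name in KNOWN_ATTACHMENTS:
            findings["known_attachment"].append(name)
        ctype = part.get_content_type()
        if name.lower().endswith(EXECUTABLE_SUFFIXES) and ctype not in EXECUTABLE_MIME:
            findings["mime_type_mismatch"].append((name, ctype))
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when any indicator matched."""
    return bool(findings["known_subject"]
                or findings["known_attachment"]
                or findings["mime_type_mismatch"])


# Constructed sample message (not a real capture). The base64 body is a
# truncated, inert stub, not a working executable.
SAMPLE_MESSAGE = b"""From: fan@example.invalid
To: victim@example.invalid
Subject: Fw: Avril Lavigne - CHART ATTACK!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

AVRIL LAVIGNE - THE BEST
--XYZ
Content-Type: audio/x-wav; name="AvrilLavigne.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AvrilLavigne.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ--
"""

if __name__ == "__main__":
    result = check_message(SAMPLE_MESSAGE)
    print(result, "suspicious" if is_suspicious(result) else "clean")
```

Run against the sample, the check reports the known subject, the known attachment name and the `audio/x-wav` / `.exe` mismatch. The three indicators are kept separate on purpose: subject and filename lists age quickly as variants are released, whereas the type/extension mismatch catches the delivery trick itself regardless of the names used.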
Trend Micro Top 10 Worldwide Virus listings for the past 30 days:
1) PE FUNLOVE.4099 499,610
2) WORM KLEZ.H 278,018
3) PE ELKERN.D 118,884
4) WORM YAHA.G 100,620
5) WORM YAHA.K 81,166
6) PE NIMDA.A-O 79,178
7) PE NIMDA.E 71,049
8) PE NIMDA.A 65,499
9) JS NOCLOSE.E 40,763
10) WORM BUGBEAR.A 30,262