LIRVA virus

0167-4048/03 ©2003 Elsevier Science Ltd


Mark Fisher

Technical manager, Trend Micro

2003 has so far been a busy year for virus writers. In January alone, we saw the launch of three significant threats. SQL Slammer grabbed the headlines, but also, notably, in the middle of the month LIRVA was launched. The worm uses the teenage punk singer Avril Lavigne to lure recipients into opening emails.

The worm is received in an attachment offering special access to Avril Lavigne’s website. In some cases the attachment also claims to be a Microsoft IIS security patch.

The worm copies itself onto the hard drive and into the system folder — from here it searches for the antivirus software and disables it.

Lirva then emails itself to all addresses in the Windows address book using its own SMTP engine. The payload will open a web page to Avril Lavigne’s website on the 7th, 11th and 24th of every month.

The user’s PC screen will display ‘AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg’ in the top left corner. The payload also emails passwords to an overseas account.

This mass-mailing worm propagates via email, mapped network-shared drives, IRC, ICQ and KaZaA Peer-to-Peer file sharing. It arrives through email with the following details:

Subject: (any of the following)

Fw: Redirection error notification

Re: Brigada Ocho Free membership

Re: According to Purge’s Statement

Fw: Avril Lavigne - CHART ATTACK!

Re: Reply on account for IIS-Security Breach (TFTP)

Re: ACTR/ACCELS Transcriptions

Re: IREX admits you to take in FSAU 2003

Fwd: Re: Have U requested Avril Lavigne bio?

Re: Reply on account for IFRAME-Security breach

Fwd: Re: Reply on account for Incorrect MIME-header

Re: Vote seniors masters - don’t miss it!

Fwd: RFC-0245 Specification requested...

Fwd: RFC-0841 Specification requested...

Fw: F. M. Dostoyevsky “Crime and Punishment”

Re: Junior Achievement

Re: Ha perduto qualque cosa signora?

Body: (any of the following)

AVRIL LAVIGNE - THE BEST

Avril Lavigne’s popularity increases:

SO: First, Vote on TRL for I’m With U!

Next, Update your pics database!

Chart attack active list.

Original Message:

Or

Network Associates weekly report:

Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch.

Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.

Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.

Patch is also provided to subscribed list of Microsoft Tech Support:

Or

AVRIL LAVIGNE - THE CHART ATTACK!

Vote fo4r Complicated!


Vote fo4r Sk8er Boi!

Vote fo4r I’m with you!

Chart attack active list:

Attachment: (any of the following)

Resume.exe

ADialer.exe

MSO-Patch-0071.exe

MSO-Patch-0035.exe

Two-Up-Secretly.exe

Transcripts.exe

Readme.exe

AvrilSmiles.exe

AvrilLavigne.exe

Complicated.exe

TrickerTape.exe

Sophos.exe

Cogito_Ergo_Sum.exe

CERT-Vuln-Info.exe

Sk8erBoi.exe

IAmWiThYoU.exe

Phantom.exe

EntradoDePer.exe

SiamoDiTe.exe

BioData.exe

ALavigne.exe

It does not require the email recipient to open the attachment for it to execute. It uses a vulnerability in Internet Explorer-based email clients to execute the file attachment automatically, known as Automatic Execution of Embedded MIME type.

This malware also retrieves cached passwords and sends them to a specific email address and has the capability to terminate certain antivirus programs.

The worm runs on Windows 95, 98, NT, 2000, XP, and ME.
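As an added example (not from the article or from Trend Micro), a mail-gateway check built from the indicators above: it flags the known LIRVA subject lines and attachment names, and also the generic condition the automatic-execution trick relies on, an executable attachment declared under a non-application MIME type. The two sample messages are constructed, and the subject and attachment sets are a subset of the lists above.

```python
import email
from email import policy

# Subset of the subject lines and attachment names listed in the article
LIRVA_SUBJECTS = {
    "Fw: Redirection error notification",
    "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
}
LIRVA_ATTACHMENTS = {
    "Resume.exe", "MSO-Patch-0071.exe", "AvrilLavigne.exe",
    "Sophos.exe", "CERT-Vuln-Info.exe",
}
# Assumption: extensions a gateway should treat as executable
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat")


def scan_message(raw: bytes) -> list:
    """Return the reasons a message looks like a LIRVA lure (empty list = nothing found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in LIRVA_SUBJECTS:
        reasons.append(f"known LIRVA subject: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # container or inline text part, no attachment name
        if name in LIRVA_ATTACHMENTS:
            reasons.append(f"known LIRVA attachment name: {name}")
        ctype = part.get_content_type()
        # An executable advertised as something else is what lets an
        # IE-based client run it without the user opening it.
        if name.lower().endswith(EXEC_SUFFIXES) and not ctype.startswith("application/"):
            reasons.append(f"executable {name} declared as {ctype} (MIME-type mismatch)")
    return reasons


# Constructed sample: a lure-style message with a mislabelled .exe attachment
SAMPLE_LURE = (b"From: friend@example.test\nTo: victim@example.test\n"
               b"Subject: Fw: Avril Lavigne - CHART ATTACK!\nMIME-Version: 1.0\n"
               b"Content-Type: multipart/mixed; boundary=\"b1\"\n\n"
               b"--b1\nContent-Type: text/plain\n\nAVRIL LAVIGNE - THE CHART ATTACK!\n"
               b"--b1\nContent-Type: audio/x-wav; name=\"AvrilLavigne.exe\"\n"
               b"Content-Disposition: attachment; filename=\"AvrilLavigne.exe\"\n"
               b"Content-Transfer-Encoding: base64\n\nQUJD\n--b1--\n")
# Constructed sample: an ordinary plain-text message
SAMPLE_CLEAN = (b"From: colleague@example.test\nTo: victim@example.test\n"
                b"Subject: Re: meeting notes\nContent-Type: text/plain\n\nSee you at 10.\n")
```

Running `scan_message(SAMPLE_LURE)` yields three findings (subject, attachment name, MIME mismatch), while the clean message yields none.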


Trend Micro Top 10 Worldwide Virus listings for the past 30 days:

1) PE FUNLOVE.4099 499,610

2) WORM KLEZ.H 278,018

3) PE ELKERN.D 118,884

4) WORM YAHA.G 100,620

5) WORM YAHA.K 81,166

6) PE NIMDA.A-O 79,178

7) PE NIMDA.E 71,049

8) PE NIMDA.A 65,499

9) JS NOCLOSE.E 40,763

10) WORM BUGBEAR.A 30,262