||||
Symantec.com > Security Response > Threats and Risks > W32.Lirva.C@mm
PRINT THIS PAGE

W32.Lirva.C@mm

Risk Level 2: Low

Download Removal Tool | Printer Friendly Page

Discovered: January 8, 2003
Updated: February 13, 2007 11:42:11 AM
Also Known As: Win32.Lirva.B [CA], W32/Avril-B [Sophos], WORM_LIRVA.C [Trend], I-Worm.Avron.b [KAV], W32/Lirva.c@MM [McAfee]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References: CVE-2001-0154


NOTE: Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 as of February 28, 2003.

W32.Lirva.C@mm is a mass-mailing worm that also spreads by IRC, ICQ, KaZaA, and open network shares. It is a variant of W32.Lirva.A@mm. This worm attempts to terminate antivirus and firewall products. It also emails the cached Windows 95/98/Me dial-up networking passwords to the virus writer.

The worm connects to a Web site on web.host.kz/ and downloads BackOrifice, which it executes. W32.Lirva.C@mm also attempts to download another file, which is currently not present on the Web site.

When Microsoft Outlook receives the worm, it takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email. Information on this vulnerability and a patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

If the day of the month is the 7th, 11th, or 24th, the worm will launch your Web browser to www.avril-lavigne.com and display a graphic animation on the Windows desktop.




As with many other worms, this worm takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email. Information on this vulnerability and a patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

Protection

  • Initial Rapid Release version January 8, 2003
  • Latest Rapid Release version February 21, 2009 revision 038
  • Initial Daily Certified version January 8, 2003
  • Latest Daily Certified version February 22, 2009 revision 003
  • Initial Weekly Certified release date January 9, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High

Writeup By: Eric Chien
Search by name
Example: W32.Beagle.AG@mm
Learn more about Zero-Day / Operation Aurora / Hydraq
Symantec DeepSight Screensaver
©1995 - 2010 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS