We have reports of a new worm called W32/Lirva.C@mm which is in the wild, i.e., reported to be infecting a good number of computers. This worm is a variant of W32/Lirva.A@mm and closely resembles the original. It arrives as an e-mail attachment and can sometimes run automatically on computers with a vulnerable version of Internet Explorer: the worm randomly chooses whether to use the "Malformed MIME header" vulnerability in Internet Explorer to execute without the user opening the attachment. It also tries to spread through ICQ, IRC and KaZaa, and carries a password stealer as its payload.
You can find more information about this vulnerability at http://www.gfi.com/emailsecuritytest/faq.htm#mime
To test your email client for this vulnerability also check http://www.gfi.com/emailsecuritytest/ and select the "MIME header vulnerability test".
Subject line: The subject of the e-mail will be one of the below:

Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement'
Re: Ha perduto qualque cosa signora?'
Message body: The body of the e-mail will be one of the below:

AVRIL LAVIGNE - THE CHART ATTACK! Vote fo4r Complicated! Vote fo4r Sk8er Boi! Vote fo4r I'm with you! Chart attack active list:
or
Restricted area response team (RART) Attachment you sent to recipient adress is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
or
Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
or
AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:> SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Chart attack active list .>.>
Attachment filename: Varies; the extension can be .exe or .scr.
If the user runs the executable, or is using an unpatched version of Internet Explorer that executes it automatically, the worm harvests e-mail addresses from the user's Outlook Address Book and from DBX, EML, HTM, HTML, IDX, MBX, NCH, SHTML, TBB and WAB files on disk, and mails infected copies of itself to those addresses. Lirva uses its own SMTP routines for propagation rather than the user's mail client.
Severity: Attempts to disable antivirus and firewall software, and download a backdoor trojan.
Avoidance Action: Make sure your virus definition files are up to date. Block all incoming and outgoing EXE attachments.
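The two gateway-side indicators this advisory gives (the fixed list of subject lines, and an .exe or .scr attachment) can be checked before a message reaches a client that might auto-run the attachment. The following is an added example written for this alert, not GFI's code or a Lirva sample: it parses an RFC 822 message with Python's standard email library, matches the Subject against the advisory's list, looks for executable attachment names, and applies the "block all EXE" advice as a quarantine decision. The sample messages it builds are constructed for the example; the quarantine policy (any executable attachment, or any listed subject) is the example's own choice.

```python
"""Mail-gateway triage for W32/Lirva.C@mm indicators (added example, not GFI's code)."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines exactly as listed in the advisory.
LIRVA_SUBJECTS = {
    "Fw: Redirection error notification",
    "Re: Brigada Ocho Free membership",
    "Re: According to Purge's Statement",
    "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: IREX admits you to take in FSAU 2003",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: Vote seniors masters - don't miss it!",
    "Fwd: RFC-0245 Specification requested...",
    "Fwd: RFC-0841 Specification requested...",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"',
    "Re: Junior Achievement'",
    "Re: Ha perduto qualque cosa signora?'",
}

# Extensions the advisory names for the attachment; the avoidance action says to block EXE.
EXECUTABLE_EXTENSIONS = {".exe", ".scr"}


def attachment_names(msg):
    """Return the filenames of every leaf MIME part that declares one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def triage(raw: bytes) -> dict:
    """Inspect one raw message and decide whether the gateway should quarantine it."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = attachment_names(msg)
    executables = [
        n for n in names
        if os.path.splitext(n.lower())[1] in EXECUTABLE_EXTENSIONS
    ]
    subject_match = subject in LIRVA_SUBJECTS
    return {
        "subject": subject,
        "subject_match": subject_match,
        "executable_attachments": executables,
        # Policy of this example: block executables outright (the advisory's advice)
        # and also hold anything carrying one of the worm's known subjects.
        "quarantine": bool(executables) or subject_match,
    }


def build_sample(subject: str, filename: str) -> bytes:
    """Build a constructed test message with one attachment (not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Constructed body for the example.")
    msg.add_attachment(
        b"placeholder bytes, not executable content",
        maintype="application", subtype="octet-stream", filename=filename,
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [
        ("Re: Brigada Ocho Free membership", "report.scr"),
        ("Weekly status", "notes.txt"),
    ]:
        print(triage(build_sample(subj, fname)))
```

A real gateway would also inspect the attachment's own bytes rather than trusting the declared filename; the example limits itself to the two indicators the advisory states.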
For more updated information: http://www.gfi.com/security
References:
http://www.norman.com/virus_info/w32_lirva_c_mm.shtml
http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=119
http://vil.nai.com/vil/content/v_99953.htm
About GFI

GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. Founded in 1992, GFI has offices in Malta, London, Raleigh, Hong Kong, and Adelaide which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners throughout the world. GFI is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
All product and company names herein may be trademarks of their respective owners.