
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Lirva.C

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects

Lirva.C has the following effects:

  • It ends the following processes belonging to antivirus programs, among others, if they are active:
    _AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPMON.EXE, AVPNT.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFIND.EXE, CLAW95.EXE, CLAW95CT.EXE, CLEANER.EXE, CLEANER3.EXE, DV95.EXE, DV95_O.EXE, DVP95.EXE, ECENGINE.EXE, EFINET32.EXE, ESAFE.EXE, ESPWATCH.EXE, F-AGNT95.EXE, FINDVIRU.EXE, FPROT.EXE, F-PROT.EXE, F-PROT95.EXE, FP-WIN.EXE, FRW.EXE, F-STOPW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMOON.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, IFACE.EXE, IOMON98.EXE, JED.EXE, KPF.EXE, KPFW32.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LUALL.EXE, MOOLIVE.EXE, MPFTRAY.EXE, N32SCAN.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVSCHED.EXE, NAVW.EXE, NAVW32.EXE, NAVWNT.EXE, NISUM.EXE, NMAIN.EXE, NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, OUTPOST.EXE, PADMIN.EXE, PAVCL.EXE, PCCWIN98.EXE, PCFWALLICON.EXE, PERSFW.EXE, RAV7.EXE, RAV7WIN.EXE, RESCUE.EXE, SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SERV95.EXE, SMC.EXE, SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE, VET95.EXE, VETTRAY.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSCAN40.EXE, VSSTAT.EXE, WEBSCAN.EXE, WEBSCANX.EXE, WFINDV32.EXE and ZONEALARM.EXE.
  • It also looks for processes containing the following text strings in order to end them: Anti, anti, AVP, McAfee, Norton, virus and Virus.
  • The worm also collects passwords from the computers it affects and sends them to a certain address via e-mail.
  • Lirva.C connects to the server web.host.kz/ and tries to download three files: AVRIL.EXE, BO2K.EXE and BO2K_UPX.EXE. The last two files belong to the backdoor type Trojan BackOrifice. However, these files are not available on this server at the moment.
  • On the 7th, 11th and 24th of every month, Lirva.C launches the browser Internet Explorer and connects to the web page http://www.avril-lavigne.com. Then it displays several colored ellipses on screen and the message "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) VOTE FOR I’m With YoU" on the top left corner of the screen.

Infection strategy

Lirva.C creates the following files:

  • A file in the root directory of the hard drive under one of the following names:
    RESUME.EXE, ADIALER.EXE, MSO-PATCH-0071.EXE, MSO-PATCH-0035.EXE, TWO-UP-SECRETLY.EXE, TRANSCRIPTS.EXE, README.EXE, AVRILSMILES.EXE, AVRILLAVIGNE.EXE, COMPLICATED.EXE, TRICKERTAPE.EXE, SINGLES.EXE, SOPHOS.EXE, COGITO_ERGO_SUM.EXE, CERT-VULN-INFO.EXE, SK8ERBOI.EXE, IAMWITHYOU.EXE, PHANTOM.EXE, ENTRADODEPER.EXE, SIAMODITE.EXE, BIODATA.EXE or ALAVIGNE.EXE. This file is a copy of the worm.
  • A file in the Windows system directory under a name generated at random with 11 characters. This file is a copy of the worm.
  • It inserts three files in the Windows temporary directory: one with a random name that is 8 characters long and a TFT extension, and the other two with one of the following names:

    RESUME.EXE, ADIALER.EXE, MSO-PATCH-0071.EXE, MSO-PATCH-0035.EXE, TWO-UP-SECRETLY.EXE, TRANSCRIPTS.EXE, README.EXE, AVRILSMILES.EXE, AVRILLAVIGNE.EXE, COMPLICATED.EXE, TRICKERTAPE.EXE, SINGLES.EXE, SOPHOS.EXE, COGITO_ERGO_SUM.EXE, CERT-VULN-INFO.EXE, SK8ERBOI.EXE, IAMWITHYOU.EXE, PHANTOM.EXE, ENTRADODEPER.EXE, SIAMODITE.EXE, BIODATA.EXE or ALAVIGNE.EXE.
  • LISTRECP.DLL in the Windows directory.
  • AVRIL-II.INF in the Windows temporary directory.
  • A file with a random name that is 8 characters long in the directories in which the files INDEX.HTML or EFAULT.HTML are stored. It also inserts a script in these directories so that when these files are run, the copy of the worm is also run.

If the chat application IRC is installed on the affected computer, Lirva.C modifies the file SCRIPT.INI. By doing so, it can spread through this program.

Lirva.C creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Avril Lavigne - Muse = C:\Windows\system\file_name.exe

    where file_name.exe is the name of the file that Lirva.C has copied, under a random name, in the Windows system directory.
    By creating this entry, Lirva.C ensures it is run whenever Windows is started.

Lirva.C can automatically affect computers in the following ways:

  • When the e-mail message carrying the worm is viewed through Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5).
  • When the file carrying the worm is opened or executed.

Means of transmission

Lirva.C uses different means of transmission to reach computers: e-mail, the peer-to-peer (P2P) file sharing program KaZaA, the chat applications IRC and ICQ, and shared network drives.

1. Transmission via e-mail.

Lirva.C follows the routine below:

  • It reaches the computer in an e-mail message with variable characteristics:

    Subject: one of the following:

    Fw: Avril Lavigne - CHART ATTACK!
    Fw: F. M. Dostoyevsky "Crime and Punishment"
    Fw: Redirection error notification
    Fwd: Re: Have U requested Avril Lavigne bio?
    Fwd: Re: Reply on account for Incorrect MIME-header
    Fwd: RFC-0245 Specification requested...
    Fwd: RFC-0841 Specification requested...
    Re: According to Purge's Statement
    Re: ACTR/ACCELS Transcriptions
    Re: Brigada Ocho Free membership
    Re: Ha perduto qualque cosa signora?
    Re: IREX admits you to take in FSAU 2003
    Re: Junior Achievement
    Re: Reply on account for IFRAME-Security breach
    Re: Reply on account for IIS-Security Breach (TFTP)
    Re: Vote seniors masters - don't miss it!

  • Message: one of the following:
    Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support: Patch: Date

    Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch

    Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below

    Chart attack active list: Vote fo4r I'm with you! Vote fo4r Sk8er Boi!Vote fo4r Complicated!AVRIL LAVIGNE - THE CHART ATTACK!

    AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:> SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Chart attack active list .>.>
  • Attachments: one of the following:
    ADIALER.EXE
    ALAVIGNE.EXE
    AVRILLAVIGNE.EXE
    AVRILSMILES.EXE
    BIODATA.EXE
    CERT-VULN-INFO.EXE
    COGITO_ERGO_SUM.EXE
    COMPLICATED.EXE
    ENTRADODEPER.EXE
    IAMWITHYOU.EXE
    MSO-PATCH-0035.EXE
    MSO-PATCH-0071.EXE
    PHANTOM.EXE
    README.EXE
    RESUME.EXE
    SIAMODITE.EXE
    SINGLES.EXE
    SK8ERBOI.EXE
    SOPHOS.EXE
    TRANSCRIPTS.EXE
    TRICKERTAPE.EXE
    TWO-UP-SECRETLY.EXE

    The attached file may also be a file generated at random with a DOC or TXT extension.
  • Lirva.C looks for addresses in files with the extensions DBX, EML, HTM, HTML, IDX, MBX, NCH, SHTML, TBB, and WAB.
  • Lirva.C sends itself out to all the addresses it has gathered and to all the contacts in the Outlook Address Book.
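The subject lines and attachment names listed above are exactly the kind of static indicators a mail gateway or incident responder can match on. The following Python script is an added example written for this page, not part of the Panda Security description: it transcribes the subject and attachment lists from the text into sets, parses a raw RFC 822 message with the standard `email` library, and reports which Lirva.C lure indicators the message shares. The sample messages it builds are constructed here with placeholder attachment bytes; the sender and recipient addresses are invented.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names as listed in the Panda Security
# description of Lirva.C. The worm may also attach a randomly named
# DOC or TXT file, so a subject match counts as an indicator on its own.
LIRVA_SUBJECTS = frozenset({
    "Fw: Avril Lavigne - CHART ATTACK!",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"',
    "Fw: Redirection error notification",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Fwd: RFC-0245 Specification requested...",
    "Fwd: RFC-0841 Specification requested...",
    "Re: According to Purge's Statement",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: Brigada Ocho Free membership",
    "Re: Ha perduto qualque cosa signora?",
    "Re: IREX admits you to take in FSAU 2003",
    "Re: Junior Achievement",
    "Re: Reply on account for IFRAME-Security breach",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: Vote seniors masters - don't miss it!",
})
LIRVA_ATTACHMENTS = frozenset({
    "ADIALER.EXE", "ALAVIGNE.EXE", "AVRILLAVIGNE.EXE", "AVRILSMILES.EXE",
    "BIODATA.EXE", "CERT-VULN-INFO.EXE", "COGITO_ERGO_SUM.EXE",
    "COMPLICATED.EXE", "ENTRADODEPER.EXE", "IAMWITHYOU.EXE",
    "MSO-PATCH-0035.EXE", "MSO-PATCH-0071.EXE", "PHANTOM.EXE", "README.EXE",
    "RESUME.EXE", "SIAMODITE.EXE", "SINGLES.EXE", "SK8ERBOI.EXE",
    "SOPHOS.EXE", "TRANSCRIPTS.EXE", "TRICKERTAPE.EXE", "TWO-UP-SECRETLY.EXE",
})


def triage_message(raw: bytes) -> dict:
    """Return the indicators a raw RFC 822 message shares with Lirva.C lures."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    hits = []
    if subject in LIRVA_SUBJECTS:
        hits.append(f"subject is a known Lirva.C lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.upper() in LIRVA_ATTACHMENTS:
            hits.append(f"attachment name is on the Lirva.C list: {name}")
        elif name.upper().endswith(".EXE"):
            # Not a Lirva.C indicator by itself, but worth surfacing in triage.
            hits.append(f"executable attachment outside the known list: {name}")
    return {"subject": subject, "hits": hits, "suspicious": bool(hits)}


def build_sample(subject: str, attachment_name: str, payload: bytes) -> bytes:
    """Constructed test message; the attachment bytes are a placeholder, not the worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Admission form attached below")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed inputs: one message mimicking a lure, one ordinary business mail.
LURE = build_sample("Re: Junior Achievement", "RESUME.EXE", b"placeholder-not-malware")
BENIGN = build_sample("Quarterly figures", "figures.csv", b"q1,q2\n1,2\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage_message(raw))
```

The exact-match subject set is deliberately strict: the page gives the subjects verbatim, and a fuzzy match would produce noise on legitimate "Re:" threads. Because the worm can also ship as a randomly named DOC or TXT, a deployment would pair this with the host indicators (the Run key value and the files in the Windows directories) rather than rely on attachment names alone.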

2. Transmission through KaZaA.

Lirva.C follows the routine below:

  • Lirva.C creates a copy of itself under a random name in the shared directory in this application.
  • Other users of this program can access the shared directory. These users can then download these files to their computers, thinking that they are useful computer programs, movies, etc. However, these users will actually download a copy of the worm.
  • When the file is downloaded, those computers will also be affected by Lirva.C.

3. Transmission via ICQ.

Lirva.C follows the routine below:

  • It looks for the file ICQMAPI.DLL and copies it to the Windows system directory.
  • Then it sends itself to the list of contacts in ICQ.

4. Transmission across shared network drives.

Lirva.C follows the routine below:

  • It inserts a copy of itself under a random name in the Recycle Bin of the mapped network drive.
  • It modifies the file AUTOEXEC.BAT by adding the line @win <random_file_name>.exe.
    By doing this, the worm ensures it is run the next time the computer is started.
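Both persistence mechanisms the page describes, the Run value "Avril Lavigne - Muse" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and the `@win <random_file_name>.exe` line in AUTOEXEC.BAT, leave text artifacts that can be checked offline from a collected registry export and a copy of the batch file. The Python below is an added example, not code from Panda Security: it parses `.reg`-style export lines for the Run key and scans AUTOEXEC.BAT for the `@win` line. The value name comes from the page; the "11 alphanumeric characters plus .exe in the system directory" heuristic is this example's reading of the page's "random name with 11 characters" and is an assumption, as are the constructed sample files.

```python
import re
from typing import List

# Value name transcribed from the Panda description of Lirva.C.
LIRVA_RUN_VALUE = "Avril Lavigne - Muse"

# One value line of a .reg export: "name"="data" (backslashes doubled).
REG_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"="(?P<data>.*)"\s*$')

# Heuristic (assumption): a Run entry pointing at an 11-character random
# name in the Windows system directory, as the page describes the copy.
RANDOM11_RE = re.compile(r'\\system\\[A-Za-z0-9]{11}\.exe$', re.IGNORECASE)

# The page gives "@win <random_file_name>.exe"; the leading "@" is optional
# here so a hand-edited variant without it is still reported.
AUTOEXEC_WIN_RE = re.compile(r'^\s*@?win\s+(\S+\.exe)\s*$', re.IGNORECASE)


def unescape_reg(s: str) -> str:
    """Undo the escaping used in .reg exports for backslashes and quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def scan_run_key(reg_export: str) -> List[str]:
    """Report Run values matching the Lirva.C indicator or the heuristic."""
    findings = []
    for line in reg_export.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        name = unescape_reg(m.group("name"))
        data = unescape_reg(m.group("data"))
        if name == LIRVA_RUN_VALUE:
            findings.append(f"Run value {name!r} (Lirva.C indicator) -> {data}")
        elif RANDOM11_RE.search(data):
            findings.append(f"Run value {name!r} launches 11-char system-dir exe -> {data}")
    return findings


def scan_autoexec(text: str) -> List[str]:
    """Return the executables started via '@win <name>.exe' in AUTOEXEC.BAT."""
    hits = []
    for line in text.splitlines():
        m = AUTOEXEC_WIN_RE.match(line)
        if m:
            hits.append(m.group(1))
    return hits


# Constructed sample export: the second and third values are the ones to flag.
SAMPLE_RUN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Avril Lavigne - Muse"="C:\\Windows\\system\\qzkwmvtrbxa.exe"
"Updater"="C:\\Windows\\system\\abcdefghijk.exe"
"""

# Constructed sample AUTOEXEC.BAT with one appended @win line.
SAMPLE_AUTOEXEC = """@echo off
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
SET TEMP=C:\\WINDOWS\\TEMP
@win hsdkfjwe.exe
"""

if __name__ == "__main__":
    for f in scan_run_key(SAMPLE_RUN_EXPORT):
        print("registry:", f)
    for exe in scan_autoexec(SAMPLE_AUTOEXEC):
        print("autoexec:", exe)
```

A bare `win` line in AUTOEXEC.BAT was normal on Windows 3.x systems that started Windows from DOS, so the regex requires an `.exe` argument after it; without the argument it is not reported. The exact value-name match is the reliable indicator; the 11-character heuristic will also catch unrelated randomly named entries and should be reviewed by hand.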

Further Details

Lirva.C is written in the programming language MS Visual C++, version 6.0. The worm is 34,815 bytes in size when compressed with UPX, and 81,920 bytes once it is decompressed.