Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Lirva

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Lirva carries out the following actions:

  • If they are running, it terminates a number of processes belonging to antivirus, firewall and other security programs. The processes it terminates are:

    _AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPMON.EXE, VPNT.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFIND.EXE, CLAW95.EXE, CLAW95CT.EXE, CLEANER.EXE, CLEANER3.EXE, DV95.EXE, DV95_O.EXE, DVP95.EXE, ECENGINE.EXE, EFINET32.EXE, ESAFE.EXE, ESPWATCH.EXE, F-AGNT95.EXE, FINDVIRU.EXE, FPROT.EXE, F-PROT.EXE, F-PROT95.EXE, FP-WIN.EXE, FRW.EXE, F-STOPW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMOON.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, IFACE.EXE, IOMON98.EXE, JED.EXE, KPF.EXE, KPFW32.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LUALL.EXE, MOOLIVE.EXE, MPFTRAY.EXE, N32SCAN.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVSCHED.EXE, NAVW.EXE, NAVW32.EXE, NAVWNT.EXE, NISUM.EXE, NMAIN.EXE, NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, OUTPOST.EXE, PADMIN.EXE, PAVCL.EXE, PCCWIN98.EXE, PCFWALLICON.EXE, PERSFW.EXE, RAV7.EXE, RAV7WIN.EXE, RESCUE.EXE, SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SERV95.EXE, SMC.EXE, SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE, VET95.EXE, VETTRAY.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSCAN40.EXE, VSSTAT.EXE, WEBSCAN.EXE, WEBSCANX.EXE, WFINDV32.EXE and ZONEALARM.EXE.

    This leaves the affected computer without protection against other malware.
  • It also terminates any process whose name contains one of the following text strings (both capitalisations are listed because the match is case-sensitive):

    Anti, anti, AVP, McAfee, Norton, virus and Virus.
  • It searches the affected computer for passwords and sends the ones it finds by e-mail.
  • On the 7th, 11th and 24th of each month it opens the web browser, connects to a web page, draws a series of superimposed coloured ellipses on the screen and displays the following message in the upper left corner:

    AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg

Infection strategy 

Lirva creates the following files, which are copies of the worm:

  • MSO-PATCH-0035.EXE in the root directory of the hard drive.
  • COGITO_ERGO_SUM.EXE and CERT-VULN-INFO.EXE in the Windows temporary directory.
  • A file with a random name and a TFT extension in the Windows temporary directory.
  • A file with a random name in the Windows system directory.

Lirva also creates the following files:

  • LISTRECP.DLL in the Windows directory. This file is a DLL (Dynamic Link Library).
  • AVRIL-II.INF in the Windows temporary directory.

If an IRC client is installed on the affected computer, Lirva modifies its SCRIPT.INI file so that it can also spread through IRC.

Lirva creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Avril Lavigne - Muse = %sysdir%\%file%.exe

    where %sysdir% is the Windows system directory and %file% is the random name of the copy of the worm created in that directory.
    By creating this entry, Lirva ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne
    Done

    Lirva uses this entry as an infection marker, to check whether the computer has already been affected.

Means of transmission 

Lirva spreads via e-mail, through the peer-to-peer (P2P) file sharing program KaZaA, via IRC and ICQ and across shared network drives.

1.- Transmission via e-mail.

  • Lirva spreads in an e-mail message with variable characteristics:

    Subject: one of the following:
    Fw: Avril Lavigne - the best
    Fw: Prohibited customers...
    Fwd: Re: Admission procedure
    Fwd: Re: Reply on account for Incorrect MIME-header
    Re: According to Daos Summit
    Re: ACTR/ACCELS Transcriptions
    Re: Brigade Ocho Free membership
    Re: Reply on account for IFRAME-Security breach
    Re: Reply on account for IIS-Security
    Re: The real estate plunger


    Message: one of the following:
    To prevent from the further buffer overflow attacks apply the MSO-patch Attachment you sent to <e-mail address of the sender> is intended to overwrite start address at 0000:HH4F Restricted area response team (RART)
    Patch is also provided to subscribed list of Microsoft® Tech Support: to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so and do not need to take additional action. Customers who have applied that patch are already protected against the vulnerability that is eliminated by a previously-released patch. Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0

    Admission form attached below
    Vote for I'm with you!
    FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
    Avril fans subscription

    Attachments: one of the following:
    AVRILLAVIGNE.EXE
    AVRILSMILES.EXE
    CERT-VULN-INFO.EXE
    COGITO_ERGO_SUM.EXE
    COMPLICATED.EXE
    DOWNLOAD.EXE
    IAMWITHYOU.EXE
    MSO-PATCH-0035.EXE
    MSO-PATCH-0071.EXE
    README.EXE
    RESUME.EXE
    SINGLES.EXE
    SK8ERBOI.EXE
    SOPHOS.EXE
    TRANSCRIPTS.EXE
    TWO-UP-SECRETLY.EXE
  • The computer is affected when the attached file is run, or merely when the message is viewed in Outlook's Preview Pane. The latter works by exploiting a vulnerability in Internet Explorer's MIME handling that lets an e-mail attachment run automatically when the message is rendered (the Incorrect MIME Header vulnerability, Microsoft Security Bulletin MS01-020); Panda detects this exploit as Exploit/iFrame. On a computer with that patch applied, the worm only runs if the user opens the attachment.
  • Lirva searches for e-mail addresses in files that have the following extensions: MBX, WAB, HTML, EML, HTM, TBB, SHTML, NCH and IDX.
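The e-mail lure above can be screened at the mail gateway. The following is an added example, not Panda Security's code: it parses one raw message with Python's standard `email` module, matches the subjects and attachment names listed above, and flags the Exploit/iFrame pattern (an executable attachment declared under a non-executable Content-Type and pulled into an HTML body through an `<iframe src="cid:...">`). The two sample messages are constructed for this example; the `cid:patch001` identifier and the base64 stub are invented.

```python
import email
import re
from email import policy

# Subjects and attachment names taken from the description above.
LIRVA_SUBJECTS = {
    "Fw: Avril Lavigne - the best",
    "Fw: Prohibited customers...",
    "Fwd: Re: Admission procedure",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: According to Daos Summit",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: Brigade Ocho Free membership",
    "Re: Reply on account for IFRAME-Security breach",
    "Re: Reply on account for IIS-Security",
    "Re: The real estate plunger",
}
LIRVA_ATTACHMENTS = {
    "AVRILLAVIGNE.EXE", "AVRILSMILES.EXE", "CERT-VULN-INFO.EXE", "COGITO_ERGO_SUM.EXE",
    "COMPLICATED.EXE", "DOWNLOAD.EXE", "IAMWITHYOU.EXE", "MSO-PATCH-0035.EXE",
    "MSO-PATCH-0071.EXE", "README.EXE", "RESUME.EXE", "SINGLES.EXE", "SK8ERBOI.EXE",
    "SOPHOS.EXE", "TRANSCRIPTS.EXE", "TWO-UP-SECRETLY.EXE",
}
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat)$", re.I)
CID_IFRAME = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)


def check_message(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 822 message (empty list = nothing seen)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["subject"] or "").strip()
    if subject in LIRVA_SUBJECTS:
        findings.append(f"known Lirva subject: {subject!r}")

    parts = list(msg.walk())
    by_cid = {}  # Content-ID -> part, so an <iframe src="cid:..."> can be resolved
    for part in parts:
        cid = part.get("Content-ID")
        if cid:
            by_cid[str(cid).strip().strip("<>")] = part
        name = part.get_filename()
        if not name:
            continue
        if name.upper() in LIRVA_ATTACHMENTS:
            findings.append(f"known Lirva attachment name: {name}")
        # Executable file name under a harmless-looking Content-Type is the MS01-020 trick.
        if EXEC_EXT.search(name) and not part.get_content_type().startswith("application/"):
            findings.append(f"MIME-type mismatch: {name} declared as {part.get_content_type()}")

    # The auto-run part: an HTML body whose <iframe> loads an executable attachment by Content-ID.
    for part in parts:
        if part.get_content_type() != "text/html":
            continue
        for cid in CID_IFRAME.findall(part.get_content()):
            target = by_cid.get(cid)
            if target is not None and EXEC_EXT.search(target.get_filename() or ""):
                findings.append(f"IFRAME auto-loads executable attachment cid:{cid}")
    return findings


# Constructed sample messages (not real captures).
SAMPLE_LIRVA = b"""From: sender@example.com
To: victim@example.com
Subject: Re: Reply on account for IFRAME-Security breach
MIME-Version: 1.0
Content-Type: multipart/related; boundary="bnd"

--bnd
Content-Type: text/html; charset="us-ascii"

<html><body>Patch is also provided to subscribed list of Microsoft Tech Support.
<iframe src="cid:patch001" width=0 height=0></iframe></body></html>
--bnd
Content-Type: audio/x-wav; name="MSO-PATCH-0035.EXE"
Content-Transfer-Encoding: base64
Content-ID: <patch001>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bnd--
"""
SAMPLE_CLEAN = b"""From: alice@example.com
To: bob@example.com
Subject: lunch?

See you at noon.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_LIRVA):
        print(finding)
```

The MIME-mismatch and IFRAME checks are the durable part: they do not depend on the subject or file-name lists, which change with every variant, and they catch any message that tries the same auto-run trick.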

 

2.- Transmission through KaZaA.

Lirva follows the routine below:

  • It creates a copy of itself under a random name in the KaZaA shared directory.
  • Other users of the program can browse that shared directory and download the file, believing it to be an interesting program, when it is in fact a copy of the worm.
  • When the downloaded file is run, their computers are affected by Lirva.

 

3.- Transmission via IRC and ICQ.

Lirva follows the routine below:

  • It looks for the file ICQMAPI.DLL and copies it to the Windows system directory.
  • Then it sends itself to all the contacts in ICQ.
  • In addition, when the user connects to an IRC channel, Lirva sends out a copy of itself to all the users connected to that channel at the moment.

 

4.- Transmission across shared network drives.

Lirva follows the routine below in order to spread across a network:

  • If the affected computer belongs to a network, Lirva creates a copy of itself under a random name in the Recycle Bin in all the mapped network drives.
  • Then, it modifies the AUTOEXEC.BAT file, adding the following line:
    @win %file%.exe
    where %file% is the random name of the file it has created before.
  • By doing this, the worm ensures that it is run the next time the remote computer is started.
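The host artifacts listed under "Infection strategy" (dropped files, the Run value, the OvG infection marker) and the AUTOEXEC.BAT line above can be checked together during triage. The following is an added example, not Panda Security's code. It works on snapshots rather than a live system, so it runs anywhere: a registry dump as nested dicts, a file listing, and the text of a mapped drive's AUTOEXEC.BAT. The Run value reveals the random name of the copy in the system directory, which is then used to find that file. The random file names in the samples (QX7K2P.EXE, B3F9A1.TFT, H2M7Q4.exe) are constructed, and treating any `\TEMP\` path as the Windows temporary directory is an assumption of this example.

```python
import ntpath
import re

# Registry locations and file names from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Avril Lavigne - Muse"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne"
DROPPED_NAMES = {
    "MSO-PATCH-0035.EXE", "COGITO_ERGO_SUM.EXE", "CERT-VULN-INFO.EXE",
    "LISTRECP.DLL", "AVRIL-II.INF",
}
# "win <program>" starts the Windows GUI and launches <program>; a normal AUTOEXEC.BAT does not need it.
AUTOEXEC_LAUNCH = re.compile(r"^\s*@?win\s+(\S+\.exe)\s*$", re.I | re.M)


def triage(registry, files, autoexec=""):
    """registry: {key: {value_name: data}}, files: iterable of full paths, autoexec: file text.
    Returns a list of findings; an empty list means none of the artifacts were seen."""
    findings = []

    if "Done" in registry.get(MARKER_KEY, {}):
        findings.append(f"infection marker present: {MARKER_KEY}\\Done")

    # The Run value points at the randomly named copy in the system directory.
    random_copy = None
    run_data = registry.get(RUN_KEY, {}).get(RUN_VALUE)
    if run_data:
        random_copy = ntpath.basename(run_data).upper()
        findings.append(f"persistence: {RUN_KEY}\\{RUN_VALUE} = {run_data}")

    for path in files:
        name = ntpath.basename(path).upper()
        in_temp = "\\TEMP\\" in path.upper()  # assumption: the Windows temp directory
        if name in DROPPED_NAMES or name == random_copy or (in_temp and name.endswith(".TFT")):
            findings.append(f"dropped file: {path}")

    for m in AUTOEXEC_LAUNCH.finditer(autoexec):
        findings.append(f"AUTOEXEC.BAT launches {m.group(1)} at next boot")
    return findings


# Constructed snapshots of an affected machine (random names invented for the example).
SAMPLE_REGISTRY = {
    RUN_KEY: {RUN_VALUE: r"C:\WINDOWS\SYSTEM\QX7K2P.EXE", "SystemTray": "SysTray.Exe"},
    MARKER_KEY: {"Done": ""},
}
SAMPLE_FILES = [
    r"C:\MSO-PATCH-0035.EXE",
    r"C:\WINDOWS\TEMP\COGITO_ERGO_SUM.EXE",
    r"C:\WINDOWS\TEMP\AVRIL-II.INF",
    r"C:\WINDOWS\TEMP\B3F9A1.TFT",
    r"C:\WINDOWS\SYSTEM\QX7K2P.EXE",
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
    r"C:\DATA\REPORT.TFT",
]
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nPATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n@win H2M7Q4.exe\r\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_AUTOEXEC):
        print(finding)
```

When checking mapped drives, feed each remote drive's root AUTOEXEC.BAT and its Recycle Bin listing to the same function; the `@win` line is the reliable signal there, since the copy in the Recycle Bin carries a random name.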

Further Details  

Lirva is written in the programming language Visual C++ v6.0. This worm is 32,766 bytes in size when it is compressed with UPX and 77,824 bytes once it is decompressed.