Welcome to the Virus Encyclopedia of Panda Security.
Alias: W32.Lirva.A@mm, WORM_LIRVA.A, W32/Lirva.a@MM, W32/Naith
First detected on: Jan. 7, 2003
Detection updated on: March 17, 2005
Yes, using TruPrevent Technologies
Lirva is a worm that ends processes belonging to antivirus programs and firewalls, among others. This leaves the affected computer vulnerable to attack by other malware.
This worm also searches for passwords on the affected computer and sends the stolen passwords out via e-mail.
Lirva spreads via e-mail, through the peer-to-peer (P2P) file sharing program KaZaA, via IRC and ICQ, and across shared network drives.
When Lirva spreads via e-mail, it is automatically activated when the e-mail message is viewed through Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer that allows e-mail attachments to be run automatically. This exploit is known as Exploit/iFrame.
Lirva is easy to recognize once it has affected the computer: on the 7th, 11th and 24th of each month it opens the Internet browser and connects to the web page http://www.avril-lavigne.com.
It then displays a series of superimposed colored ellipses on screen, and the following message is displayed in the left corner of the screen:
AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg