Active Scan. Scan your PC free
Download Cloud Antivirus Gratis

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelModerate threatDamageHighDistributionNot widespread
Common name:Lirva
Technical name:W32/Lirva
Threat level:Low
Alias:W32.Lirva.A@mm, WORM_LIRVA.A, W32/Lirva.a@MM, W32/Naith

It ends processes belonging to antivirus programs and firewalls, among others.

Affected platforms:

Windows XP/2000/NT/ME/98/95

First detected on:Jan. 7, 2003
Detection updated on:March 17, 2005
Proactive protection:
Yes, using TruPrevent Technologies

Brief Description 


Lirva is a worm that ends processes belonging to antivirus programs and firewalls, among others. This leaves the affected computer vulnerable to the attack of other malware.

This worm also searches for passwords in the affected computer. It sends the passwords stolen via e-mail.

Lirva spreads via e-mail, through the peer-to-peer (P2P) file sharing program KaZaA, via IRC and ICQ and across shared network drives.

When Lirva spreads via e-mail, it is automatically activated when the e-mail message is viewed through Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer, which allows e-mail attachments to be automatically run. This vulnerability exploit is known as Exploit/iFrame.

Visible Symptoms 


Lirva is easy to recognize once it has affected the computer, as on the 7th, 11th and 24th of each month it opens the Internet browser and connects to the web page

Then it displays series of superimposed colored ellipses on screen and in the left corner of the screen, the following message is displayed:

AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg