You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Lirva

Threat LevelModerate threatDamageHighDistributionNot widespread
Common name:Lirva
Technical name:W32/Lirva
Threat level:Low
Alias:W32.Lirva.A@mm, WORM_LIRVA.A, W32/Lirva.a@MM, W32/Naith
Type:Worm
Effects:  

It ends processes belonging to antivirus programs and firewalls, among others.

Affected platforms:

Windows XP/2000/NT/ME/98/95

First detected on:Jan. 7, 2003
Detection updated on:March 17, 2005
StatisticsNo
Yes, using TruPrevent Technologies

Brief Description 

    

Lirva is a worm that ends processes belonging to antivirus programs and firewalls, among others. This leaves the affected computer vulnerable to the attack of other malware.

This worm also searches for passwords in the affected computer. It sends the passwords stolen via e-mail.

Lirva spreads via e-mail, through the peer-to-peer (P2P) file sharing program KaZaA, via IRC and ICQ and across shared network drives.

When Lirva spreads via e-mail, it is automatically activated when the e-mail message is viewed through Outlook's Preview Pane. It does this by exploiting a vulnerability in Internet Explorer, which allows e-mail attachments to be automatically run. This vulnerability exploit is known as Exploit/iFrame.

Visible Symptoms 

    

Lirva is easy to recognize once it has affected the computer, as on the 7th, 11th and 24th of each month it opens the Internet browser and connects to the web page http://www.avril-lavigne.com.

Then it displays series of superimposed colored ellipses on screen and in the left corner of the screen, the following message is displayed:

AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg