Virus alert about the W32.Lirva.A@mm worm (812811)


The information in this article applies to:

  • Microsoft Outlook 2002
  • Microsoft Outlook 2000
  • Microsoft Outlook Express Version 6 for Windows 2000
  • Microsoft Outlook Express 6.0, when used with:
    • the operating system: Microsoft Windows Millennium Edition
  • Microsoft Outlook Express Version 6 for Windows 98
  • Microsoft Outlook Express Version 6 for Windows 98 Second Edition
  • Microsoft Outlook Express Version 6 for Windows NT 4.0

SUMMARY

W32.Lirva.A@mm is a new e-mail worm. The Microsoft Product Support Services Security team is issuing this alert to advise customers to be aware of this virus as it spreads in the wild. If you use best practices, such as filtering certain file types and applying security patches, you can prevent infection from this mass-mailer worm.

MORE INFORMATION

Impact of Attack

Mass-mailing, Termination of Antivirus Programs and Firewalls, and Compromise of Cached Passwords

Technical Details

W32.Lirva.A@mm is a new mass-mailer worm that also propagates through shares and peer-to-peer file-sharing applications. The W32.Lirva.A@mm worm arrives in an e-mail message with the following characteristics:

Note The contents vary; the following message is only one example.

Subject: Re: Reply on account for IFRAME-Security breach

Body:

Patch is also provided to subscribed list of Microsoft Tech Support: to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so and do not need to take additional action. Customers who have applied that patch are already protected against the vulnerability that is eliminated by a previously-released patch. Microsoft has identified security vulnerability in Microsoft IIS 4.0 and 5.0. To prevent from the further buffer overflow attacks apply the MSO-patch.

Attachment (including, but not limited to): Resume.exe, AvrilLavigne.exe, AvrilSmiles.exe, CERT-Vuln-Info.exe, IAmWiThYoU.exe, MSO-Patch-0035.exe, MSO-Patch-0071.exe, Readme.exe, Singles.exe, Sophos.exe

The worm tries to exploit a previously patched vulnerability that exists in some versions of Microsoft Outlook, Microsoft Outlook Express, and Microsoft Internet Explorer. This vulnerability can be used to allow an executable attachment to run automatically, even if you do not double-click the attachment. For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

Upon execution, the worm tries to disable some antivirus and firewall applications that may be running on the computer. The worm also does one or more of the following:
  • Adds entries to the registry.
  • Copies itself to the system folder.
  • Sends itself to address book entries.
  • Collects cached passwords, and then sends them to the attacker
For more detailed information about the W32.Lirva.A@mm worm, contact your antivirus vendor.

Prevention

  1. Block potentially damaging attachment types at your Internet mail gateways.
  2. Because this virus uses a previously announced vulnerability as part of its infection method, make sure that your computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020. For more information about this bulletin, visit the following Microsoft Web site:

    http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

    To obtain the most recent cumulative security patch for Microsoft Internet Explorer, which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020, visit the following Microsoft Web site:

    http://www.microsoft.com/technet/security/bulletin/MS02-023.mspx

  3. If you are using Microsoft Outlook 2000 Service Release 1 (SR-1) or earlier, install the Outlook E-mail Security Update patch to prevent this virus (and the majority of other viruses that are borne by e-mail messages) from running.

    Outlook 2000 Service Pack 2 (SP2) and Outlook 2002 automatically contain the functionality in the Outlook E-mail Security Update patch.

    To install the Outlook E-mail Security Update patch for Outlook 2000 SR-1 or earlier, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN

  4. Configure Microsoft Outlook Express 6 to block access to potentially damaging attachments. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    291387 OLEXP: Using virus protection features in Outlook Express 6

    Earlier versions of Outlook Express do not contain attachment-blocking functionality. Use caution when you open unsolicited e-mail messages with attachments.
  5. Use a program-level firewall to protect yourself from being infected with this virus through Web-based e-mail programs.

Recovery

If your computer has been infected with this virus, contact Microsoft Product Support Services or your preferred antivirus vendor for help with removing the virus. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Related Security Information

For additional information about viruses, visit the following third-party Web sites:

http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html

http://vil.nai.com/vil/content/v_99949.htm

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional security-related information about Microsoft products, visit the following Microsoft Web site:

http://www.microsoft.com/security/default.asp

Modification Type:MajorLast Reviewed:10/11/2006
Keywords:kbvirus KB812811
©2004 Microsoft Corporation. All rights reserved.