How to Detect and Remove Lirva.A Worm?
What is the Lirva.A worm?

Lirva.A is a mass-mailing worm that also spreads by IRC, ICQ, KaZaA, and open network shares. This worm attempts to terminate antivirus and firewall products. It also emails the cached Windows 95/98/Me dial-up networking passwords to the virus writer.

When Microsoft Outlook receives the worm, the worm takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email.

Also known as: W32/Avril-A, W32/Lirva.b@MM, WORM_LIRVA.A, Win32.Lirva.A, I-Worm.Avron.c, Lirva

How Does Lirva.A Infect My System?

When Lirva.A runs, it does the following:

  1. Terminates all the processes with the following names:
    • _Avp32.exe
    • _avpcc.exe
    • _avpm.exe
    • Ackwin32.exe
    • Anti-trojan.exe
    • Apvxdwin.exe
    • Autodown.exe
    • Avconsol.exe
    • ......
  2. Inventories all the windows and terminates any processes that have the following strings in the title bar of the window:
    • virus
    • anti
    • McAfee
    • Virus
    • Anti
    • AVP
    • Norton
  3. Copies itself as hidden system files to:
    • %Temporary%\<random string>
    • %Temporary%\<random string>.tft
    • %System%\<random string>.exe
    • %All Drives%\Recycled\<random string>.exe
    • %Kazaa Downloads%\<random string>.exe
  4. Adds the value:

    Avril Lavigne - Muse

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs when you start Windows.

    If the operating system is Windows NT/2000/XP, the worm will register itself as a service.
  5. Creates the registry key:

    HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne

    and various subkeys that the worm uses to keep track of its infection process.
  6. Creates a non-malicious text file %Temporary%\Avril-ii.inf and other temporary files in the Windows Temporary folder.
  7. Checks whether the computer is currently connected to a network. If it is not connected, the worm will attempt to dial out using the default dial-up connection profile.
  8. Searches the Windows Address Book and files with the extensions .dbx, .mbx, .wab, .html, .eml, .htm, .tbb, .shtml, .nch, and .idx for email addresses. The worm then sends the email messages.

    When Microsoft Outlook receives the worm, the worm takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email.

  9. As part of the email-sending routine, the worm creates the temporary file, %Temporary%\NewBoot.sys, which it (usually) deletes now.
  10. Searches for the file Icqmapi.dll, by determining the path of the ICQ program files. If the worm finds this file, the worm copies it to the \Windows\System folder and sends itself to all the contacts in the ICQ contact list.
  11. Creates a Script.ini file in the mIRC program files folder. This file will connect to the IRC channel #avrillavigne and send itself to others who join any channels that you join.
  12. Inventories all the network resources searching for open C shares. If the worm finds an open C share, it copies itself to \Recycled\<random string>.exe on the remote system and modifies the Autoexec.bat file of the remote system to load the worm on startup, by adding the following line:
    @win <random string>.exe
  13. Copies itself to \Recycled\<random string>.exe on each local hard drive and modifies the Autoexec.bat file (adding the aforementioned line), so that the worm runs when you start Windows (on Windows 95/98/Me computers only).
  14. Copies itself as a random file name to the KaZaA download folder.
  15. If the day of the month is the 7th, 11th, or 24th, the worm will launch your Web browser to www.avril-lavigne.com and display a graphic animation on the Windows desktop.
How to Remove the Lirva.A worm?

Kaspersky Internet Security can protect you from viruses and intrusion. If Kaspersky detects Lirva.A during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

For instructions on how to turn off System Restore, read your Windows documentation or the following article: How to Disable System Restore in Windows ME or Windows XP.

2. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

3. Scanning for and deleting the infected files

  1. Start Kaspersky Internet Security and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with Lirva.A, click Delete.

4. Deleting the value from the registry

  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit, and then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, delete the value:

    Avril Lavigne - Muse
  5. Exit the Registry Editor.
  6. Restart the computer and allow it to start in Normal mode.
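
To confirm that no startup artifacts remain after cleanup, the following added example (not part of the original article or of any vendor tool) checks a text export of the registry and the contents of Autoexec.bat for the indicators listed in infection steps 4, 5, 12 and 13. It assumes the export has been saved as plain text in regedit's .reg format; the function names, the sample data and the random file name are constructed for illustration.

```python
import re

# Indicators taken from the infection steps on this page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Avril Lavigne - Muse"
TRACKING_KEY = r"HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne"
AUTOEXEC_LINE = re.compile(r"^\s*@win\s+(\S+\.exe)\s*$", re.IGNORECASE)

def scan_reg_export(text):
    """Return (kind, detail) findings from a regedit text export (.reg)."""
    findings, current_key = [], ""
    run, track = RUN_KEY.lower(), TRACKING_KEY.lower()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            key = current_key.lower()  # registry key names are case-insensitive
            if key == track or key.startswith(track + "\\"):
                findings.append(("tracking-key", current_key))
        elif current_key.lower() == run and line.startswith('"'):
            name, _, data = line.partition('"=')
            if name.strip('"').lower() == RUN_VALUE.lower():
                # .reg files escape backslashes in string data; undo that.
                findings.append(("run-value", data.strip('"').replace("\\\\", "\\")))
    return findings

def scan_autoexec(text):
    """Return executables launched by '@win <name>.exe' lines in Autoexec.bat."""
    return [m.group(1) for m in map(AUTOEXEC_LINE.match, text.splitlines()) if m]

# Constructed sample artifacts (the random file name is made up).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\qzxkpw.exe"

[HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne]
'''
SAMPLE_AUTOEXEC = "@echo off\nSET PATH=C:\\WINDOWS\n@win qzxkpw.exe\n"

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print("registry:", finding)
    for exe in scan_autoexec(SAMPLE_AUTOEXEC):
        print("autoexec.bat launches:", exe)
```

A "run-value" finding also gives the path of the worm copy that the Run entry points to, and any "@win" line reported from Autoexec.bat should be reviewed and removed by hand, since the registry steps above do not touch that file.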
How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

  1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus, do not open it and do not run the attached file. Delete the message, making sure that you also delete it from the Deleted Items folder.
  2. Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
  3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  4. Keep your permanent antivirus protection enabled at all times.
Copyright ©2003-2009 SecureMost.com. All other trademarks are the sole property of their respective owners.