Grammy nominee Avril Lavigne is the bait deployed by virus writers trying once again to wreak havoc on Internet users. A new malicious program called “Lirva” — the singer’s name spelled backwards — promises information on the 18-year-old star. The virus picked up steam on Thursday, and some antivirus firms raised their risk rating on the program. Meanwhile, an updated version of one of the Internet’s most successful e-mail pests, ExploreZip, has made a reappearance.
LIRVA BEGAN MAKING the rounds quietly on Tuesday, but started making noise about 24 hours later, according to e-mail filtering firm MessageLabs Inc. By midday Thursday, the company had trapped nearly 15,000 copies of the bug, which had reached 91 countries around the globe.
“We’ve seen a steady increase,” said Mark Sunner, chief technology officer at MessageLabs. Sunner also says that about one-third of the viruses were intercepted in Brazil, France, and Italy. That’s unusual — viruses usually spread most quickly in the United States and the United Kingdom, Sunner said.
“We never really see activity in those areas,” he said.
Also on Thursday, a second version of the virus, called “Lirva.B,” was discovered, according to F-Secure.com. That version had added features, including a “back door” that would allow the virus author to remotely control a victim’s computer.
Sharon Ruckman, senior director of Symantec Corp.’s Security Response Team, said Lirva was the second-most reported virus.
“Yes, it is out there. We saw more activity this morning in Europe,” she said. Still, the worm rates only a 2 on Symantec’s 1-to-5 scale, with 5 being the most severe.
“We are not anticipating it will move up to a 3, based on the submission rate,” she said.
McAfee Security did raise its risk rating on the worm from low to medium on Wednesday “due to an increase in prevalence over the past 24 hours,” according to the company.
The worm can spread via e-mail, Internet Relay Chat, ICQ instant messaging, or the KaZaa file-swapping service. Among typical messages in the e-mail version:
“FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony. Vote for I’m with you!”
Spotting the worm by subject line can be tricky, because it randomly chooses a subject line for e-mail from the following list:
‘Fw: Prohibited customers...’
‘Re: Brigade Ocho Free membership’
‘Re: According to Daos Summit’
‘Fw: Avril Lavigne - the best’
‘Re: Reply on account for IIS-Security’
‘Re: ACTR/ACCELS Transcriptions’
‘Re: The real estate plunger’
‘Fwd: Re: Admission procedure’
‘Re: Reply on account for IFRAME-Security breach’
‘Fwd: Re: Reply on account for Incorrect MIME-header’
The infected attachment also has randomly chosen file names.
If the worm successfully infects a user, it will e-mail copies of itself to everyone in the victim’s Contacts list, similar to the Melissa virus. It will also shut down antivirus and firewall programs, and launch a Web browser to open the Avril Lavigne Web site, according to McAfee.
The worm is also known as “Naith,” “Avril,” and “Avron.”
Meanwhile, a slightly altered version of the 1999 nemesis ExploreZip has been discovered, according to Ruckman. The worm has been compressed to evade detection by antivirus programs. But it poses little risk, because the malicious program must be “unpacked” — which reverses the compression process — before it runs, and antivirus programs will detect it at that point, Ruckman said. She said Symantec had received only four submissions of the virus.
But Ken Dunham, senior intelligence analyst at iDefense Inc., said two large corporations were hit by the ExploreZip worm, one in the United Kingdom and another in the United States.
“It has the potential to become a serious problem for multiple organizations and home users today,” he said.
ExploreZip was particularly destructive back in 1999, when it infected thousands of machines, deleting a host of Microsoft Word documents, spreadsheets, and PowerPoint presentations along the way.
ExploreZip arrives as an e-mail with the message:
I received your email and shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye
The infected attachment is named zipped_files.exe, according to iDefense.
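Because Lirva rotates through the subject lines listed above, and the repacked ExploreZip can be recognised by its fixed body text and attachment name, a mail gateway can screen for both with a single check. The following is an added example (not code from the article or from any of the vendors quoted) that parses a message with Python's standard email library and labels it; the sample messages it builds are constructed test data, and the generic executable-extension heuristic is an assumption of this example, not something the article describes.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines the article lists for Lirva (the worm picks one at random),
# compared case-insensitively after collapsing whitespace.
LIRVA_SUBJECTS = {s.lower() for s in (
    "Fw: Prohibited customers...",
    "Re: Brigade Ocho Free membership",
    "Re: According to Daos Summit",
    "Fw: Avril Lavigne - the best",
    "Re: Reply on account for IIS-Security",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: The real estate plunger",
    "Fwd: Re: Admission procedure",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
)}
# Attachment name and body phrase the article gives for the repacked ExploreZip.
EXPLOREZIP_ATTACHMENT = "zipped_files.exe"
EXPLOREZIP_BODY = "take a look at the attached zipped docs"
# Generic fallback (assumption of this example): flag executable attachments.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def classify(raw: bytes) -> str:
    """Label one RFC 822 message: lirva, explorezip, suspicious-exe or clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if subject in LIRVA_SUBJECTS:
        return "lirva"
    if EXPLOREZIP_ATTACHMENT in names or EXPLOREZIP_BODY in text:
        return "explorezip"
    if any(n.endswith(EXECUTABLE_EXTS) for n in names):
        return "suspicious-exe"
    return "clean"


def build(subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a sample message for testing (constructed data, not a capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:  # payload bytes are a placeholder; only the name is inspected
        msg.add_attachment(b"\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()
```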