W32/Lirva.C@mm
| W32/Lirva.C@mm |
Destructivity:  Spreading:  Overall risk:
|
| • Detected by virus detection files published: 1/9/2003 | • Type: Worm |
| • Virus characteristics first published: 1/9/2003 | • Spreading mechanism: Email, Network, IRC, Other |
| • Virus characteristics latest update: 12/17/2003 | • Overall risk: Medium |
| • Alias: I-Worm/Naith.C, I-Worm.Avron.b, | • Payload: Attempts to disable antivirus and firewall software, and download a backdoor pro |
| • Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
| Virus type |
Spreading mechanism |
Destructivity and payload |
Additional descriptions |
Detection and removal |
||||||||||
|
This worm is similar to the W32/Lirva.A worm. In contrast to its predecessor, it attempts to download a BackOrifice backdoor server from a web site in Kazakhstan. The download sites have however been closed. The worm is 34815 bytes long. When run, it copies itself to the Windows System directory, under a random name. It will also make copies of itself in the root directory and in the TEMP directory. A key will be inserted in the Registry so that the worm is started from bootup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Avril Lavigne - Muse" = filename. It will not be visible in the task list under Win9x/ME. The worm searches local files as well as the Windows Address Book for email addresses to send itself to. In addition it attempts to copy itself over shared network drives, and to send itself over IRC and ICQ. It will also copy itself into the shared files directory if the file sharing software Kazaa is installed. |
||||||||||||||