Panda Software’s Virus Laboratory has detected the appearance of a new worm Lirva (W32/Lirva). This new malicious code has the capacity to spread using various means of transmission, including e-mail, the file swapping tool KaZaA and the IRC and ICQ chat programs. When Lirva is sent via e-mail, it exploits a known vulnerability in Microsoft Internet Explorer to run automatically when the message carrying the malicious code is viewed in the Preview Pane.
The characteristics of the e-mail carrying Lirva are variable, as the subject, the message and the name of the attached file are selected from a list of possibilities.
If the user opens the file attached to the e-mail or if Lirva automatically runs itself by exploiting the Internet Explorer vulnerability, it will create several files in the affected computer including copies of the worm. Lirva also creates files and stores them under a random name in the shared files directory in KaZaA. If the IRC program is installed on the affected computer, Lirva modifies the ‘script.ini’ file.
This worm is also programmed to block antivirus programs and firewalls in order to render the victim’s computer defenseless.
Finally, it ensures that it is run every time the computer starts up by modifying an entry in the Windows Registry.
Panda Software’s Tech Support service has already registered several incidents caused by this worm and therefore clients are advised to treat e-mails and files received with caution and to update their antivirus solutions from http://www.pandasoftware.com to avoid possible incidents involving Lirva.
From this address, users can also access the company’s free, online scanner Panda ActiveScan to disinfect computers that may have been hit by this malicious code.
More detailed information about Lirva is available in Panda Software’s Virus Encyclopedia.