Language helps us to easily communicate with one another. By assigning names to people, places, and things, we are able to identify them to ourselves and others. Now imagine if common items were all assigned random names at the whim of whoever interacted with them. The name would then become meaningless inasmuch as it would provide no ready means of identification and little help to communication. That's exactly the current situation with viruses - each vendor assigns whatever name they see fit. This free-for-all poses no benefit to users, who are then left to fend for themselves in determining what the virus is and whether they are protected from it. Such is again the case with the Avril, Lirva, Naith virus - a single email worm with a half dozen names assigned to it. Both McAfee and Symantec have dubbed this threat W32/Lirva.a@MM. MessageLabs refers to it as W32/Naith.A-mm, Central Command as Worm/Avril.A, and Sophos as W32/Avril-A. F-Secure simply calls it Lirva. Believing simple is good, this article will also refer to the email worm as Lirva.
According to Gergely Erdelyi of F-Secure, Lirva is a password-stealing, mass-mailing email worm that uses several different methods to spread. In addition to email, Lirva spreads via mIRC, ICQ, KaZaA, and open shares on Windows networked drives. As with previous threats, such as the equally schizophrenically named Yaha variants, Lirva disables antivirus and security applications installed on the infected system. Because newly spreading viruses are not detectable by signature-based scanners without a special update, this leaves users vulnerable not only to the infection, but also to the inability to obtain the updates needed for detection and disinfection. It also leaves the system vulnerable to further threats, because the software designed to protect the system no longer functions properly. This situation is worsened by the fact that Lirva (like the Yaha variants, Klez.H and others) takes advantage of an old vulnerability in Microsoft products that allows the worm to infect automatically when the email carrying the virus is read or even just previewed. The vulnerability affects unpatched versions of Microsoft's Internet Explorer 5.01 or 5.5 (and in many cases, IE 6.x), which can allow attachments to be automatically executed simply by reading, or in some cases previewing, the email message. Outlook, Outlook Express, and any other mail client that relies upon Internet Explorer to render HTML email messages are vulnerable to this exploit. To ensure you are protected from this vulnerability and others, visit the Windows Update site and allow it to scan your system for necessary security patches.
Lirva harvests email addresses from files on the system ending with any of the following extensions: .DBX, .MBX, .WAB, .HTML, .EML, .HTM, .TBB, .SHTML, .NCH, and .IDX, and sends itself to those addresses with email subject lines, message bodies, and attachment names randomly selected from pre-defined lists in the worm's code.
The worm pays dubious homage to Canadian singer Avril Lavigne, causing the Internet Explorer browser to open to her website on the 7th, 11th, and 24th of each month. Lirva also displays a series of colorful ellipses on the desktop.
Detecting the Worm
Because Lirva copies itself as hidden system files with randomly generated names, identifying the files can be difficult. However, a registry key created by the worm provides an easy means to determine whether an infection has taken place. The key, HKEY_LOCAL_MACHINE\Software\HKLM\Software\OvG\Avril Lavigne, can be easily searched for by following the steps below.
Searching the Registry
Click Start
Click Run
Type REGEDIT and click OK
Click Edit | Find
Type Avril Lavigne
Click Find Next
Alternatively, you can manually browse the registry to see whether the key exists:
HKEY_LOCAL_MACHINE\Software\HKLM\Software\OvG\Avril Lavigne
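The manual search above can also be scripted. The following PowerShell check is an added example, not code from the original article; it assumes the registry key path exactly as the article gives it, and the function name is this example's own choice.

```powershell
# Added example (not from the original article): automates the registry check
# for the key the article reports Lirva creates. The path below is the one
# given above; the function name and parameter are this example's own.
function Test-LirvaInfection {
    param(
        # Registry key the article reports the worm creates, in the HKLM hive.
        [string]$KeyPath = 'HKLM:\Software\HKLM\Software\OvG\Avril Lavigne'
    )

    if (Test-Path -LiteralPath $KeyPath) {
        Write-Warning "Lirva indicator present: $KeyPath"
        # Show the key's values so the evidence can be recorded before cleanup.
        Get-ItemProperty -LiteralPath $KeyPath | Format-List | Out-Host
        return $true
    }

    Write-Host "No Lirva registry indicator found at $KeyPath"
    return $false
}

# Run the check on the local machine; returns $true when the key exists.
Test-LirvaInfection
```

Run it from an elevated PowerShell prompt, since the key lives under HKEY_LOCAL_MACHINE.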
Removing the Worm
Because antivirus software on the system is frequently disabled by this worm, the safest bet for proper detection and removal of Lirva is the use of an online scanner. Trend Micro's free online virus scanner Housecall is ideally suited for this purpose.