
Lirva Worm Might Spoof Microsoft Security Bulletin

New variants of a worm, Lirva, are spreading across the Internet, infecting users of Microsoft Outlook. The worm is dangerous because it can shut down antivirus and firewall software and overwrite Microsoft Word, Excel, and PowerPoint files, leaving the file sizes at 0KB, which renders the files unrecoverable without a backup.

Lirva spreads through the KaZaA file-sharing network, through Internet Relay Chat (IRC) and ICQ, and through email. When spreading through email, Lirva sends a copy of itself to everyone listed in a user's address book by using its own built-in SMTP server, which helps the worm's activity go undetected. Lirva also collects address information from various other files on the user's system, such as .htm, .wab, .dbx, and other file formats.
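A worm that carries its own SMTP server bypasses the organization's mail relay, so one way to spot it is to look for workstations that open port 25 connections to many outside mail servers. The following detection sketch is an added example, not part of the original article; the log format, IP addresses, relay address, and threshold are constructed assumptions.

```python
from collections import defaultdict

# Assumption: the only hosts allowed to deliver mail directly.
APPROVED_RELAYS = {"10.0.0.25"}
SMTP_PORT = 25
# Assumption: distinct mail servers a client may contact before it is flagged.
MAX_DISTINCT_DESTINATIONS = 2

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2003-01-09T10:00:01 10.0.1.15 10.0.0.25 25 ALLOW
2003-01-09T10:00:02 10.0.1.15 192.0.2.80 80 ALLOW
2003-01-09T10:00:05 10.0.1.77 198.51.100.10 25 ALLOW
2003-01-09T10:00:06 10.0.1.77 198.51.100.22 25 ALLOW
2003-01-09T10:00:07 10.0.1.77 203.0.113.5 25 DENY
2003-01-09T10:00:09 10.0.0.25 203.0.113.9 25 ALLOW
malformed line
2003-01-09T10:00:11 10.0.1.40 203.0.113.9 25 ALLOW
"""

def direct_smtp_by_host(log_text):
    """Map each non-relay source to the SMTP servers it contacted directly."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip lines that do not match the expected format
        _, src, dst, port, _ = fields  # blocked attempts (DENY) count too
        if int(port) != SMTP_PORT:
            continue
        if src in APPROVED_RELAYS or dst in APPROVED_RELAYS:
            continue  # mail sent by, or handed to, the approved relay is expected
        seen[src].add(dst)
    return dict(seen)

def suspected_mass_mailers(log_text, limit=MAX_DISTINCT_DESTINATIONS):
    """Return sources that contacted more than `limit` distinct SMTP servers."""
    hits = direct_smtp_by_host(log_text)
    return sorted(src for src, dsts in hits.items() if len(dsts) > limit)

if __name__ == "__main__":
    for host, servers in direct_smtp_by_host(SAMPLE_LOG).items():
        print(host, "->", sorted(servers))
    print("suspected mass-mailers:", suspected_mass_mailers(SAMPLE_LOG))
```

Blocking outbound port 25 from everything except the approved relay turns this from a detection into a prevention control, and the denied attempts then identify the infected host.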

Lirva also collects passwords from users' systems and emails them to an address presumed to be located in Russia. On the 7th, 11th, and 24th day of each month, Lirva automatically opens a Web browser to the Web site of a pop singer, http://www.avril-lavigne.com.

The worm can arrive with various subjects, message body content, and file attachments, including one that spoofs a message from Network Associates regarding a security problem with Microsoft IIS. Users need to be aware that Microsoft never distributes its security patches through email to end users, and to my knowledge, Network Associates doesn't redistribute Microsoft patches either.
