F-Secure Warns of Four New Internet Worms

article top

SAN JOSE, Calif., Jan. 10 (UPI) — F-Secure Corp. is alerting computer users of four new Internet worms that are crawling across the globe.

The new Windows worms were found on Wednesday and Thursday, and they are known as Lirva.A, ExploreZip.E, Lirva.B and Sobig.


“Several new viruses are found every day, there’s nothing special with that,” said Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. “But it is not normal to find four new viruses which are all successfully spreading in the wild within two days.”

F-Secure said it has released a Level-2 Radar alert on all these viruses, indicating that system administrators and end users should make sure their systems are protected.

Level-2 is the second-highest severity under F-Secure Radar alerting system. F-Secure issued 27 Level 2 alerts during all of year 2002 and two Level 1 alerts.

“Apart from the two Lirva variants, these viruses are not related to each other; this does not seem to be a coordinated attack,” said Hypponen. “It seems we just got a really bad start for this year.”

F-Secure said Lirva, or Arvil, is a mass-mailing worm that uses several methods to spread. Besides e-mail, the worm uses ICQ and IRC chat networks and Kazaa file sharing network to spread. It also propagates through shared folders and Windows network drives. Lirva has functionality to disable several antivirus and security applications if it notices their presence. If the worm is active in the system, it tries to steal passwords and send them to an external e-mail address.

E-mail messages sent by Lirva vary, but they often make references to Avril Lavigne, a Canadian rocker who was nominated for five Grammy awards this week. The virus was apparently written by a Kazakhstan-based fan of the artist. When Lirva worm activates, it tries to open the official Web site of Avril Lavigne and starts a graphical screen effect consisting of colored, moving circles.

F-Secure said functionally Lirva.B is very close to the original Lirva virus. It has been modified to evade detection of some anti-virus software. Another difference is that Lirva.B fakes the sender address of infected e-mail messages, replacing the address of the infected user with the e-mail address of a random innocent bystander. The real e-mail address of the infected user can often be found from the e-mail’s “Return-Path” header.

ExploreZip is an Internet worm that was first found in June 1999. The original version ExploreZip.A spread all over the globe within days of initial discovery, becoming first of the really widespread Internet worms. After this, several modified versions of this worm have been found.

On the Wednesday, 3 1/2 years after its progenitor was first seen, ExploreZip.E was found. This version was modified so that it was undetectable to most anti-virus programs, though the worm functionality had stayed the same. All of the ExploreZip variants spread as an e-mail attachment and activate by destroying Microsoft Office documents and source code files from infected computers and from local networks. The worm modifies an infected computer so that the worm will reply to unread e-mail messages, sending dummy e-mail replies with an infected attachment.

F-Secure said Sobig is an e-mail and network worm, sending itself around as a PIF e-mail attachment. The worm has remote control functionality through which the virus writer can control infected computers.

Copyright 2003 by United Press International. All rights reserved.