Win32/Lirva.A (Win32/Naith.A, Win32/Avril.A) and now also Win32/Lirva.C !!!

The Win32/Lirva.A virus (sometimes labelled Win32/Naith.A or Win32/Avril.A) is being reported around the world. It spreads, of course, by e-mail and over shared drives. An infected e-mail can be recognized by its subject, which may contain one of the following lines:

Fw: Avril Lavigne - the best
Fw: Prohibited customers...
Fwd: Re: Admission procedure
Fwd: Re: Reply on account for Incorrect MIME-header
Re: According to Daos Summit
Re: ACTR/ACCELS Transcriptions
Re: Brigade Ocho Free membership
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security
Re: The real estate plunger

The body of the e-mail can then take one of three forms:

  • Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below

  • Restricted area response team (RART) Attachment you sent to is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch

  • Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft®Tech Support

The attachment is one of the following infected files:

    AvrilLavigne.exe
    AvrilSmiles.exe
    CERT-Vuln-Info.exe
    Cogito_Ergo_Sum.exe
    Complicated.exe
    Download.exe
    IAmWiThYoU.exe
    MSO-Patch-0035.exe
    MSO-Patch-0071.exe
    Readme.exe
    Resume.exe
    Singles.exe
    Sk8erBoi.exe
    Sophos.exe
    Transcripts.exe
    Two-Up-Secretly.exe

On the 7th, 11th and 24th day of each month it opens the page www.avril-lavigne.com and draws a large shape in the upper left of the Windows desktop with the text "AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg".

As prevention, I recommend downloading all patches for Internet Explorer (link at the top right) and, of course, not running unknown attachments!

If it is already too late, it is enough to delete the "Avril Lavigne - Muse" entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the registry. I will gladly advise at igi@viry.cz.

The Win32/Lirva.C variant (Win32/Naith.C, Win32/Avril.C) is causing problems as well! It differs mainly in the subject and body texts and in the attachment names.

Subjects:

    Fw: Redirection error notification
    Re: Brigada Ocho Free membership
    Re: According to Purge's Statement
    Fw: Avril Lavigne - CHART ATTACK!
    Re: Reply on account for IIS-Security Breach
    (TFTP)
    Re: ACTR/ACCELS Transcriptions
    Re: IREX admits you to take in FSAU 2003
    Fwd: Re: Have U requested Avril Lavigne bio?
    Re: Reply on account for IFRAME-Security breach
    Fwd: Re: Reply on account for Incorrect MIME-header
    Re: Vote seniors masters - don't miss it!
    Fwd: RFC-0245 Specification requested...
    Fwd: RFC-0841 Specification requested...
    Fw: F. M. Dostoyevsky "Crime and Punishment"
    Re: Junior Achievement
    Re: Ha perduto qualque cosa signora?

Message bodies (6 versions):

  • Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support: Patch: Date
  • Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
  • Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
  • Chart attack active list: Vote fo4r I'm with you! Vote fo4r Sk8er Boi!Vote fo4r Complicated!AVRIL LAVIGNE - THE CHART ATTACK!
  • AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:> SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Chart attack active list
  • Orginal Message

Attachments:

    Resume.exe
    ADialer.exe
    MSO-Patch-0071.exe
    MSO-Patch-0035.exe
    Two-Up-Secretly.exe
    Transcripts.exe
    Readme.exe
    AvrilSmiles.exe
    AvrilLavigne.exe
    Complicated.exe
    TrickerTape.exe
    Singles.exe
    Sophos.exe
    Cogito_Ergo_Sum.exe
    CERT-Vuln-Info.exe
    Sk8erBoi.exe
    IAmWiThYoU.exe
    Phantom.exe
    EntradoDePer.exe
    SiamoDiTe.exe
    BioData.exe
    ALavigne.exe
    {random}.TXT
    {random}.DOC
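
An added example (not part of the original advisory): a Python mail-triage check that parses a raw message and reports which of the subject and attachment indicators listed above it carries. The function and sample names are assumptions, the sample message is constructed, and the "(TFTP)" line is left out because the page does not make clear whether it is a subject of its own.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Attachment names listed on this page for Lirva.A and Lirva.C (lowercased).
ATTACHMENTS = set("""avrillavigne.exe avrilsmiles.exe cert-vuln-info.exe
cogito_ergo_sum.exe complicated.exe download.exe iamwithyou.exe
mso-patch-0035.exe mso-patch-0071.exe readme.exe resume.exe singles.exe
sk8erboi.exe sophos.exe transcripts.exe two-up-secretly.exe adialer.exe
trickertape.exe phantom.exe entradodeper.exe siamodite.exe biodata.exe
alavigne.exe""".split())
# Subjects from this page with the Re:/Fw:/Fwd: prefixes removed.
SUBJECTS = {s.lower() for s in (
    "Avril Lavigne - the best", "Prohibited customers...",
    "Admission procedure", "Reply on account for Incorrect MIME-header",
    "According to Daos Summit", "ACTR/ACCELS Transcriptions",
    "Brigade Ocho Free membership", "The real estate plunger",
    "Reply on account for IFRAME-Security breach",
    "Reply on account for IIS-Security", "Redirection error notification",
    "Brigada Ocho Free membership", "According to Purge's Statement",
    "Avril Lavigne - CHART ATTACK!", "Reply on account for IIS-Security Breach",
    "IREX admits you to take in FSAU 2003", "Junior Achievement",
    "Have U requested Avril Lavigne bio?", "Ha perduto qualque cosa signora?",
    "Vote seniors masters - don't miss it!", "RFC-0245 Specification requested...",
    "RFC-0841 Specification requested...",
    'F. M. Dostoyevsky "Crime and Punishment"')}
PREFIX = re.compile(r"^\s*((re|fw|fwd):\s*)+", re.I)

def lirva_indicators(raw):
    """Return the page's Lirva indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = PREFIX.sub("", str(msg["Subject"] or "")).strip().lower()
    hits = ["subject: " + subject] if subject in SUBJECTS else []
    for part in msg.iter_attachments():
        # Compare the base name only, case-insensitively.
        name = (part.get_filename() or "").replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in ATTACHMENTS:
            hits.append("attachment: " + name.lower())
    return hits

def sample():
    """Constructed test message, not a captured one."""
    m = EmailMessage()
    m["Subject"] = "Fwd: Re: Admission procedure"
    m.set_content("Admission form attached below")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename="Sk8erBoi.EXE")
    return m.as_string()
```

A name list cannot catch Lirva.C's randomly named .TXT and .DOC attachments.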