Password-stealing Lirva worm is spreading

A new e-mail worm is spreading. It which steals Microsoft Windows passwords and sends them to e-mail addresses in Russia,...

A new e-mail worm is spreading. It which steals Microsoft Windows passwords and sends them to e-mail addresses in Russia, according to alerts posted by a number of antivirus software vendors.

The worm, W32/Lirva spreads by retrieving e-mail addresses from a variety of files stored on a computer's hard drive, then sending copies of itself to those addresses in the form of an executable e-mail attachment, according to information from security company F-Secure.

Subject lines for infected e-mail include: "Avril Lavigne - the best", "Reply on account for IIS-Security", and "According to Daos Summit", F-Secure said.

The worm, which only affects Microsoft Windows operating systems, is contained in a wide range of attachments including "AvrilSmiles.exe", "AvrilLavigne.exe", "resume.exe," and "Readme.exe," and launches on the seventh, 11th and 24th of any month

The virus also poses as a Microsoft security patch stored in attachments named "MSO-Patch-0071.exe" and "MSO-Patch-0035.exe," among many others, according to antivirus vendor Sophos.

Security firm MessageLabs said the worm highlighted "a worrying trend that is developing whereby many new viruses harbour the ability to disable desktop security and anti-virus software".

Lirva exploits a well-known security vulnerability in the Microsoft's Internet Explorer Web browser, Outlook and Outlook Express e-mail applications.

Microsoft patched the vulnerability, MS01-020. Software updates for the affected products are available on the company's Web site. (See and

In addition to using e-mail messages to spread, Lirva is capable of spreading over computer networks and the Kazaa peer-to-peer network by copying itself to shared folders on other computers or tricking users into downloading and running it. The worm is also able to spread over Internet Relay Chat (IRC) networks, according to F-Secure.

The new worm is currently rated a "low" risk by Symantec and a "medium" risk on Network Associates's McAfee Web site.



Enjoy the benefits of CW+ membership, learn more and join.

Read more on Hackers and cybercrime prevention



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: