The Web    Google
Virus Alert Activity Intensifies

Virus Alert Activity Intensifies
January 10, 2003

Just one day after the anti-virus community was abuzz with a double virus alert, two more alerts have gone up.

ExploreZip, an old virus with a facelift, and the Avril or Lirva.A mass-mailing worm, released as a destructive ode to the Canadian singer Avril Lavigne, both received Level 2 Alert status late on Wednesday. Now a variant on the Lirva virus, Lirva.B, has hit, along with the new Sobig virus.

Now anti-virus vendors and security administrators are fighting virus battles on four different fronts.

"It's a big fuss when we have to try to fight more than one fire at the same time," says Mikko Hypponen, manager of anti-virus research in F-Secure Corp.'s Finland office. "Regarding virus outbreaks, 2002 was a calm year. We haven't had a fight like this in a while. In comparison, in all of last year we had 27 Level 2 alerts for the whole year."

The Sobig worm, which was discovered in the wild on Jan. 9, spreads via email and network shared drives. Once it infects a computer, it also tries to download files from Web pages on the Geocities site.

Analysts at F-Secure Corp. warn administrators that the sender address is always labeled as Subjects vary from 'Re: Here is that Sample' to 'Re: Document'; 'Re:Sample', and 'Re: Movies'. The email contains an executable attachment. The worm copies itself to a Windows System Directory and then downloads a program from a Web site and runs it on the infected machine.

The Lirva.B worm, also discovered on Jan. 9, is spreading faster than the Lirva.A original. The new version tries to download a backdoor from a Web site but the site has been blocked. Lirva.B also fakes the sender address of infected emails, replacing the address of the infected user with a random name.

The Lirva.A mass-mailing worm has been spreading rapidly but mainly in Europe. Once Lirva infects a computer, it opens the computer's Internet Explorer browser to the official Avril Lavigne Web site on the 7th, 11th and 24th of the month. It then starts to display colored circles on the screen, freezing the computer.

ExploreZip, an Internet worm first let loose in the wild back in 1999, has reemerged with just enough changes made to allow it to slip through anti-virus software undetected. And it has the added ability to override files on the infected computer, as well as on any other computer in the same network.

ExploreZip is an anomaly in that it's such an old virus -- three and a half years is ancient in the virus world. And, like it's former self, it is cleverly written. Once ExploreZip infects a computer, it will automatically respond to any email received with a seemingly valid subject line and the user's name, along with an infected attachment.

Once it's in a computer, it will override several different types of files on that computer and any other computer on the same network. Hypponen says its destructiveness elevated it to a Level 2 ranking.

F-Secure's Level 2 Threat is the second highest threat category.

  • 2/11: Rbot-VT Worm Has Backdoor Ability
  • Exploit for Windows SSL Flaw Circulating
  • 1/13: Expl_Iconex-A an Animated Cursor File
  • 3/4: Rbot-WV Worm Uses Bad Passwords
  • Secure Messaging Vendor Offers Management Appliance
  • 1/12: Bobax-D Worm Exploits LSASS Flaw
  • 7/29: Lovgate-AK a Mass-Mailing Worm
  • 4/18: Mytob-BR Worm Mails Itself Out
  • Taking on Cyber Crime's New Mob Ties
  • New Worm Throws 'Smackdown' on Users
  • HP Cuts to the Middle of Disaster Recovery
  • Buy Security Camera