Emails with subject lines containing the name of chart-topping singer Avril Lavigne are unleashing a worm virus when opened. The bug, called Lirva, then steals cached passwords and sends them to an email address in Russia, according to alerts posted by a number of antivirus software vendors.
Lirva spreads by retrieving email addresses from a variety of files stored on a computer's hard drive, then sending copies of itself to those addresses in the form of an executable email attachment. The recipient doesn't have to click on the EXE file to activate the virus; instead, it uses a vulnerability in Internet Explorer-based email clients to execute the attachment automatically, according to Trend Micro.
Subject lines for infected email include: 'Avril Lavigne — CHART ATTACK'; 'Have U requested Avril Lavigne bio?' and 'Reply on account for Incorrect MIME-header', according to Trend Micro.
In addition to stealing passwords, the worm launches Internet Explorer on the seventh, 11th, and 24th of any month, connects to an Avril Lavigne website, www.avril-lavigne.com, and displays a graphic on the infected computer's desktop with the message: "Avril_Lavigne_Let_Go — My_Muse : ) 2002 (c) Otto von Gutenberg".
The worm, which only affects Windows operating systems, is contained in a wide range of attachments including AvrilSmiles.exe, AvrilLavigne.exe, resume.exe, and Phantom.exe, according to Trend Micro.
The virus also poses as a Microsoft security patch stored in attachments named 'MSO-Patch-0071.exe' and 'MSO-Patch-0035.exe', among many others, according to Sophos.
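A mail-gateway check built from the subject lines and attachment names quoted above, as an added example (not code from Trend Micro, Sophos or the original article). The function names, the constructed sample message and the MIME-type mismatch heuristic are assumptions made here.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article, which notes there are "many others".
LIRVA_SUBJECTS = {
    "avril lavigne - chart attack",
    "have u requested avril lavigne bio?",
    "reply on account for incorrect mime-header",
}
LIRVA_ATTACHMENTS = {
    "avrilsmiles.exe", "avrillavigne.exe", "resume.exe", "phantom.exe",
    "mso-patch-0071.exe", "mso-patch-0035.exe",
}

def normalize(text):
    """Case-fold, collapse whitespace and map Unicode dashes to '-'."""
    text = unicodedata.normalize("NFKC", str(text or ""))
    for dash in "\u2010\u2011\u2012\u2013\u2014\u2212":
        text = text.replace(dash, "-")
    return " ".join(text.split()).casefold()

def scan_message(raw_bytes):
    """Return a list of (finding, value) tuples for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = normalize(msg["Subject"])  # policy.default decodes RFC 2047 words
    findings = [("lirva-subject", subject)] if subject in LIRVA_SUBJECTS else []
    for part in msg.walk():
        name = normalize(part.get_filename())
        if not name.endswith(".exe"):
            continue
        kind = "lirva-attachment" if name in LIRVA_ATTACHMENTS else "executable-attachment"
        findings.append((kind, name))
        # Assumed heuristic, not from the article: .exe sent under a non-application type.
        if part.get_content_maintype() != "application":
            findings.append(("type-mismatch", name))
    return findings

def build_sample(subject, filename, maintype, subtype):
    """Constructed test message; the attachment bytes are harmless filler."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.invalid", "b@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"filler", maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("Avril Lavigne \u2014 CHART ATTACK", "AvrilSmiles.exe", "audio", "x-wav")))
```

Because the published lists are incomplete, the generic `executable-attachment` finding matters more than the exact-name matches.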
In addition to piggybacking on email messages, Lirva is capable of spreading over computer networks and the Kazaa peer-to-peer network by copying itself to shared folders on other computers or tricking users into downloading and running it. The worm is also able to disseminate itself over IRC (internet relay chat) networks, according to Trend Micro.
Antivirus software companies provided updated virus profiles for the Lirva worm and recommended that their customers update their antivirus software to include the new profiles.
Most vendors also provided instructions and software utilities for removing the virus from machines that have already been infected.