Article ID: 812811 - Last Review: March 27, 2007 - Revision: 7.1

Virus alert about the W32.Lirva.A@mm worm

SUMMARY

W32.Lirva.A@mm is a new e-mail worm. The Microsoft Product Support Services Security team is issuing this alert to advise customers to be aware of this virus as it spreads in the wild. If you use best practices, such as filtering certain file types and applying security patches, you can prevent infection from this mass-mailer worm.

Note By default, Microsoft Office Outlook 2003 and Microsoft Office Outlook 2007 provide protection against the W32.Lirva.A@mm mass-mailer worm.

MORE INFORMATION

Impact of attack

Mass-mailing, Termination of Antivirus Programs and Firewalls, and Compromise of Cached Passwords

Technical details

W32.Lirva.A@mm is a new mass-mailer worm that also propagates through shares and peer-to-peer file-sharing applications. The W32.Lirva.A@mm worm arrives in an e-mail message that has the following characteristics:

Note The contents vary. The following message is only one example.

Subject: Re: Reply on account for IFRAME-Security breach

Body: Patch is also provided to subscribed list of Microsoft Tech Support: to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so and do not need to take additional action. Customers who have applied that patch are already protected against the vulnerability that is eliminated by a previously-released patch. Microsoft has identified security vulnerability in Microsoft IIS 4.0 and 5.0. To prevent from the further buffer overflow attacks apply the MSO-patch.

Attachment (including, but not limited to): Resume.exe, AvrilLavigne.exe, AvrilSmiles.exe, CERT-Vuln-Info.exe, IAmWiThYoU.exe, MSO-Patch-0035.exe, MSO-Patch-0071.exe, Readme.exe, Singles.exe, Sophos.exe

The worm tries to exploit a previously patched vulnerability that exists in some versions of Microsoft Outlook, Microsoft Outlook Express, and Microsoft Internet Explorer. This vulnerability can be used to allow an executable attachment to run automatically, even if you do not double-click the attachment. For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

Upon execution, the worm tries to disable some antivirus and
firewall applications that may be running on the computer. The worm also does
one or more of the following:
Prevention
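
A gateway-side sketch of the file-type filtering that the summary recommends, matching the attachment names listed in this alert. This is an added example, not Microsoft's code; the function names, the constructed sample message and every blocked extension other than .exe are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names listed in this alert (the alert notes the list is not exhaustive).
LIRVA_NAMES = {n.lower() for n in (
    "Resume.exe", "AvrilLavigne.exe", "AvrilSmiles.exe", "CERT-Vuln-Info.exe",
    "IAmWiThYoU.exe", "MSO-Patch-0035.exe", "MSO-Patch-0071.exe", "Readme.exe",
    "Singles.exe", "Sophos.exe")}
# Assumption: extensions the gateway blocks outright; only .exe appears in the alert.
BLOCKED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}

def normalise(filename):
    """Lower-case, drop any path, and strip the trailing dots/spaces Windows ignores."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ").lower()

def check_message(raw_bytes):
    """Return [(filename, reason)] for every attachment the filter would block."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():             # walk() also reaches nested multiparts
        filename = part.get_filename()  # None for parts that carry no file name
        if not filename:
            continue
        base = normalise(filename)
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if base in LIRVA_NAMES:
            findings.append((filename, "name listed in the Lirva alert"))
        elif ext in BLOCKED_EXTS:
            findings.append((filename, "blocked executable extension"))
    return findings

def build_sample():
    """Constructed test message; attachment bodies are harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Re: Reply on account for IFRAME-Security breach"
    msg.set_content("constructed body")
    for name in ("mso-patch-0035.EXE", "Holiday.SCR.", "report.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in check_message(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```

Because the alert says the subject, body and attachment names vary, the extension rule is the one that generalises; the name list only catches the samples documented here.
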

Recovery

If your computer has been infected with this virus, contact Microsoft Product Support Services or your preferred antivirus vendor for help with removing the virus. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Related security information

For additional information about viruses, visit the following third-party Web sites:
http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html
http://vil.nai.com/vil/content/v_99949.htm

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional security-related information about Microsoft products, visit the following Microsoft Web site:
http://www.microsoft.com/security/default.mspx
