Virus alert: Two-faced Lirva threatening users

Computer users are being warned about the presence of a new mass-mailing worm which arrives in a email offering either the latest Microsoft security patch or exclusive access to pop sensation Avril Lavigne's website.

Lirva (w32.Lirva@mm), also known as Naith, once active will attempt to email copies of itself to all contacts on an infected system, shut down all antivirus and firewall programs, and launch a web browser to open the Avril Lavigne website on an infected user's desktop. Periodically an infected machine will continue to log-on to the Avril Lavigne website.

Lirva uses the Iframe vulnerability, so on unpatched systems, the worm will automatically execute whether or not the attached file is opened.

Antivirus vendor MessageLabs reports that parts of the Lirva worm code very look familiar, so Lirva may turn out to be a variant of a known virus family.

The email which carries Lirva shows evidence of a growing trend towards social engineering in order to encourage users to open the email. In past years emails bearing viruses have increasingly purported to carry information, pictures or video clips of celebrities - normally attractive females - who are particularly popular at any one time. Previous viruses have piggy-backed upon the popularity of singer Jennifer Lopez, tennis ace Anna Kournikova and Latino popstar Shakira.

Subject lines to look out for when spotting emails which may potentially carry the Lirva virus are:

Fw: Prohibited customers...
Re: Brigade Ocho Free membership
Re: According to Daos Summit
Fw: Avril Lavigne - the best
Re: Reply on account for IIS-Security
Re: ACTR/ACCELS Transcriptions
Re: The real estate plunger
Fwd: Re: Admission procedure
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header

Robert Vamosi writes for News.com