Computer Virus Year 2003 Started with a Bang

Four new widespread worms found in two days

Helsinki, Finland - January 10, 2003

F-Secure is alerting computer users as four new internet worms are crawling across the globe. These new Windows worms were found on the 8th and 9th of January, 2003, and are known as (in order of appearance) Lirva.A, ExploreZip.E, Lirva.B and Sobig.

"Several new viruses are found every day, there's nothing special with that", says Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "But it is not normal to find four new viruses which are all successfully spreading in the wild within two days."

F-Secure Corporation has released a Level 2 Radar alert on all these viruses, indicating that system administrators and end users should make sure their systems are protected. Level 2 is the second highest alert level under the F-Secure Radar alerting system. F-Secure issued 27 Level 2 alerts (and two Level 1 alerts) during the whole of 2002.

"Apart from the two Lirva variants, these viruses are not related to each other - this does not seem to be a coordinated attack", comments Hypponen. "It seems we just got a really bad start for this year".

Information on the four viruses follows:

Lirva.A

Lirva (or Arvil) is a mass-mailing worm that uses several methods to spread. Besides e-mail, the worm uses the ICQ and IRC chat networks and the Kazaa file sharing network to spread. It also propagates through shared folders and Windows network drives. Lirva can disable several antivirus and security applications if it detects their presence. When the worm is active on a system, it tries to steal passwords and send them to an external e-mail address.

E-mails sent by Lirva vary a lot, but they often make references to Avril Lavigne, the Canadian rocker who was nominated for five Grammy awards just two days ago. Apparently the virus was written by a Kazakhstan-based fan of the artist. When the Lirva worm activates, it tries to open the official web site of Avril Lavigne and starts a graphical screen effect consisting of coloured, moving circles.

Lirva.B

Functionally, Lirva.B is very close to the original Lirva virus. It has been modified to evade detection by some anti-virus software. Another difference is that Lirva.B fakes the sender address of infected e-mails, replacing the address of the infected user with the e-mail address of a random innocent bystander. The real e-mail address of the infected user can often be found in the e-mail's "Return-Path" header.
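The Return-Path check described above can be scripted for a batch of received messages. The following Python sketch is an added example, not F-Secure code; the function names and the sample messages and addresses are constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr


def sender_pair(raw):
    """Return (From address, Return-Path address), both lower-cased."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    # Return-Path is written by the delivering mail server from the SMTP
    # envelope sender; take the topmost one if a message carries several.
    paths = msg.get_all("Return-Path") or []
    return_path = parseaddr(paths[0])[1].lower() if paths else ""
    return from_addr, return_path


def is_mismatch(raw):
    """True when both addresses are present and differ."""
    from_addr, return_path = sender_pair(raw)
    # An empty Return-Path ("<>") marks a bounce, not a faked sender.
    return bool(from_addr and return_path and from_addr != return_path)


def suspected_senders(raw_messages):
    """Count envelope senders over messages whose From does not match."""
    hits = Counter()
    for raw in raw_messages:
        if is_mismatch(raw):
            hits[sender_pair(raw)[1]] += 1
    return hits


def _sample(return_path, from_hdr):
    # Builds a constructed test message; not real captured mail.
    return (f"Return-Path: {return_path}\nFrom: {from_hdr}\n"
            "Subject: test\n\nbody\n")


SAMPLES = [
    _sample("<carol@infected.example>", "Bob <bob@bystander.example>"),
    _sample("<CAROL@infected.example>", "dave@other.example"),
    _sample("<erin@clean.example>", '"Erin" <erin@clean.example>'),
    _sample("<>", "MAILER-DAEMON@mx.example"),
]

if __name__ == "__main__":
    for addr, n in suspected_senders(SAMPLES).most_common():
        print(f"{addr}: {n} message(s) with a different From address")
```

Mailing lists and forwarding services also produce a From/Return-Path mismatch, so a hit is a lead for follow-up rather than proof of infection.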

ExploreZip.E

ExploreZip is an internet worm which was first found in June 1999. The original version (ExploreZip.A) spread all over the globe within days of initial discovery, becoming the first of the really widespread internet worms. Since then, several modified versions of this worm have been found.

On the 8th of January, 2003 - three and a half years after the virus was first seen - ExploreZip.E was found. This version was modified so that it was undetectable to most anti-virus programs. The worm's functionality has stayed the same. All of the ExploreZip variants spread as an e-mail attachment and, when activated, destroy Microsoft Office documents and source code files on infected computers and on local networks. The worm modifies an infected computer so that it replies to unread e-mails, sending dummy e-mail replies with an infected attachment.

Sobig

Sobig is an e-mail and network worm, sending itself around as a PIF e-mail attachment. The worm has remote control functionality through which the virus writer can control infected computers.

Detailed technical descriptions of these worms as well as a screenshot of the Lirva virus activation circle routine are available in the F-Secure Virus Description database at http://www.f-secure.com/v-descs/

F-Secure Anti-Virus can detect and stop all the mentioned viruses.

About F-Secure Corporation

F-Secure Corporation is a leading developer of centrally managed security solutions for the mobile enterprise. The company's award-winning, integrated antivirus, file encryption and network security solutions for handhelds, laptops, desktops, servers, mail servers and firewalls provide centralized policy based management of widely dispersed user communities. Founded in 1988, F-Secure is listed on the Helsinki Stock Exchange [HEX: FSC]. Corporate headquarters is in Helsinki, Finland with North American headquarters in San Jose, California. The company maintains offices in Germany, Japan, Sweden and the United Kingdom, and is supported by a network of VARs and Distributors in over 90 countries around the globe.

For more information, please contact:

Mikko Hypponen, Manager, Anti-Virus Research F-Secure Corporation Tel. +358 9 2520 5513 Email: Mikko.Hypponen@F-Secure.com

Heather Deem F-Secure Inc. Tel. +1 408 350 2178 Email: Heather.Deem@F-Secure.com