F-Secure Virus Descriptions : Lirva.B

Lirva worm continues to spread worldwide at a steady pace. On Thursday, 9th of January 2003, a new version of this worm (known now as Lirva.B) was found. It seems to be spreading even faster than Lirva.A. New version tries to download a backdoor from a web site but this has now been blocked.

Lirva.B spreads via email, ICQ, Kazaa, mIRC and open shared network drives in a similar way as Lirva.A. For more technical details on this:

http://www.europe.F-Secure.com/v-descs/lirva.shtml

IMPORTANT: Lirva.B fakes the sender address of infected e-mails, replacing the address of the infected user with the e-mail address of a random innocent bystander. The e-mail address of the infected user can often be found from the e-mail's "Return-Path" header.

F-Secure Anti-Virus for Windows detected Lirva.B before it was found in the wild.

Disinfection Tool

F-Secure provides the special disinfection tool to clean infected computers from Lirva.B worm. The tool is called LirvTool and it can be downloaded from our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/lirvtool.zip

Step-by-step removal instructions can be found here (the instructions are also included into the above mentioned ZIP archive together with the tool):

ftp://ftp.europe.f-secure.com/anti-virus/tools/lirvtool.txt

Detection

F-Secure Anti-Virus for Linux detects Lirva.B with the update published on January 9th, 2003 in update:

Version=2003-01-09_03

[Analysis: F-Secure Corp.; January 9th, 2003]