This one has the potential to be nasty. Call this one the Avril Lavigne virus.

Regards,
Jim Kenzig
http://thethin.net
http://www.osmess.com

Reference:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIRVA.C
or
http://vil.mcafee.com/dispVirus.asp?virus_k=99949

Virus type: Worm
Destructive: No
Aliases: I-Worm.Avron.b, Win32/Naith.C@mm, W32.Lirva.C@mm, W32/Avril-B
Pattern file needed: 435
Scan engine needed: 5.200
Overall risk rating: Medium
Reported infections: Low
Damage Potential: High
Distribution Potential: High

Description:

This memory-resident mass-mailing worm propagates via email, mapped network shared drives, IRC, ICQ and KaZaA peer-to-peer file sharing. It arrives through email with the following details:

Subject: (any of the following)
  Fw: Redirection error notification
  Re: Brigada Ocho Free membership
  Re: According to Purge's Statement
  Fw: Avril Lavigne - CHART ATTACK!
  Re: Reply on account for IIS-Security Breach (TFTP)
  Re: ACTR/ACCELS Transcriptions
  Re: IREX admits you to take in FSAU 2003
  Fwd: Re: Have U requested Avril Lavigne bio?
  Re: Reply on account for IFRAME-Security breach
  Fwd: Re: Reply on account for Incorrect MIME-header
  Re: Vote seniors masters - don't miss it!
  Fwd: RFC-0245 Specification requested...
  Fwd: RFC-0841 Specification requested...
  Fw: F. M. Dostoyevsky "Crime and Punishment"
  Re: Junior Achievement
  Re: Ha perduto qualque cosa signora?

Message Body: (any of the following; the worm's own text, reproduced verbatim including its typos)

  AVRIL LAVIGNE - THE BEST
  Avril Lavigne's popularity increases: SO: First, Vote on TRL for I'm With U!
  Next, Update your pics database! Chart attack active list.
  Orginal Message:

Or

  Network Associates weekly report: Microsoft has identified a security
  vulnerability in MicrosoftIIS 4.0 and 5.0 that is eliminated by a
  previously-released patch. Customers who have applied that patch are
  already protected against the vulnerability and do not need to take
  additional action. Microsoft strongly urges all customers using IIS 4.0
  and 5.0 who have not already done so to apply the patch immediately.
  Patch is also provided to subscribed list of Microsoft Tech Support:

Or

  AVRIL LAVIGNE - THE CHART ATTACK!
  Vote fo4r Complicated!
  Vote fo4r Sk8er Boi!
  Vote fo4r I'm with you!
  Chart attack active list:

Or

  Restricted area response team (RART)
  Attachment you sent to is intended to overwrite start address at 0000:HH4F
  To prevent from the further buffer overflow attacks apply the MSO-patch

Attachment: (any of the following)
  Resume.exe
  ADialer.exe
  MSO-Patch-0071.exe
  MSO-Patch-0035.exe
  Two-Up-Secretly.exe
  Transcripts.exe
  Readme.exe
  AvrilSmiles.exe
  AvrilLavigne.exe
  Complicated.exe
  TrickerTape.exe
  Sophos.exe
  Cogito_Ergo_Sum.exe
  CERT-Vuln-Info.exe
  Sk8erBoi.exe
  IAmWiThYoU.exe
  Phantom.exe
  EntradoDePer.exe
  SiamoDiTe.exe
  BioData.exe
  ALavigne.exe

It does not require the email recipient to open the attachment for it to execute. It uses a vulnerability in Internet Explorer-based email clients to execute the file attachment automatically, known as Automatic Execution of Embedded MIME type. More information about this vulnerability is available in Microsoft's Security Bulletin MS01-020:
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-020.asp>

This malware also retrieves cached passwords and sends them to a specific email address, and has the capability to terminate certain antivirus processes. Upon execution, it may terminate the Explorer process, thus hiding the taskbar and desktop icons.

On the 7th, 11th and 24th of every month, it opens the default browser to http://www.avril-lavigne.com and displays shapes and a text message on screen.

The UPX-compressed worm runs on Windows 95, 98 and ME. The uncompressed file runs on Windows 95, 98, ME, NT, 2000 and XP.

***********************************************
This Week's Sponsor: WM Software
WMS Messenger for TSE
Affordable Instant Messaging for Terminal Servers
http://www.wmsoftware.com/wmsm/
************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link.
http://thethin.net/citrixlist.cfm
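An added example, not part of Jim's post or of the Trend Micro entry, that turns the indicators above into a mail-gateway triage check. It parses raw RFC 822 messages with Python's standard email package and flags two things: subjects and attachment names copied from the lists above, and any attachment named *.exe whose declared MIME type is not an application/* type. The second check is the generic shape of the MS01-020 auto-execution trick (executable content labelled as a media type the client handles on its own); the write-up does not say which Content-Type this worm puts on its attachments, so treat that check as a class heuristic rather than a statement about Lirva.C's exact headers. The sample messages are constructed for the example, not captured worm traffic.

```python
"""Mail triage for the WORM_LIRVA.C indicators listed in the write-up above.

Added example for this page; it is not code from the list post, from Trend
Micro or from Microsoft. It flags (a) subjects and attachment names taken
from the write-up and (b) a *.exe attachment whose declared MIME type is not
application/* (the generic MS01-020 mismatch; an assumption about the class
of bug, not a claim about this worm's exact headers). Samples are constructed.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines copied from the write-up.
LIRVA_SUBJECTS = {
    "Fw: Redirection error notification",
    "Re: Brigada Ocho Free membership",
    "Re: According to Purge's Statement",
    "Fw: Avril Lavigne - CHART ATTACK!",
    "Re: Reply on account for IIS-Security Breach (TFTP)",
    "Re: ACTR/ACCELS Transcriptions",
    "Re: IREX admits you to take in FSAU 2003",
    "Fwd: Re: Have U requested Avril Lavigne bio?",
    "Re: Reply on account for IFRAME-Security breach",
    "Fwd: Re: Reply on account for Incorrect MIME-header",
    "Re: Vote seniors masters - don't miss it!",
    "Fwd: RFC-0245 Specification requested...",
    "Fwd: RFC-0841 Specification requested...",
    'Fw: F. M. Dostoyevsky "Crime and Punishment"',
    "Re: Junior Achievement",
    "Re: Ha perduto qualque cosa signora?",
}

# Attachment names copied from the write-up; matched case-insensitively.
LIRVA_ATTACHMENTS = {n.lower() for n in (
    "Resume.exe", "ADialer.exe", "MSO-Patch-0071.exe", "MSO-Patch-0035.exe",
    "Two-Up-Secretly.exe", "Transcripts.exe", "Readme.exe", "AvrilSmiles.exe",
    "AvrilLavigne.exe", "Complicated.exe", "TrickerTape.exe", "Sophos.exe",
    "Cogito_Ergo_Sum.exe", "CERT-Vuln-Info.exe", "Sk8erBoi.exe",
    "IAmWiThYoU.exe", "Phantom.exe", "EntradoDePer.exe", "SiamoDiTe.exe",
    "BioData.exe", "ALavigne.exe",
)}


def classify(raw: bytes) -> dict:
    """Return subject, findings and a verdict ('block' or 'pass') for one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    findings = []
    if subject in LIRVA_SUBJECTS:
        findings.append(f"subject on Lirva.C list: {subject!r}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text, no attachment filename
        ctype = part.get_content_type()  # normalised to lower case by the parser
        if name.lower() in LIRVA_ATTACHMENTS:
            findings.append(f"attachment name on Lirva.C list: {name!r}")
        if name.lower().endswith(".exe") and not ctype.startswith("application/"):
            # Executable payload labelled as a non-application type: the
            # auto-handling mismatch the MS01-020 class of bug relies on.
            findings.append(f"MIME type mismatch: {name!r} declared as {ctype}")
    return {"subject": subject, "findings": findings,
            "verdict": "block" if findings else "pass"}


def build_sample(subject: str, filename: str, ctype: str) -> bytes:
    """Construct a test message (constructed data, not a captured Lirva.C sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Chart attack active list.")
    maintype, subtype = ctype.split("/", 1)
    # A fake PE header is enough: the checks inspect headers, not the payload.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12,
                       maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in (("Fw: Avril Lavigne - CHART ATTACK!", "Resume.exe", "audio/x-wav"),
                 ("Lunch tomorrow?", "report.pdf", "application/pdf")):
        print(classify(build_sample(*args)))
```

Subject and filename matching is exact-list IOC work and only catches this variant; the MIME mismatch check is what you would keep on a gateway, since it does not depend on the lure text and also covers the next worm that reuses the same auto-execution trick with different names.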