Updated: 10 January 2003

Sophos, a world leader in corporate anti-virus protection, has
received a number of reports about a new worm called Avril or Lirva
(W32/Avril-A and
its variant W32/Avril-B) circulating
in the wild.
The W32/Avril-A worm, a tribute to Canadian skater chick
Avril Lavigne, opens Microsoft Internet Explorer at her
website, www.avril-lavigne.com, on the 7th, 11th and 24th of the
month. The worm also takes advantage of a year-old vulnerability in
Microsoft Outlook, which allows it to forward itself to all email
addresses in Outlook regardless of whether the email attachment is
opened or not.
Among the subject lines the worm uses is 'Fw: Avril
Lavigne - the best'. Once the attachment is run, the worm attempts
to disable the user's anti-virus software. It also behaves like the
1980s film stereotype of a virus, taking over the screen with a
series of coloured ellipses.
"Ms Lavigne is just the latest in a long line of pop idols and
celebrities to be used as bait by virus writers," said Carole
Theriault, anti-virus consultant at Sophos. "It seems that every
time a new celebrity bursts onto the scene, a virus writer will use
them to persuade unsuspecting computer users to open unsolicited
emails."
"The message to computer users is not so complicated. Those who
practise safe computing, keep their anti-virus software up to date
and patch against operating system vulnerabilities, will
dramatically reduce the risk of becoming infected by a new virus,"
continued Theriault.
How to avoid infection in the future
Update your corporate anti-virus software now so that you can
detect and prevent the W32/Avril-A and W32/Avril-B worms. If you
do not have procedures for rapid updates, implement them now,
because you are sure to need them again. Sophos Enterprise Manager is one way to help
automate protection updates inside your company.
If possible, block all Windows programs at your email gateway.
Some email applications can be configured to do this. It is rarely
necessary to allow users to receive programs via email. There is so
little to lose, and so much to gain, simply by blocking all
mailed-in programs, regardless of whether they contain viruses or
not. Sophos MailMonitor for SMTP
contains pro-active threat reduction technology which can help you
block dangerous filetypes and executable code at the email
gateway.
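The gateway rule described above, as an added example (not Sophos code and not how MailMonitor works): a filter that refuses any attachment Windows would run, judged by file name or by content, without looking for a virus at all. The extension list, function names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly. Illustrative list, not a complete one.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def blocked_parts(raw: bytes) -> list:
    """Return (filename, reason) for every MIME part the gateway should refuse."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # policy.default decodes RFC 2231 / encoded-word file names for us.
        # Windows ignores trailing dots and spaces, so "a.exe. " is "a.exe".
        name = (part.get_filename() or "").strip().rstrip(". ")
        # Only the last extension decides what runs ("readme.txt.scr").
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXT:
            hits.append((name, "blocked extension " + ext))
        elif payload[:2] == b"MZ":
            # DOS/PE header: a program whatever the name or Content-Type says.
            hits.append((name, "executable content (MZ header)"))
    return hits


def sample_message() -> bytes:
    """Constructed test message: two disguised programs and one harmless file."""
    m = EmailMessage()
    m["Subject"] = "constructed test message"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00 fake program bytes", maintype="image",
                     subtype="jpeg", filename="photo.jpg")
    m.add_attachment(b"not really a screensaver", maintype="application",
                     subtype="octet-stream", filename="readme.txt.scr")
    m.add_attachment(b"plain notes", maintype="application",
                     subtype="octet-stream", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for filename, reason in blocked_parts(sample_message()):
        print(f"REJECT {filename}: {reason}")
```
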
Many viruses have exploited loopholes in commonly used web
browsers and email software (e.g. Internet Explorer, Outlook and
Outlook Express) to increase their chances of spreading
effectively. Microsoft has issued a patch which addresses this and
other vulnerabilities, and it can be downloaded from www.microsoft.com/technet/security/bulletin/MS01-027.asp.
Every IT manager responsible for security should consider
subscribing to vulnerability mailing lists such as that operated by
Microsoft at www.microsoft.com/technet/security/bulletin/notify.asp.
Other vendors offer similar services.
If you are a home user you may like to consider visiting
windowsupdate.microsoft.com, a site run by
Microsoft, which can automatically scan your computer for
vulnerabilities and suggest which security patches need to be
downloaded.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.