Updated: 10 January 2003
Sophos, a world leader in corporate anti-virus protection, has received a number of reports about a new worm called Avril or Lirva (W32/Avril-A and its variant W32/Avril-B) circulating in the wild.
The W32/Avril-A worm, which is a tribute to Canadian skater chick Avril Lavigne, opens Microsoft Internet Explorer at her website, www.avril-lavigne.com, on the 7th, 11th and 24th of the month. The worm also takes advantage of a year-old vulnerability in Microsoft Outlook, which allows it to forward itself to all email addresses in Outlook regardless of whether the email attachment is opened or not.
Amongst the various subject lines the worm uses is 'Fw: Avril Lavigne - the best'. Once the attachment is run, the worm attempts to disable the user's anti-virus software. It also behaves like the stereotypical virus of 1980s films, taking over the screen with a series of coloured ellipses.
"Ms Lavigne is just the latest in a long line of pop idols and celebrities to be used as bait by virus writers," said Carole Theriault, anti-virus consultant at Sophos. "It seems that every time a new celebrity bursts onto the scene, a virus writer will use them to persuade unsuspecting computer users to open unsolicited emails."
"The message to computer users is not so complicated. Those who practise safe computing, keep their anti-virus software up to date and patch against operating system vulnerabilities, will dramatically reduce the risk of becoming infected by a new virus," continued Theriault.
How to avoid infection in the future
Update your corporate anti-virus software now so that you can detect and prevent the W32/Avril-A and W32/Avril-B worms. If you do not have procedures for rapid updates, implement them now, because you are sure to need them again. Sophos Enterprise Manager is one way to help automate protection updates inside your company.
If possible, block all Windows programs at your email gateway. Some email applications can be configured to do this. It is rarely necessary to allow users to receive programs via email. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP contains pro-active threat reduction technology which can help you block dangerous filetypes and executable code at the email gateway.
Many viruses have exploited loopholes in commonly used web browsers and email software (e.g. Internet Explorer, Outlook and Outlook Express) to increase their chances of spreading effectively. Microsoft has issued a patch which addresses this and other vulnerabilities, and it can be downloaded from www.microsoft.com/technet/security/bulletin/MS01-027.asp.
Every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.asp. Other vendors offer similar services.
If you are a home user you may like to consider visiting windowsupdate.microsoft.com, a site run by Microsoft, which can automatically scan your computer for vulnerabilities and suggest which security patches need to be downloaded.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.