echo: linuxhelp
to: Geo.
from: Joe Barr
date: 2003-01-08 04:25:08
subject: Re: Daily worm - a question

From: "Joe Barr" 

On Tue, 07 Jan 2003 21:47:17 +0000, Geo. wrote:

> "Joe Barr"  wrote in message
> news:3e1b1b11$1{at}w3.nls.net...
>>
>> Gosh, these daily worm/virus things in the MS world must be a real pain
>> to deal with.  But what's up with this one?
>>
>> ZD says the Lirva Worm is based on the IFrame vulnerability, and if you
>> have upgraded to the right version of Outlook you should be safe.  OK,
>> that makes sense.
>>
>> But then it says it might also spread on IRC.  What's the connection
>> between Outlook and IRC?
>
> I went to Symantec to look this one up
>

>
> I don't see it listed.
>
> Geo.

From the story.  But why does an Outlook security bug allow worms to be
spread through IRC?


 Once active, Lirva will attempt to shut down all security programs such
 as antivirus and firewall software. It will search an infected hard drive
 for all HTML files in an attempt to locate e-mail addresses, then use its
 own SMTP engine to send copies of itself to those addresses. Unlike
 several recent viruses, such as Sircam, Lirva does not appear to spoof
 the sender's address.

Lirva will also open a browser and display an Avril Lavigne Web site.
MessageLabs points out that this may have the unintended effect of creating
a denial-of-service attack if several thousand infected PCs all try to
access the site at once.

Initial analysis suggests Lirva may also spread via IRC.

Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have
installed the Security Update and have installed the patch for the MS01-020
vulnerability in Internet Explorer should be safe from Lirva. Users who
have not upgraded to Outlook 2002 or who have not installed the patch for
the MS01-020 vulnerability should do so. In general, do not open attached
files in e-mail without first saving them to hard disk and scanning them
with updated antivirus software. Contact your antivirus vendor to obtain
the most current antivirus signature files that include MyLife.

Removal
A few antivirus software companies have updated their signature files to
include this worm. This will stop the infection upon contact and in some
cases will remove an active infection from your system. For more
information, see Central Command, McAfee, Sophos, and Trend Micro.

--

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)
SEEN-BY: 633/267 270
@PATH: 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
