Avril Worm May Make Things Complicated

Anti-virus firm Sophos Wednesday warned of a new mass-mailing worm that pays tribute to Canadian pop singer Avril Lavigne.

An alert from Lynnfield, Mass.-based Sophos said the Avril/Livra (W32/Avril-A) worm was found in the wild piggybacking on known iFrame vulnerabilities in Microsoft Outlook.

Once executed, the worm opens the user’s IE browser on the official Avril Lavigne Web site on the 7th, 11th and 24th of the month, Sophos said. The worm uses the iFrames bug in Outlook to forward itself to all e-mail addresses in Outlook, regardless of whether the e-mail attachment is opened or not.

Microsoft has already patched the Outlook hole.

The ‘Avril’ worm uses the subject line “Fw: Avril Lavigne – the best”. Once the attachment is run, Sophos said the worm attempts to disable the user’s anti-virus software and takes over the infected screen with a series of colored ellipses. It also searches for e-mail addresses in all HTML files on an infected system and sends copies of itself to those addresses.

Sophos urged system admins to update corporate anti-virus software to detect and intercept the worm, and suggested that all Windows programs be blocked at corporate e-mail gateways. “Some e-mail applications can be configured to do this. It is rarely necessary to allow users to receive programs via email. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not,” Sophos said.
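As an added illustration of the gateway advice above (not code from Sophos or from the original article), the following Python sketch flags any MIME part that looks like a Windows program, by final file extension or by the "MZ" executable header, without consulting virus signatures. The extension list, addresses and attachment names are assumptions chosen for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed block list of extensions Windows runs directly; tune per site.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def is_windows_program(filename, payload):
    """True if a part looks like a Windows program by name or by content."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    name = (filename or "").lower().rstrip(". ")
    # Only the last extension counts, so "photo.jpg.scr" is still caught.
    if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return True
    # DOS/PE executables start with "MZ" whatever the file is called.
    return payload[:2] == b"MZ"


def blocked_parts(raw_message):
    """Return the names of the MIME parts a gateway should refuse."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        # Unnamed text parts are the message body, not an attachment.
        if filename is None and part.get_content_maintype() == "text":
            continue
        payload = part.get_payload(decode=True) or b""
        if is_windows_program(filename, payload):
            hits.append(filename or "<unnamed part>")
    return hits


def build_sample(filename, data):
    """Constructed test message; the attachment name and bytes are made up."""
    msg = EmailMessage()
    msg["Subject"] = "Fw: Avril Lavigne - the best"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("see attachment")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_parts(build_sample("sample.exe", b"MZ\x90\x00constructed")))
    print(blocked_parts(build_sample("notes.txt", b"plain text")))
```

Checking the leading bytes as well as the name means a renamed executable is refused even when its extension looks harmless.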

It’s not the first time virus writers have targeted pop stars or celebrities with e-mail worms. In the past, viruses have used the names of singer/actress Jennifer Lopez, tennis player Anna Kournikova and even former president Bill Clinton.