W32.Lirva.A also spreads via IRC, ICQ, KaZaA, and open network shares. This worm attempts to terminate antivirus and firewall products. It also emails the cached Windows 95/98/Me dial-up networking passwords to the virus writer.
When Microsoft Outlook receives the worm, the worm takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email.
Information on this vulnerability and a patch can be found here.
If the day of the month is the 7th, 11th, or 24th, the worm will launch your Web browser to www.avril-lavigne.com and display a graphic animation on the Windows desktop. Systems affected are: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP and Windows ME. Systems not affected are: Macintosh, OS/2, UNIX and Linux.
See full story here.
Worm Risk Ranked Medium By Trend Micro
Trend Micro has given the worm, which also uses the aliases LIRVA.C, I-Worm.Avron.b, and Win32/Naith.C@mm, a medium security risk rating with a high damage and distribution rating.
However, reported infections so far are few. The worm does not require the email receiver to open the attachment for it to execute. It uses a vulnerability in Internet Explorer-based email clients, known as Automatic Execution of Embedded MIME type, to execute the file attachment automatically.
Find out what appears in the subject line and body of text here.
F-Secure: LIRVA Spreading Faster Than Expected
The LIRVA worm continues to spread worldwide at a steady pace, with the new version, LIRVA.B, found Thursday, according to F-Secure.
The company believes LIRVA.B is spreading even faster than LIRVA.A. The new version tries to download a backdoor from a Web site, the company reports.
Worth noting: LIRVA.B fakes the sender address of infected e-mails, replacing the address of the infected user with the e-mail address of a random innocent bystander. The e-mail address of the infected user can often be found in the e-mail's "Return-Path" header. For more information, visit this F-Secure page.
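The Return-Path check described above, as an added example (not from F-Secure or the original article): a Python sketch that compares the visible From address with the Return-Path header to surface the likely infected sender. The function name, verdict labels and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real traffic); every address is made up.
SPOOFED = (
    "Return-Path: <infected.user@example.org>\r\n"
    "From: Innocent Bystander <bystander@example.net>\r\n"
    "To: victim@example.com\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)
CONSISTENT = (
    "Return-Path: <alice@example.org>\r\n"
    "From: Alice <Alice@Example.org>\r\n"
    "\r\n"
    "body\r\n"
)
NO_RETURN_PATH = "From: someone@example.net\r\n\r\nbody\r\n"


def _addr(value):
    """Return the lower-cased bare address from a header value, or None."""
    if value is None:
        return None
    addr = parseaddr(str(value))[1].strip().lower()
    return addr or None


def triage_sender(raw_message):
    """Compare the visible From address with the envelope sender in Return-Path."""
    msg = message_from_string(raw_message)
    from_addr = _addr(msg.get("From"))
    # Return-Path is added at final delivery; use the topmost one if several exist.
    paths = msg.get_all("Return-Path") or []
    envelope = _addr(paths[0]) if paths else None
    if envelope is None:
        verdict = "no-return-path"  # header missing, or null sender "<>"
    elif envelope == from_addr:
        verdict = "consistent"
    else:
        # From was not the envelope sender: Return-Path is the address to follow up.
        verdict = "mismatch"
    return {"from": from_addr, "return_path": envelope, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SPOOFED, CONSISTENT, NO_RETURN_PATH):
        print(triage_sender(sample))
```

A mismatch alone is not proof of infection, since mailing lists and forwarding services also produce differing addresses; treat it as a lead for locating the infected machine.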
McAfee Also Finds Growing LIRVA Risk
Security software vendor McAfee is also classifying LIRVA as a medium risk worm due to the increased prevalence in the last 24 hours and the two variants that have been discovered.
Read about the virus characteristics, indications of infection and removal instructions on this McAfee page.