W32.Leave.Worm

SUMMARY

Due to a decrease in submissions, this worm has been downgraded from a Threat Level 3 to a 2.

This worm downloads components from Web sites and contains code to accept commands from IRC.

Protection

• Virus Definitions (Intelligent Updater) June 24, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 50 - 999
• Number of Sites: 3 - 9
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low

TECHNICAL DETAILS

There are several components to this worm, including:

• Bin.dll
• Registry.dll
• Regsv.exe
• Rg32.dll
• Aci32.dll

When Regsv.exe is run, it copies itself to the Windows folder as Regsv.exe and then runs it. It then creates various registry keys and values, depending on the operating system on which it is running:

• Windows NT/2000:
  It adds the value
  
  regsv   C:WINDOWSegsv.exe
  
  to the key
  
  HKEY_LOCAL_MACHINESoftwareMicrosoft
  WindowsCurrentVersionRun

• Windows 9x/Me:
  It adds the value
  
  regsv   C:WINDOWSegsv.exe
  
  to the key
  
  HKEY_LOCAL_MACHINESoftwareMicrosoft
  WindowsCurrentVersionRunServices

In addition, for all operating systems:

• It adds the value
  
  icqrun   C:WINDOWSegsv.exe
  
  to the key
  
  HKEY_CURRENT_USERSoftwareMirabilisICQAgentApps
  
• It creates the keys
  
  HKEY_LOCAL_MACHINESoftwareClassesScandiski386i
  
  HKEY_LOCAL_MACHINESoftwareClassesScandiski386s

The i key contains information values, such as the original file name and some passwords.
The s key contains an encrypted list of Web sites from which files can be downloaded, and a list of time servers.

Next, it deletes the original Regsv.exe and creates the Aci32.dll file, which contains the encrypted URL of the file to download.

Finally, under Windows 9x/Me the worm alters the system to run itself when any of the following files are executed:

• C:Program FilesOutlook ExpressWab.Exe
• C:Program FilesOutlook ExpressSetup50.Exe
• C:Program FilesOutlook ExpressWabmig.Exe
• C:Program FilesOutlook ExpressMsimn.Exe
• C:Program FilesMediaring Talk 99Talk99.Exe
• C:Program FilesNapsterNapster.Exe
• C:Program FilesMessengerMsmsgs.Exe
• %Windows%SystemRestoreRstrui.Exe
• C:Program FilesInternet ExplorerConnection WizardIcwconn1.Exe
• %Windows%Defrag.Exe,Bot
• %Windows%Sndvol32.Exe
• %Windows%Calc.Exe
• %Windows%Kodakimg.Exe
• %Windows%Cleanmgr.Exe
• %Windows%Scandskw.Exe
• C:Program FilesAccessoriesMspaint.Exe
• %Windows%Ipconfig.Exe.Exe
• %Windows%Wupdmgr.Exe.Exe
• %Windows%Regedit.Exe
• %Windows%Rundll.Exe
• %Windows%Sysmon.Exe
• %Windows%Taskmon.Exe
• %Windows%Notepad.Exe
• %Windows%Control.Exe
• C:Program FilesAccessoriesWordpad.Exe

It listens on port 113.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Leave.worm.
4. If you delete any of the system files that are mentioned in the list in the previous section, you should restore them from the Windows installation CD.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys that are specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a qualified computer technician for more information.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to and select the following key:
   
   HKEY_CURRENT_USERSoftwareMirabilis
   ICQAgentApps
   
4. In the right pane, look for and select the value
   
   icqrun   C:WINDOWSegsv.exe
   
5. Press Delete, and then click Yes to confirm.
6. Navigate to and select the following key:
   
   HKEY_LOCAL_MACHINESoftwareClassesScandisk
   
7. This entire subkey has been created by the worm and can be deleted. Insure that you have selected the Scandisk key and that it is highlighted.
8. Press Delete, and then click Yes to confirm.
9. Follow the instructions for your version of Windows
   • Windows NT/2000
     1. Navigate to and select the following key:
        
        HKEY_LOCAL_MACHINESoftwareMicrosoft
        WindowsCurrentVersionRun
        
     2. In the right pane, look for and select the value
        
        regsv   C:WINDOWSegsv.exe
        
     3. Press Delete, and then click Yes to confirm.
   • Windows 9x/ME
     1. Navigate to and select the following key:
        
        HKEY_LOCAL_MACHINESoftwareMicrosoft
        WindowsCurrentVersionRunServices
        
     2. In the right pane, look for and select the value
        
        regsv   C:WINDOWSegsv.exe
        
     3. Press Delete, and then click Yes to confirm.
        
10. Exit the registry editor.