W32/Leave.worm.gen

Content

W32/Leave.worm.gen

Type: Virus
SubType: Internet Worm
Discovery Date: 06/22/2001
Length: Varies
Minimum DAT: 4145 (06/27/2001)
Updated DAT: 4241 (01/08/2003)
Minimum Engine: 5.1.00
Description Added: 06/23/2001
Description Modified: 09/21/2001 12:53 PM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

-- UPDATE July 17, 2001 --
A new variant of this worm, often using the filename, ms_v275657_x86_en.exe, was included in the 4148 DATs (released July 18).

There are three known components to this worm. BIN.DLL (22528 bytes) REGISTRY.DLL (54272 bytes) and an EXE (76800 bytes) which can have different names. All of these are packed with the UPX packer program.

When the EXE file is run, it copies itself to c:\WINDOWS\regsv.exe and creates a file called c:\WINDOWS\acI3.dll which contains what appears to be encrypted data. Note that though "c:\WINDOWS\" is used in this description, the directory may vary depending on what directory Windows was installed in.

It then creates the registry keys/valuse:

HKU\.Default\Software\Mirabilis\ICQ\Agent\Apps\icqrun="C:\WINDOWS\regsv.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run\regsv="C:\WINDOWS\regsv.exe"

The following registry keys are created (which contain several subkeys which seem to be more encrypted data):

HKLM\SOFTWARE\Classes\Scandisk\i386\i\
HKLM\SOFTWARE\Classes\Scandisk\i386\s\

The EXE file also contains the master password to Subseven which it uses to infect other computers by running a portscan on multiple subnets, attempting to connect to TCP/IP port 27374. Once successfully connected to a Sub7 server, the worm files are copied to the remote system.

It also contains code to contact time servers and IRC servers, as well as download files over the web. Registry.dll also contains a mailing routine.

More recent variants of this worm also mail a bogus Microsoft Security Bulletin. Below is the actual mail message that is sent:

From: secnotif@MICROSOFT.COM
Subject:Microsoft Security Bulletin MS01-039
Message:

The following is a Security  Bulletin from the Microsoft Product Security Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended mailbox.
********************************

- ----------------------------------------------------------------------
Title:      Vulnerability in Windows systems allowing an upload of a serious
virus.
Date:       10 July 2001
Software:   Windows 2000
Impact:     Privilege Elevation
Bulletin:   MS01-039

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-039.asp
- ----------------------------------------------------------------------

Yesterday the internet has seen one of the first of it's downfalls. A virus (no name assigned yet) has been released. One with the complexity to destroy data like none seen before.

Systems affected:
=================
Microsoft Windows 95
Microsoft Windows 95b
Microsoft Windows 98
Microsoft Windows 98/SE
Microsoft Windows NT Enterprise
Microsoft Windows NT Workstation
Microsoft Windows Millenium Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Service packs up to Service Pack 6 for Windows NT 3/4 Systems.
Service pack 1 and 2 for windows 2000.

Issue:
======
Officials say this virus is unique in many ways. It spreads via new forms, such as using a new vulnerability in Windows 98 allowing already infected computers to upload (send files) to non-infected computers, this means that you do not have to download or visit a site to be infected with the virus. The infected computers are programmed to scan for computers running Windows 9x, and Windows 2000 and uploading the virus.

-What the virus does:

The virus itself is a threat to normal users aswell as businesses. Cooper from microsoft said "This virus has the ability to wipe out most of the internet users and the chances are it will, the risk is high, patches must be installed to affected systems." The virus itself is made for one reason and one reason only, to reproduce, destroy documents, delete mp3 files, movie files, infect .exe files, this virus also has a unique feature that destroys the BIOS (Basic Input Output System), which means ones that are infected would need to purchase a new otherboard.

Patch Availability:
===================
Visit
http://www.microsoft.com@[... url removed as it points to the worm itself] to download the patch named ms_v275657_x86_en.exe. Download and run the file.

Acknowledgment:
===============
- Jon McDonald (http://www.entrigue.net)
- Russ Cooper (http://www.ntbugtraq.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOzfaRo0ZSRQxA/UrAQE22gf/W+GD69o8ARA8tPFFJ1hEEa+ISUCqzsad
KCozn4q15zGvZZnM4INxaiD5tPZKkJWIyx8+w5V4AdgTJDLF2YW8ADdk7Dpt1gk9
bOMkr9ipsX5qP5eD3c2cOj+kIQUKQ4Ql5UOW2l6HvrRZUXHyL9sHPpK1+1vwej2z
E9/x0VTDDKu3uc3KTHFFTVbgIfibT4z3zcZUDC0omH8oU+3eNjYwn343ATd+LXMx
Hpsrhrq/gvZc98FYEOW0Re9kHoGuLkDWqdtz63xOxziHjliASPpxsxmJ71bAx0v4
bVuQYQQ+AZklgYwzYDkCfciTfOjjRvi82whlzMDur/t6UtwW3Fe1Zg==
=QExj
-----END PGP SIGNATURE-----

*******************************************************************
You have received  this e-mail bulletin as a result  of your registration to  the   Microsoft  Product  Security  Notification   Service.  You  may unsubscribe from this e-mail notification  service at any time by sending an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service please  visit  http://www.microsoft.com/technet/security/notify.asp.  For security-related information  about Microsoft products, please  visit the Microsoft Security Advisor web site at http://www.microsoft.com/security

Symptoms

Presence of ACI3.DLL or regsv.exe

Method of Infection

This worm scans systems for the presence of the Subseven/BackDoor-G trojan and infects them if found.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -