Worm.Win32.Leav Viruses Information
Name: Worm.Win32.Leav
Category: Viruses
Description:
Details
Worm.Win32.Leave
This is an Internet worm that spreads through vulnerable machines. The worm works under Win32 systems only. Its functionality is based on a special script language that allows a remote host to manage infected machines. Through these scripts the worm can also download and activate additional components (plugins), so it is able to "upgrade" itself from Internet Web sites.
When a main worm component is run, it copies itself to the Windows directory with the REGSV.EXE name and registers that file in the auto-run registry keys. These keys depend on the Windows version (Win9x or WinNT) and appear as follows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
regsv = %windir%\regsv.exe
HKCU\Software\Mirabilis\ICQ\Agent\Apps
icqrun = %windir%\regsv.exe
The worm then stays as a hidden (service) process in Windows memory and is active until the next Windows shutdown.
Spreading
The main worm component contains a text string that is a SubSeven backdoor master password. The worm may therefore attack remote machines already infected by the SubSeven backdoor and install itself there.
To obtain victim-machine addresses, the worm uses a sniffing (scanning) routine that follows scripts (see below) and scans the Internet for IP addresses of remote machines.
Script Language
The worm script language is quite powerful. It allows the worm to do the following:
download from Web sites and spawn other EXE files (worm plugins)
scan IP addresses by requested mask
connect to IRC servers and execute IRC commands
create, move, delete, execute files on an infected machine
etc.
The worm downloads the scripts from a number of different Web sites.
The script commands are encrypted with a 64-bit block cipher. When the worm obtains a script, it first decrypts it and then follows the script instructions.
The worm also contains in its code a default script (that is also encrypted). That script is dropped to the Windows directory with the ACI3.DLL name.
When scripts are received, the worm also stores them in encrypted form in the following Registry keys:
HKLM\SOFTWARE\Classes\Scandisk\i386\i
HKLM\SOFTWARE\Classes\Scandisk\i386\s
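The persistence and script-storage artefacts above (the Run/RunServices and ICQ Agent Apps values pointing at %windir%\regsv.exe, and the Scandisk\i386 keys holding encrypted scripts) can be checked against a parsed registry snapshot. The following is an added detection example, not part of the original description; the registry snapshot is constructed for illustration, and `find_leave_indicators` is a hypothetical helper name.

```python
from typing import Dict, List

# Autorun locations named in the description (Win9x and WinNT variants) plus the
# ICQ "Agent Apps" key the worm abuses. Matching is case-insensitive, like the registry.
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Mirabilis\ICQ\Agent\Apps",
)
# Keys in which the worm stores its encrypted scripts.
SCRIPT_KEYS = (
    r"HKLM\SOFTWARE\Classes\Scandisk\i386\i",
    r"HKLM\SOFTWARE\Classes\Scandisk\i386\s",
)
DROPPED_FILE = "regsv.exe"  # name of the worm copy in the Windows directory


def _norm(path: str) -> str:
    """Lower-case and strip quotes/whitespace/trailing backslashes for comparison."""
    return path.strip().strip('"').strip("\\").lower()


def find_leave_indicators(registry: Dict[str, Dict[str, str]], windir: str) -> List[str]:
    """Report autorun values launching %windir%\\regsv.exe and populated script keys.

    `registry` maps a key path to its {value name: data} pairs (e.g. a parsed .reg
    export); `windir` is the Windows directory used to expand %windir% in data.
    """
    findings: List[str] = []
    wanted_autorun = {_norm(k) for k in AUTORUN_KEYS}
    wanted_script = {_norm(k) for k in SCRIPT_KEYS}
    for key, values in registry.items():
        nkey = _norm(key)
        if nkey in wanted_autorun:
            for name, data in values.items():
                # Expand %windir% so "%windir%\regsv.exe" and a literal path compare equal.
                target = _norm(data.lower().replace("%windir%", windir.lower()))
                if target.endswith("\\" + DROPPED_FILE):
                    findings.append(f"autorun {key}\\{name} -> {data}")
        elif nkey in wanted_script and values:
            findings.append(f"encrypted script data stored under {key}")
    return findings


# Constructed sample snapshot: two worm autorun entries, one benign entry, one script key.
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "regsv": r"%windir%\regsv.exe",
        "SystemTray": "SysTray.Exe",
    },
    r"HKCU\Software\Mirabilis\ICQ\Agent\Apps": {"icqrun": r"C:\WINDOWS\regsv.exe"},
    r"HKLM\SOFTWARE\Classes\Scandisk\i386\i": {"": "PLACEHOLDER-ENCRYPTED-BLOB"},
    r"HKLM\SOFTWARE\Classes\Scandisk\i386\s": {},
}

if __name__ == "__main__":
    for line in find_leave_indicators(SAMPLE_REGISTRY, r"C:\WINDOWS"):
        print(line)
```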
DoS Attack
The worm performs a Denial of Service (DoS) attack against a fixed list of Web sites.