Worm.Win32.Leave

tag: Internet Worms


This is an Internet worm that spreads to vulnerable machines. It runs on Win32 systems only. The worm's functionality is driven by a special script language that lets a remote host control infected machines. Through such scripts the worm can also download and activate additional components (plugins), and so "upgrade" itself from Internet Web sites.

When the main worm component is run, it copies itself to the Windows directory as REGSV.EXE and registers that file in the auto-run registry keys. Which keys are used depends on the Windows version (Win9x or WinNT); they appear as follows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
regsv = %windir%\regsv.exe

HKCU\Software\Mirabilis\ICQ\Agent\Apps
icqrun = %windir%\regsv.exe

The worm then stays resident in memory as a hidden (service) process and remains active until the next Windows shutdown.

Spreading

The main worm component contains a text string that is the SubSeven backdoor master password. The worm can therefore attack remote machines already infected with the SubSeven backdoor and install itself on them.

To obtain victim addresses, the worm uses a scanning routine, driven by the scripts (see below), that sweeps Internet IP address ranges looking for remote machines.

Script Language

The worm's script language is quite powerful. It allows the worm to:

  • download from Web sites and spawn other EXE files (worm plugins)
  • scan IP addresses by requested mask
  • connect to IRC servers and execute IRC commands
  • create, move, delete, execute files on an infected machine
  • etc.

The worm downloads its scripts from various Web sites, for example:

http://leavemealoneeeeeeeee.50megs.com
http://k000001.50megs.com
http://slinky.50megs.com
http://h0h0h0.home.dk3.com
http://h0h0h0.spites.com
http://love50gb.50megs.com
http://tonyjameshanks-sux.50megs.com
http://bababuhtml.50megs.com
http://zxcvbnm.com

and others.

The script commands stored there are encrypted with a 64-bit block cipher. When the worm obtains a script, it first decrypts it and then follows the script's instructions.

The worm also carries a default script in its code (likewise encrypted). That script is dropped to the Windows directory as ACI3.DLL.

When scripts are received, the worm also stores them, still in encrypted form, under the following Registry keys:

HKLM\SOFTWARE\Classes\Scandisk\i386\i\
HKLM\SOFTWARE\Classes\Scandisk\i386\s\
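
The persistence entries above (the Run / RunServices / ICQ Agent values pointing at REGSV.EXE, the dropped ACI3.DLL, and the Scandisk\i386 keys used as encrypted script storage) are the host-side indicators an analyst would check for. The following is an added triage example, not code from the original entry or from the worm: it parses a regedit-style .reg export and a Windows-directory file listing and reports which Leave indicators are present. Both inputs are constructed sample data; the %windir% path, the value data and the hex blobs under the Scandisk keys are assumptions for illustration.

```python
from typing import Dict, List

# Indicators taken from the description of Worm.Win32.Leave.
# Registry paths are compared case-insensitively; value data is matched on the
# executable's file name only, because %windir% expands differently per host.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps",
)
SCRIPT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scandisk\i386\i",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scandisk\i386\s",
)
DROPPED_FILES = ("regsv.exe", "aci3.dll")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Windows .reg export into {key_path: {value_name: data}}.

    Handles the REGEDIT4 / 'Windows Registry Editor' header, [key] sections,
    "name"="data" string values (with the \\\\ escaping regedit uses) and
    @=... default values. Non-string data (hex:, dword:) is kept as raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip()
        name = "(Default)" if name == "@" else name.strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")  # undo regedit's backslash doubling
        keys[current][name] = data
    return keys


def find_leave_indicators(reg: Dict[str, Dict[str, str]], windir_files: List[str]) -> List[str]:
    """Return one human-readable line per Leave indicator found.

    - an autorun value (Run, RunServices or ICQ Agent\\Apps) whose data names regsv.exe
    - any Scandisk\\i386\\i or \\s key existing at all (the worm creates them to hold scripts)
    - regsv.exe or aci3.dll present in the Windows directory listing
    """
    hits: List[str] = []
    lowered = {k.lower(): v for k, v in reg.items()}
    for key in RUN_KEYS:
        for name, data in lowered.get(key.lower(), {}).items():
            if data.lower().replace("/", "\\").split("\\")[-1] == "regsv.exe":
                hits.append(f"autorun value {name} under {key} -> {data}")
    for key in SCRIPT_KEYS:
        for present in lowered:
            if present == key.lower() or present.startswith(key.lower() + "\\"):
                hits.append(f"encrypted script storage key present: {present}")
    for path in windir_files:
        if path.lower().split("\\")[-1] in DROPPED_FILES:
            hits.append(f"dropped file in Windows directory: {path}")
    return hits


# Constructed sample input: what an infected Win9x host's export might look like.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"regsv"="C:\\WINDOWS\\regsv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"regsv"="C:\\WINDOWS\\regsv.exe"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"icqrun"="C:\\WINDOWS\\regsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scandisk\i386\i]
@=hex:3a,91,5e,c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scandisk\i386\s]
@=hex:7f,02,aa,13
'''

# Constructed directory listing (assumed %windir% = C:\WINDOWS).
SAMPLE_WINDIR_LISTING = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\regsv.exe", r"C:\WINDOWS\ACI3.DLL"]

if __name__ == "__main__":
    for hit in find_leave_indicators(parse_reg_export(SAMPLE_REG_EXPORT), SAMPLE_WINDIR_LISTING):
        print(hit)
```

On a live host the export would come from `regedit /e` (or `reg export`) and the listing from `dir %windir%`; matching on the file name rather than the full path keeps the check valid across Win9x and WinNT installations, where the Windows directory differs.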

DoS Attack

The worm performs a DoS (Denial of Service) attack against the following sites:

www.hotmail.com
www.internet.com
www.netscape.com
www.lycos.com
www.aol.com
www.msn.com
www.goto.com
www.excite.com
www.yahoo.com
www.altavista.com

©Virus-Encyclopedia.com All Rights Reserved.