Classification

Category :

Malware

Type :

Worm

Aliases :

Leave, IWorm_Leave, I-Worm.Leave, Worm.Leaveme

Summary

Leave is an Internet worm that spreads to machines already compromised by the SubSeven backdoor (see Technical Details). The worm runs on Win32 systems only. Its functionality is built on a special script language that lets a remote operator manage infected computers. Through these scripts the worm can also download and activate additional components (plugins), so it is able to "upgrade" itself from Internet web sites.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When the main worm component is run, it copies itself to the Windows directory as REGSV.EXE and registers that file under auto-run registry keys. Which keys are used depends on the Windows version (RunServices is honoured only by Win9x; Run exists on both Win9x and WinNT). They look as follows:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  regsv = %windir%\regsv.exe

 HKCU\Software\Mirabilis\ICQ\Agent\Apps
  icqrun = %windir%\regsv.exe

The worm then stays resident as a hidden (service) process in Windows memory and remains active until the next Windows shutdown.

The main worm component contains a text string that is the SubSeven backdoor master password. Using it, the worm can log into remote systems already infected with the SubSeven backdoor and install itself there.

To find victim machines, the worm uses a scanning routine, driven by its scripts (see below), that sweeps the Internet for the IP addresses of remote computers.

The worm's script language is quite powerful. It allows the worm to do the following:

 - download EXE files (worm plugins) from web sites and run them
 - scan IP address ranges by a requested mask
 - connect to IRC servers and execute IRC commands
 - create, move, delete and execute files on the affected computer
 - etc.

The worm downloads its scripts from various web sites, for example:

 http://leavemealoneeeeeeeee.50megs.com
 http://k000001.50megs.com
 http://slinky.50megs.com
 http://h0h0h0.home.dk3.com
 http://h0h0h0.spites.com
 http://love50gb.50megs.com
 http://tonyjameshanks-sux.50megs.com
 http://bababuhtml.50megs.com
 http://zxcvbnm.com

and from several others.

The script commands on those sites are encrypted with a 64-bit block cipher. When the worm fetches a script, it first decrypts it and then follows the script's instructions.

The worm's code also contains a default script (likewise encrypted). That script is dropped to the Windows directory as ACI3.DLL.

When scripts are received, the worm also stores them, still in encrypted form, under the following registry keys:

HKLM\SOFTWARE\Classes\Scandisk\i386\i\
HKLM\SOFTWARE\Classes\Scandisk\i386\s\
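A practical way to check a machine for the registry footprint described above (the auto-run values pointing at regsv.exe and the Scandisk\i386 keys holding encrypted scripts) is to export the relevant hives with reg.exe or Regedit and inspect the text offline. The script below is an added example, not F-Secure's code: it parses a Regedit-style export and reports the worm's indicators. The export it runs on is constructed, and the value name "blob" under the Scandisk key is a placeholder, since the description does not give the real value names.

```python
"""Check a Windows registry export for the Leave worm's registry footprint.

Added example, not F-Secure's code. It reads the text produced by
"reg export" / Regedit and flags (a) auto-run values pointing at
regsv.exe and (b) any key under SOFTWARE\\Classes\\Scandisk\\i386, where
the worm caches its encrypted scripts. The export below is constructed;
"blob" is a placeholder value name (the real names are not published)."""
import re

# Auto-run locations named in the description, lower-cased for comparison
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\mirabilis\icq\agent\apps",
}
WORM_FILE = "regsv.exe"
SCRIPT_KEY_PREFIX = r"hkey_local_machine\software\classes\scandisk\i386"

_KEY_RE = re.compile(r"^\[([^\]]+)\]\s*$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')   # REG_SZ values only


def parse_reg_export(text):
    """Return {key: {value_name: data}} for a Regedit 4/5 export.
    Only REG_SZ ("name"="data") values are parsed; that is all the IOCs need."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _SZ_RE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and quotes inside string data
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def find_leave_iocs(text):
    """Return a list of (key, value_name, data) hits. Comparison is
    case-insensitive because registry paths and file names are."""
    hits = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k in AUTORUN_KEYS:
            for name, data in values.items():
                if data.lower().endswith("\\" + WORM_FILE):
                    hits.append((key, name, data))
        elif k.startswith(SCRIPT_KEY_PREFIX):
            # the key itself is the indicator; report it even if it has no values
            hits.append((key, None, None))
    return hits


# Constructed sample: a Win9x box with one legitimate Run entry plus the worm
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"regsv"="C:\\WINDOWS\\regsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"regsv"="C:\\WINDOWS\\REGSV.EXE"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"icqrun"="C:\\WINDOWS\\regsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scandisk\i386\i]
"blob"="(encrypted script placeholder)"
'''

if __name__ == "__main__":
    for key, name, data in find_leave_iocs(SAMPLE_EXPORT):
        print(key, name, data)
```

On a live system the same check can be run against `reg export HKLM\Software\Microsoft\Windows\CurrentVersion hklm.reg` and the corresponding HKCU and Classes exports. The file-name match is deliberately a suffix match on `\regsv.exe`, because the description gives the path only as %windir%, which expands differently per installation.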

The worm performs a Denial of Service (DoS) attack against the following sites:

 www.hotmail.com
 www.internet.com
 www.netscape.com
 www.lycos.com
 www.aol.com
 www.msn.com
 www.goto.com
 www.excite.com
 www.yahoo.com
 www.altavista.com

In early July 2001 someone sent out a fake Microsoft Security Bulletin. The bulletin contained a download URL crafted to look like a Microsoft address:

 www.microsoft.com@%32%30%37%2E%38%39%2E%31...

In a URL, everything before the "@" in the authority part is user information, not the host name. The real host is the percent-encoded address after the "@"; the escapes shown decode to "207.89.1", the beginning of a dotted IP address. The URL pointed to a fake patch program named cvr58-ms.exe, which was a variant of the Leave worm.
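The following is an added example, not part of the bulletin or of F-Secure's description, showing how a client actually interprets a URL of that shape and how to flag one. The lure address it uses is constructed (192.0.2.1 is a documentation address); the real lure's host is not given in full above.

```python
"""Dissect a lure URL of the "www.microsoft.com@<encoded host>" form.

Added example, not from the bulletin or from F-Secure. The URL below is
constructed (192.0.2.1 is a documentation address); the real lure's host
was not published in full in the description."""
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed stand-in for the July 2001 lure
LURE = "http://www.microsoft.com@%31%39%32%2E%30%2E%32%2E%31/cvr58-ms.exe"


def dissect(url):
    """Split a URL the way a client does: per RFC 3986 the text before '@'
    in the authority is userinfo, and only what follows it is the host."""
    parts = urlsplit(url)
    return {
        "decoy": parts.username or "",           # what the victim reads
        "host": unquote(parts.hostname or ""),   # where the request really goes
        "path": parts.path,
    }


def is_decoy_url(url):
    """Heuristic: userinfo that looks like a domain, a host hidden behind
    percent-escapes, or a bare IP host all mark a lure of this kind."""
    parts = urlsplit(url)
    if not parts.username:
        return False
    raw_host = parts.hostname or ""
    host = unquote(raw_host)
    try:
        ipaddress.ip_address(host)
        bare_ip = True
    except ValueError:
        bare_ip = False
    return "." in parts.username or "%" in raw_host or bare_ip


if __name__ == "__main__":
    d = dissect(LURE)
    print("looks like:", d["decoy"])
    print("actually fetches from:", d["host"], "path", d["path"])
    print("flagged:", is_decoy_url(LURE))
```

The same dissection applies to mail-gateway or proxy filtering: compare the decoded host, never the text before the "@". This trick is also why current browsers warn on, or drop, userinfo in navigation URLs.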