Falling leaves turn to worms

There's another dangerous germ in cyber town. I foresee a rash of infections in India within a 10-14 day period. We are like that; always.

The W32/Leave.worm has three components: BIN.DLL (22528 bytes), REGISTRY.DLL (54272 bytes) and a .EXE file (76800 bytes) with a random filename. All three have been packed using the UPX packer, an open-source, extendable, high-performance executable packer which achieves an excellent compression ratio and very fast decompression. It is also a much-loved tool of Trojan developers.

Running the EXE portion of the worm causes it to copy itself to \WINDOWS\regsv.exe. It also creates \WINDOWS\acI3.dll, which contains encrypted data. This example uses "\WINDOWS\", but the actual folder name depends on the directory in which Windows is installed. The worm then creates two registry values that point at its copy:

HKU\.Default\Software\Mirabilis\ICQ\Agent\Apps\icqrun = "C:\WINDOWS\regsv.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\regsv = "C:\WINDOWS\regsv.exe"

It also creates registry keys with several subkeys that appear to be encrypted:

HKLM\SOFTWARE\Classes\Scandisk\i386\i\
HKLM\SOFTWARE\Classes\Scandisk\i386\s\

What makes the Leave.worm EXE so dangerous is that it's actually a cover for the destructive Subseven Trojan. Leave includes the latter's master password. It can contact both time and IRC servers, and download files over the web. The REGISTRY.DLL also contains a mailing routine to help spread the worm!
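As an added example that is not part of this column, the following Python script checks a regedit .reg export for the indicators just listed: the autostart values under the ICQ Apps key and the Run key, the Scandisk\i386 keys, and any value whose data points at regsv.exe or the aci3/aci32 DLL. It assumes icqrun and regsv are value names (not subkeys) and runs over a constructed export rather than a live registry.

```python
import re

# Indicators taken from the article: the two autostart values, the keys holding
# encrypted data, and the dropped file names. Key paths are compared lower-cased.
SUSPECT_VALUES = {
    r"hkey_users\.default\software\mirabilis\icq\agent\apps": "icqrun",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": "regsv",
}
SUSPECT_KEYS = (
    r"hkey_local_machine\software\classes\scandisk\i386\i",
    r"hkey_local_machine\software\classes\scandisk\i386\s",
)
SUSPECT_FILES = ("regsv.exe", "aci3.dll", "aci32.dll")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "name"=data lines of a .reg file

def scan_reg_export(text):
    """Return (kind, location) findings from the text of a regedit .reg export."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\").lower()
            if key in SUSPECT_KEYS:
                findings.append(("key", key))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1).lower(), m.group(2).lower()
        if SUSPECT_VALUES.get(key) == name:
            findings.append(("autostart", key + "\\" + name))
        elif any(f in data for f in SUSPECT_FILES):
            # A value registered under another name but pointing at the dropped files.
            findings.append(("file-ref", key + "\\" + name))
    return findings

# Constructed sample export: one benign Run entry plus entries matching the indicators.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"regsv"="C:\\WINDOWS\\regsv.exe"
[HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps]
"icqrun"="C:\\WINDOWS\\regsv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scandisk\i386\i]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\aci3.dll,Start"
'''

if __name__ == "__main__":
    for kind, where in scan_reg_export(SAMPLE_EXPORT):
        print(kind, where)
```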
This worm affects Win 9x/ME users and alters the system to run itself when any of these files are executed: \Outlook Express\Wab.Exe, Setup50.Exe, Wabmig.Exe or Msimn.Exe; \Mediaring Talk 99\Talk99.Exe; \Napster\Napster.Exe; \Messenger\Msmsgs.Exe; \Internet Explorer\Connection Wizard\Icwconn1.Exe; %Windows%\System\Restore\Rstrui.Exe; %Windows%\Defrag.Exe, Bot, Sndvol32.Exe, Calc.Exe, Kodakimg.Exe, Cleanmgr.Exe, Scandskw.Exe, Ipconfig.Exe, Wupdmgr.Exe, Regedit.Exe, Rundll.Exe, Sysmon.Exe, Taskmon.Exe, Notepad.Exe, Control.Exe; \Accessories\Mspaint.Exe or Wordpad.Exe.

The worm listens on port 113. If you can find ACI32.DLL or any of the files mentioned above, the chances of your PC being infected are high. The worm scans systems for the Subseven/BackDoor-G Trojan and only launches itself if it finds this Trojan. Do note that Regsv.exe is a Windows system file; the virus overwrites it with its own infected version.

To remove the virus, delete the listed registry keys as well as the listed files. Win ME users need to disable the System Restore utility first, because the system may be storing a protected copy of the Trojan in its database. To disable System Restore, right-click My Computer and select Performance | File System | Troubleshooting. Tick the "Disable System Restore" check box and click Apply. Then click Close twice, after which you are prompted to restart your PC. Now restart in Safe Mode and use your antivirus program to scan specifically the files in the C:\_Restore folder. Remove any infected files, then restart the PC. To re-enable System Restore, clear the "Disable System Restore" check box.

Govind Menon