Related Links

F-Secure description
Microsoft report

Leave Worm
Aliases: W32.Leave, IWorm_Leave, I-Worm.Leave, Worm.Leaveme

According to reports from F-Secure, Leave exhibits the following characteristics:

Type: Internet Worm
Systems Affected: Windows 32-bit systems
Payload: Allows remote host to manage infected computers. Can move, delete, download, and copy files on the affected machine.
ITW: Yes
Origin:
Description: The Leave worm is based on a special script language that allows the remote host to manage infected computers. Via these script programs, the worm is also able to download and activate further components (plugins). As a result, the worm is able to "upgrade" itself from Internet Web sites.

When the main worm component is run, it copies itself to the Windows directory under the name REGSV.EXE and registers the value "regsv = %windir%\regsv.exe" as follows:

Win9x/ME:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Windows NT/2000:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

The worm also modifies the following registry key:

HKCU\Software\Mirabilis\ICQ\Agent\Apps
to add the value "icqrun = %windir%\regsv.exe"

The worm then stays as a hidden (service) process in Windows memory and is active until the next Windows shutdown.

The main worm component contains a text string that is the SubSeven backdoor master password, so the worm may attack remote systems already infected with the SubSeven backdoor and install itself there. To obtain the addresses of victims' machines, the worm uses a sniffing (scanning) routine that follows scripts (see below) and scans the Internet for IP addresses of remote computers.

The worm's script language is quite powerful. It allows the worm to do the following:

 - download from Web sites and run EXE files (worm plugins)
 - scan IP addresses by requested mask
 - connect to IRC servers and execute IRC commands
 - create, move, delete, execute files on the affected computer

The scripts are downloaded by the Leave worm from different Web sites. (Known sites have been shut down by authorities.) The Leave worm launches DoS (Denial of Service) attacks from the infected system(s) against the following sites:

www.hotmail.com
www.internet.com
www.netscape.com
www.lycos.com
www.aol.com
www.msn.com
www.goto.com
www.excite.com
www.yahoo.com
www.altavista.com

In early July 2001 someone sent out a fake Microsoft® Security Bulletin. That bulletin contained a Microsoft-looking download URL:

www.microsoft.com@%32%30%37%2E%38%39%2E%31...

The URL pointed to a fake patch program named cvr58-ms.exe, which was a variant of the Leave worm. In mid-July, a second fake Microsoft® Security Bulletin was discovered in distribution. Again, a misleading link was provided, this time pointing to a file named ms_v275657_x86_en.exe. In both cases, the bogus warnings advised users to download and run the file - those who did so would then be infected with the Leave worm (or a variant).
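To show how a link of this shape hides its destination, here is an added Python example (not part of the original page or of any vendor's tooling): everything before the "@" is URL userinfo, not the host, and the real host is the percent-encoded text after it. The sample URL is constructed and points at a documentation-range address, not the address in the bulletin.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the bulletin's link shape; the host is the
# documentation-range address 192.0.2.10, percent-encoded byte by byte.
SAMPLE_URL = "http://www.microsoft.com@%31%39%32%2E%30%2E%32%2E%31%30/cvr58-ms.exe"


def split_authority(url: str) -> dict:
    """Split the authority of `url` into what the reader sees before '@'
    (userinfo), the raw host after it, and that host with encoding removed.
    In URL syntax everything before '@' is a username; the real host is
    only what follows it.  IPv6 literals are not handled here."""
    if "://" not in url:
        url = "http://" + url          # urlsplit only finds netloc after a scheme
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    raw_host = hostport.split(":")[0]  # drop an optional :port
    return {
        "userinfo": unquote(userinfo) if at else "",
        "raw_host": raw_host,
        "real_host": unquote(raw_host).lower(),
        "path": unquote(parts.path),
    }


def deception_reasons(url: str) -> list:
    """Return the reasons a URL looks like it is disguising its destination.
    An empty list means nothing suspicious was found."""
    auth = split_authority(url)
    reasons = []
    # Userinfo that looks like a hostname is the 'trusted-site@attacker' trick.
    if "." in auth["userinfo"] and auth["userinfo"] != auth["real_host"]:
        reasons.append(f"userinfo '{auth['userinfo']}' masquerades as a host; "
                       f"real host is '{auth['real_host']}'")
    # A legitimate hostname never needs percent-encoding.
    if "%" in auth["raw_host"]:
        reasons.append("host is percent-encoded")
    return reasons


if __name__ == "__main__":
    print(split_authority(SAMPLE_URL))
    for reason in deception_reasons(SAMPLE_URL):
        print("suspicious:", reason)
```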
