W32/Leave-A

Category: Viruses and Spyware
Protection available since: 26 Jun 2001 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 26 Jun 2001 00:00:00 (GMT)
Prevalence: No Reports


W32/Leave-A is a worm that affects machines already infected with the Troj/Sub7 backdoor server program.

When the worm is run, it copies itself into the Windows system directory with the filename REGSV.EXE. Depending on the operating system version, the worm creates one of the following registry keys so that REGSV.EXE is run when Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

or

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
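
A triage check for the persistence described above, as an added example that is not part of the original description: it parses saved `reg query` output for the two keys and flags autorun values that launch REGSV.EXE by exact file name, so the legitimate REGSVR32.EXE is not flagged. The value names and paths in the sample are constructed.

```python
import re

# Autostart keys named in the description above.
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
DROPPED_NAME = "REGSV.EXE"
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Match REGSV.EXE only as a whole file name, so REGSVR32.EXE does not hit.
NAME_HIT = re.compile(r"(?<![\w.-])" + re.escape(DROPPED_NAME) + r"(?![\w.-])", re.I)

def normalise_key(line):
    """Map HKEY_LOCAL_MACHINE\\... to the HKLM\\... form used on this page."""
    line = line.strip()
    if line.upper().startswith("HKEY_LOCAL_MACHINE\\"):
        return "HKLM" + line[len("HKEY_LOCAL_MACHINE"):]
    return line

def find_leave_autoruns(reg_query_text):
    """Return (key, value_name, data) for autorun values that launch REGSV.EXE."""
    watched = {k.lower() for k in AUTORUN_KEYS}
    hits, current_key = [], None
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m is None:
            if line.strip():          # a non-value, non-blank line is a key header
                current_key = normalise_key(line)
            continue
        if current_key and current_key.lower() in watched and NAME_HIT.search(m["data"]):
            hits.append((current_key, m["name"], m["data"]))
    return hits

# Constructed sample of `reg query` output; value names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    ComHelper    REG_SZ    C:\WINDOWS\SYSTEM\regsvr32.exe /s helper.dll
    ExampleValue    REG_SZ    C:\WINDOWS\SYSTEM\regsv.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Example Value Two    REG_SZ    "C:\WINDOWS\SYSTEM\REGSV.EXE"
HKEY_LOCAL_MACHINE\Software\Example\Other
    Note    REG_SZ    regsv.exe
"""

if __name__ == "__main__":
    print(*find_leave_autoruns(SAMPLE), sep="\n")
```

A hit only shows that an autorun value points at a file named REGSV.EXE; confirm with an up-to-date scanner before removing anything.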

The worm attempts to find out if the infected computer is online by checking for the presence of well-known domains such as altavista.com or yahoo.com. If it finds one of these domains, the worm attempts to download a few HTML files from URLs that were presumably set up by the virus writer.

The worm has at least three components: REGSV.EXE, REGISTRY.DLL and BIN.DLL. BIN.DLL is used to infect several programs that are part of the standard Windows installation, such as CALC.EXE or REGEDIT.EXE. REGISTRY.DLL contains an SMTP engine which could be used for sending email messages.
