W32/Levona-A is a worm for the Windows platform.
W32/Levona-A spreads to network shares and removable drives.
W32/Levona-A includes the functionality to disable or minimize many applications.
When first run W32/Levona-A copies itself to:
<Common Files>\Renova.exe
<System>\Alisa.exe
<System>\Emma.exe
<System>\Nova.exe
The worm will search for logical drives on the computer. If any are found, W32/Levona-A will copy itself as New Folder.exe. The worm also searches the logical drives for DOC files and will copy itself as <document name>.doc.
W32/Levona-A includes the functionality to disable or minimize many applications by searching window title bars for certain words or phrases, including the following security-related ones:
ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER
The following registry entries are created to run Renova.exe and Nova.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<Common Files>\Renova.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
Nova.exe
The following registry entries are changed to run Renova.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<Common Files>\Renova.exe"
(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "<Common Files>\Renova.exe"
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The following registry entries are set, disabling system restore:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0
HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
<Common Files>\Renova.exe
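As an added example (not part of the original description), the following Python script checks a file written by `reg export` for the Winlogon, Run, System Restore and SafeBoot changes listed above. The sample export is constructed from those entries, and treating cmd.exe as the normal AlternateShell value is an assumption not stated on this page.

```python
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
SYSRESTORE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
DROPPED = ("renova.exe", "nova.exe", "alisa.exe", "emma.exe")  # file names the worm drops (see above)

def parse_reg(text):
    """Parse the .reg subset written by `reg export`: [key] headers, "name"="string" and "name"=dword:hex lines."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                entries[(key, name)] = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes as \\ and quotes as \" inside string data
                entries[(key, name)] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return entries

def find_indicators(entries):
    """Compare parsed values against the defaults and worm settings described above."""
    hits = []
    for (key, name), data in entries.items():
        k, n = key.lower(), name.lower()
        s = data.lower() if isinstance(data, str) else ""
        if k == WINLOGON.lower() and n == "shell" and s != "explorer.exe":
            hits.append(f"Winlogon Shell is not the default: {data}")
        elif k == WINLOGON.lower() and n == "userinit" and not s.endswith("\\system32\\userinit.exe,"):
            hits.append(f"Winlogon Userinit is not the default: {data}")
        elif k == SAFEBOOT.lower() and n == "alternateshell" and s != "cmd.exe":
            hits.append(f"SafeBoot AlternateShell replaced: {data}")  # cmd.exe assumed as the Windows default
        elif k.endswith("\\currentversion\\run") and any(f in s for f in DROPPED):
            hits.append(f"Run value '{name}' starts a dropped file: {data}")
        elif k == SYSRESTORE.lower() and n in ("disablesr", "disableconfig") and data == 1:
            hits.append(f"System Restore disabled via {name}")
    return hits

# Constructed sample export modelled on the entries listed above (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\Program Files\\Common Files\\Renova.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Renova"="Nova.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
'''
```

Running `find_indicators(parse_reg(SAMPLE_REG))` on the sample reports the changed Shell value, the Run entry starting Nova.exe and the disabled System Restore, while the unchanged Userinit and AlternateShell values produce no finding.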