W32/Levona-B is a mass-mailing worm and backdoor Trojan for the Windows platform.
W32/Levona-B spreads to other network computers.
W32/Levona-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
When first run, W32/Levona-B copies itself to:
<Common Files>\Renova.exe
<Windows>\regedit.exe
<Windows>\Mstry.exe
<System>\msconfig.exe
<System>\Alisa.exe
<System>\Emma.exe
<System>\Nova.exe
<System>\regedit.exe
The worm will search for logical drives on the computer. If any are found, W32/Levona-B will copy itself as New Folder.exe. The worm also searches the logical drives for DOC files and will copy itself as <document name>.doc.
W32/Levona-B includes the functionality to disable or minimize many applications by searching for certain words or phrases in the Windows title bar, including the following security-related ones:
ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER
The following registry entries are created to run Renova.exe and Nova.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<Common Files>\Renova.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
Nova.exe
The following registry entries are changed to run Renova.exe and Mstry.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msrun.exe
Debugger
<Windows>\Mstry.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<Common Files>\Renova.exe"
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "<Common Files>\Renova.exe"
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The following registry entries are set, disabling the registry editor (regedit), the Windows task manager (taskmgr) and system restore:
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisabletaskMgr
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
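As an added triage check (not Sophos tooling and not the worm's own code), the Python script below audits the persistence points listed above: Winlogon Shell and Userinit against their documented defaults, the IFEO Debugger value for Msrun.exe, and the policy flags that disable regedit, Task Manager and System Restore. audit_persistence works on any snapshot dict; read_live_snapshot fills one from the local registry with winreg on Windows; the SAMPLE snapshot is constructed, and its <Common Files> and <Windows> paths are assumed.

```python
from contextlib import suppress
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO_MSRUN = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msrun.exe"
SYSTEM_POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SR_POL = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
POLICY_FLAGS = ((SYSTEM_POL, "DisableRegistryTools"), (SYSTEM_POL, "DisableTaskMgr"),
                (SR_POL, "DisableConfig"), (SR_POL, "DisableSR"))
CHECKED_KEYS = (WINLOGON, IFEO_MSRUN, SYSTEM_POL, SR_POL)

def audit_persistence(snapshot):
    """snapshot: {(key_path, value_name): data}. Returns human-readable findings."""
    snap = {(k.lower(), n.lower()): d for (k, n), d in snapshot.items()}  # registry names are case-insensitive
    get = lambda key, name: snap.get((key.lower(), name.lower()))
    findings = []
    # Winlogon\Shell must be exactly "explorer.exe"; the worm appends its own executable.
    shell = get(WINLOGON, "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked: {shell!r}")
    # Winlogon\Userinit must be one entry ending in \system32\userinit.exe, whatever <Windows> is.
    userinit = get(WINLOGON, "Userinit")
    if userinit is not None:
        parts = [p.strip().lower() for p in userinit.split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].endswith(r"\system32\userinit.exe"):
            findings.append(f"Winlogon Userinit hijacked: {userinit!r}")
    # Any Debugger value under IFEO\Msrun.exe redirects that program to another binary.
    if get(IFEO_MSRUN, "Debugger") is not None:
        findings.append(f"IFEO Debugger set for Msrun.exe: {get(IFEO_MSRUN, 'Debugger')!r}")
    # Policy flags the worm sets to 1 (regedit, Task Manager and System Restore disabled).
    findings += [f"{k}\\{n} = 1" for k, n in POLICY_FLAGS if get(k, n) == 1]
    return findings

def read_live_snapshot():
    import winreg  # Windows only: collects every value under CHECKED_KEYS
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for key in CHECKED_KEYS:
        hive, _, sub = key.partition("\\")
        with suppress(OSError), winreg.OpenKey(hives[hive], sub) as h:  # absent key: nothing to report
            for i in range(winreg.QueryInfoKey(h)[1]):  # [1] is the number of values
                name, data, _ = winreg.EnumValue(h, i)
                snapshot[(key, name)] = data
    return snapshot

SAMPLE = {  # constructed snapshot reproducing the documented worm settings, not from a real host
    (WINLOGON, "Shell"): r'explorer.exe "C:\Program Files\Common Files\Renova.exe"',
    (WINLOGON, "Userinit"): r'explorer.exe "C:\Program Files\Common Files\Renova.exe"',
    (IFEO_MSRUN, "Debugger"): r"C:\Windows\Mstry.exe",
    (SYSTEM_POL, "DisabletaskMgr"): 1,  # casing as written on the page; lookups ignore case
}
```

On a Windows host, `audit_persistence(read_live_snapshot())` reports the same four classes of finding against the live registry.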
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion
RegisteredOrganization
XENOVA
HKCU\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner
RENOVA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0
HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization
XENOVA
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
RENOVA
Registry entries are created under:
HKCU\Identities\(D5A9171C-33E5-45AA-8DA6-0CA3468699C7)\Software\Microsoft\Outlook Express\5.0\Mail\