Antivirus and Security Software from Sophos

W32/Levona-B

Aliases
  • Email-Worm.Win32.Levona.a
  • W32/Avon@MM
Type: virus

Summary

How it spreads
  • Email attachments
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since 13 November 2006 05:09:41 (GMT)
Detected by: All Sophos products

More Information

W32/Levona-B is a mass-mailing worm and backdoor Trojan for the Windows platform.

W32/Levona-B spreads to other network computers.

W32/Levona-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

When first run W32/Levona-B copies itself to:

<Common Files>\Renova.exe
<Windows>\regedit.exe
<Windows>\Mstry.exe
<System>\msconfig.exe
<System>\Alisa.exe
<System>\Emma.exe
<System>\Nova.exe
<System>\regedit.exe

The worm will search for logical drives on the computer. If any are found, W32/Levona-B will copy itself as New Folder.exe. The worm also searches the logical drives for DOC files and will copy itself as <document name>.doc.

W32/Levona-B can disable or minimize many applications by searching window title bars for certain words or phrases, including the following security-related ones:

ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER

The following registry entries are created to run Renova.exe and Nova.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<Common Files>\Renova.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
Nova.exe

The following registry entries are changed to run Renova.exe and Mstry.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msrun.exe
Debugger
<Windows>\Mstry.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<Common Files>\Renova.exe"

(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "<Common Files>\Renova.exe"

(the default value for this registry entry is "<Windows>\System32\userinit.exe,").

The following registry entries are set, disabling the registry editor (regedit), the Windows task manager (taskmgr) and system restore:

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\
LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisabletaskMgr
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion
RegisteredOrganization
XENOVA

HKCU\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner
RENOVA

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0

HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization
XENOVA

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
RENOVA

Registry entries are created under:

HKCU\Identities\(D5A9171C-33E5-45AA-8DA6-0CA3468699C7)\
Software\Microsoft\Outlook Express\5.0\Mail\

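As an added defender-side check (not part of the Sophos analysis), the following PowerShell script audits the Winlogon, Image File Execution Options, Run-key and policy values listed above and reports any that deviate from the documented defaults. Paths and value names are taken from the analysis; the expected Shell and Userinit values are the Windows defaults the analysis quotes, and 0 is assumed as the clean value for the policy flags the worm sets to 1.

```powershell
# Added example, not part of the Sophos analysis: audit the Winlogon, IFEO,
# Run-key and policy values the analysis lists for W32/Levona-B and report
# any that deviate from the documented Windows defaults. Run elevated.
$findings = @()

function Test-RegValue {
    param([string]$Path, [string]$Name, [string[]]$Expected, [string]$Why)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }   # value absent: nothing to flag
    $actual = [string]$item.$Name
    # -notcontains compares case-insensitively, so explorer.exe/Explorer.exe both pass.
    if ($Expected -notcontains $actual) {
        $script:findings += [pscustomobject]@{ Path = $Path; Name = $Name; Actual = $actual; Why = $Why }
    }
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msrun.exe'
$sysPol   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$srPol    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

# The worm rewrites Shell and Userinit so that Renova.exe starts with explorer.exe.
Test-RegValue $winlogon 'Shell'    @('explorer.exe') 'Winlogon Shell is no longer the default'
Test-RegValue $winlogon 'Userinit' @("$env:SystemRoot\System32\userinit.exe,") 'Winlogon Userinit is no longer the default'

# An IFEO Debugger value for Msrun.exe should not exist at all; an empty
# expected set therefore flags any value that is present.
Test-RegValue $ifeo 'Debugger' @() 'IFEO Debugger redirect (analysis: <Windows>\Mstry.exe)'

# Run-key entries named in the analysis: any value present is worth a look.
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'Shell'  @() 'Run-key entry pointing at Renova.exe'
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'Renova' @() 'Run-key entry pointing at Nova.exe'

# Policy flags the worm sets to 1 (regedit, Task Manager, System Restore, Search).
foreach ($p in @(
        @{ Path = $sysPol; Name = 'DisableRegistryTools' },
        @{ Path = $sysPol; Name = 'DisableTaskMgr' },
        @{ Path = $srPol;  Name = 'DisableSR' },
        @{ Path = $srPol;  Name = 'DisableConfig' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind' })) {
    Test-RegValue $p.Path $p.Name @('0') 'restriction enabled (the worm sets this to 1)'
}

if ($findings.Count -eq 0) { 'No deviations from the documented defaults found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on any of these values is a lead, not proof of infection; confirm by checking for the dropped files listed above before restoring the defaults.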