Bogus Patch "leaves" Backdoor Open

10 Jul 2001
Virus News

The Internet Worm "Leave" Spreads in the Form of a Security Patch for Windows

Kaspersky Lab, an international data-security software development company, warns users of the discovery of a new version of the Internet worm I-Worm.Leave, which spreads as a message purporting to come from Microsoft. The message describes a security patch for Windows and shows a bogus URL. When the message is opened, the worm attempts to download the file cvr58-ms.exe, which is in fact a Trojan.

The worm runs only on Windows 95/98/ME and Windows 2000. When the main worm component is run, it copies itself to the Windows directory under the name REGSV.EXE and registers that file in the auto-run registry keys so that it starts with the system.
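As an added example (not code from the bulletin or from Kaspersky Lab), the following Python script parses a registry export in the .reg text format and flags auto-run entries that launch either of the file names named above. The bulletin only says "auto-run registry keys", so the key paths checked here are an assumption: the standard Run, RunOnce and RunServices keys of Windows 9x/2000. The registry export is constructed sample data, not taken from an infected machine.

```python
import re

# Constructed sample of a registry export, in the syntax regedit writes
# (Windows 9x uses a "REGEDIT4" header but the same body syntax). The entries
# are made up for this example, not recovered from an infected machine.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"regsv"="C:\\WINDOWS\\REGSV.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\WINDOWS\\regsv.exe\" -s"
'''

# Assumption: the bulletin says only "auto-run registry keys"; these are the
# usual ones on Windows 9x/2000.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# File names the bulletin associates with the worm.
IOC_FILENAMES = ("regsv.exe", "cvr58-ms.exe")

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"\s*$')


def _unescape(s):
    """Undo the .reg escaping of backslashes and quotes inside string data."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: string_data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = _unescape(data)
    return keys


def executable_from_command(command):
    """Return the lower-cased base file name of the program in a command line."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, possibly followed by args
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:                                # unquoted: program ends at first space
        program = command.split(" ")[0]
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_leave_autoruns(reg_text):
    """Return (key, value_name, command) for auto-run entries launching an IOC file."""
    hits = []
    parsed = parse_reg_export(reg_text)
    for key in AUTORUN_KEYS:
        for name, command in parsed.get(key.lower(), {}).items():
            if executable_from_command(command) in IOC_FILENAMES:
                hits.append((key, name, command))
    return hits


if __name__ == "__main__":
    for key, name, command in find_leave_autoruns(SAMPLE_REG_EXPORT):
        print(f"suspicious auto-run: [{key}] {name} = {command}")
```

Matching on the base file name rather than the full string catches both quoted and unquoted command lines and different drive or directory spellings; it will not catch a sample that has been given a different file name, which is why the bulletin's advice to rely on an updated anti-virus database still stands.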

"Leave" can update itself automatically over the Internet and, without the user's knowledge, launch additional EXE components that give an attacker remote control of the infected computer. Among its other functions, "Leave" connects to IRC servers and executes IRC commands, and can create, move, delete and execute files on the infected machine.

The worm's main component contains a text string that is the master password of the SubSeven backdoor. The worm can therefore take over remote machines already infected with SubSeven and install itself on them. To find such victims, the worm runs a scanning routine that probes Internet IP addresses for remote machines.

Detection and treatment for "Leave" have already been added to the Kaspersky Lab anti-virus database.

For a more in-depth description of "Leave," visit the Kaspersky Lab virus encyclopedia.