This worm looks for systems already infected with SubSeven, then exploits the backdoor Trojan horse with new code.
The National Infrastructure Protection Centre (NIPC) has issued a warning of a new Internet worm that compromises systems previously affected by the SubSeven Trojan horse. The Leave worm (w32.leave.worm) places additional code on computers already infected with SubSeven. Because Trojans lurk in the background and run without the user's knowledge, NIPC is encouraging everyone to scan their PCs with the latest antivirus signature updates. At this time, there have been only a handful of Leave infections reported to antivirus vendors. Leave currently ranks as a 5 on the ZDNet Virus Meter.
How it works
Leave contains three components: Bin.dll, Registry.dll, and an EXE file. When the EXE file is opened, Leave makes changes to the Windows system registry, adding what appears to be encrypted registry keys. Leave also contains code to connect to IRC servers, time servers, and can therefore download additional files. Leave checks to see if the computer is online by attempting to access popular Web sites such as yahoo.com. If the infected computer is online, Leave attempts to contact other Web sites to download more code. At least one of these additional sites has been shut down. Bin.dll infects several standard Windows programs such as calc.exe and regedit.exe. Registry.dll may contain a mass mailing routine. At this time, Leave does not contain a destructive payload.
7%
3%
