Leave is an Internet worm spreading through vulnerable machines.
The worm works under Win32 systems only. The worm functionality
is based on a special script language that allows remote host to
manage infected computers. The worm also is able (due to these
special script programs) to download and activate more components
(plugins). As a result the worm is able to "upgrade" itself from
Internet Web sites.
When a main worm component is run it copies itself to Windows
directory with REGSV.EXE name and registers that file in auto-run
registry keys. These keys depend on Windows version (Win9x or
WinNT) and look as follows:
regsv = %windir%\regsv.exe
icqrun = %windir%\regsv.exe
The worm then stays as a hidden (service) process in Windows
memory and is active untill next Windows shutdown.
The main worm components contains a text string that is SubSeven
backdoor master password. So the worm may attack remote systems
already infected by SubSeven backdoor, and install itself there.
To get addresses of victim's machines the worm uses sniffing
(scanning) routine that follows scripts (see below) and scan
Internet for IP addresses of remote computers.
The worm's script language is quite powerful. It allows the worm
to do the following:
- download from Web sites and run EXE files (worm plugins)
- scan IP addresses by requested mask
- connect to IRC servers and execute IRC commands
- create, move, delete, execute files on affected computer
The scripts are downloaded by worm from different Web sites, for
and from several others.
The script commands in there are encrypted with 64 bits block
cipher. When the worm gets a script from there it first decrypts
it and then follows script instructions.
The worm also contains in its code a default script (that is also
encrypted). That script is dropped to Windows directory with
When scripts are accepted, the worm also stores them in encrypted
form in Registry keys:
The worm performs DoS attack (Denial of Service) to following
In the beginning of July 2001 someone sent out a fake Microsoft
Security Bulletin. That bulletin had a Microsoft-like download
The URL pointed to a fake patch program named: cvr58-ms.exe which
was a variant of Leave worm.
F-Secure Anti-Virus with the latest updates detects all known
variants of Leave worm.
[Analysis: Eugene Kaspersky; KL, July 2001]