Aliases: W32/Leave-B, I-Worm/Leave.B, WORM_LEAVE.B, W32/[email protected], Leave.B Internet Worm
Variants: W32.Leave.Worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 09 Jul 2001
Damage: Low

Characteristics: W32.Leave.B.Worm is a worm that downloads components from websites. It contains a code to accept commands from IRC. This threat is quite similar to the W32.Leave.Worm. However, they download components from different websites. In addition, this threat is created to look like a security bulletin from Microsoft.

More details about W32.Leave.B.Worm

The worm W32.Leave.B.Worm arrives as an email message. The message appears as if it came from Microsoft as a security bulletin. The message contains: “Subject: Microsoft Security Bulletin MS01-037” and “Message: The following is a Security Bulletin from the Microsoft Product Security Notification Service…” The worm contains several components which include: Bin.dll, Registry.dll, Regsv.exe, Rg32.dll, and Aci32.dll. When Regsv.exe is executed, it creates copies of itself in the Windows folder as Regsv.exe and executes it. It then creates different registry keys and values. Afterwards, it removes the original Regsv.exe and creates the Aci32.dll file. This file contains the encrypted URL of the file to download. Lastly, under Windows 9x/Me, the worm alters the system and runs itself when files like Wab.Exe, Setup50.Exe, Defrag.exe.bot, Calc.Exe etc. are executed. It then listens to port 113.

The application is capable of downloading unnecessary files from the Internet. It communicates with remote servers to retrieve the files queued to be downloaded by the program. The W32.Leave.B.Worm application uses a backdoor program to establish connection with remote hosts. The backdoor application allows the program to gather additional components without the user’s knowledge. The W32.Leave.B.Worm application exploits the vulnerabilities found on the Windows operating system. These security flaws may come from installed programs or the web browser used on the computer. The openings may also be created by previously installed malware programs on the computer. These gaps on the computer’s security allow the application to download and execute files from the World Wide Web.