Aliases: W32/Lecivio-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 25 May 2007
Damage: Low

Characteristics: W32.Lecivio is a worm. It spreads by copying itself to all mapped drives on an infected computer. It also downloads potentially malicious files on to the infected computer. These malicious files carry out dangerous actions on the infected computer.

More details about W32.Lecivio

The worm W32.Lecivio infects Windows systems and spreads by copying itself to all mapped drives. When executed, the worm may create any of the following files in the Windows System folder: cmdial.exe, viollice.exe, userinit.exe, inf.exe, of.ico, dnandlk.exe, dpnmodempl.dll, or rpcss.exe. It may also create GOKU.exe in C: and Microsoft Office.lnk in C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder. The worm then creates autorun.inf and inf.exe in the root of all drives. This includes removable drives. It modifies the registry to ensure its automatic execution at every Windows startup. It also creates additional registry entries and registry subkeys. The malicious worm also attempts to download and execute potentially malicious files from the Internet. It can connect to the Internet, hide from the user, and stay resident in background.

The W32.Lecivio application is commonly obtained by unsuspecting users via drive-by download. Users may acquire the program while visiting unreliable web domains on the Internet. These websites may contain clickable objects which may trigger the installation script of the application. These embedded items may take the form of pop-ups, pop-unders, side bars or embedded links on the encrypted web page. The installation of the program is initiated once the user clicks on these embedded objects.