Aliases: W32/Lecna.A Worm
Variants: W32.Lecna.H, W32.Lecna.C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 31 May 2006
Damage: Medium

Characteristics: W32.Lecna.A is a worm. It spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011). The worm opens a backdoor and downloads remote files. It also uses a rootkit to hide its presence on the infected computer.

More details about W32.Lecna.A

When the worm W32.Lecna.A is executed, it creates the following files: explore.exe, MiniPCI.sys (a rootkit component), and DriverNum.dat. It also adds registry values so that it runs at every Windows start-up. The worm hides itself on the infected system by installing a rootkit driver named MiniPCI0. It even hides the real Internet Explorer process. It contacts certain websites and downloads the files netscv.exe, netsvcs.exe, and netsvc.exe, and it downloads updates to itself. Next, the worm opens a backdoor on the infected computer that allows an attacker to list, delete, download, and execute files. It also allows the attacker to list and end processes, enumerate network computers, exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability, and connect to the attacker's computer and transfer data using HTTP commands.
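A small triage helper, added here as an example and not part of the original write-up: it searches a directory tree for the file names listed above and checks a supplied list of installed driver names for MiniPCI0. The directory contents it scans are constructed sample data, not a real host.

```python
# Added triage helper (not from the original write-up): scan a directory tree
# for the file names attributed to W32.Lecna.A and check a list of installed
# driver names for the rootkit driver name MiniPCI0.
import os
import tempfile
from pathlib import Path

# File names taken from the write-up, stored lower-case so matching is
# case-insensitive like NTFS. The dropper "explore.exe" is one letter short of
# the legitimate "explorer.exe", so only exact name matches count as hits.
LECNA_FILE_INDICATORS = frozenset({
    "explore.exe", "minipci.sys", "drivernum.dat",
    "netscv.exe", "netsvcs.exe", "netsvc.exe",
})
# Driver name under which the write-up says the rootkit is installed.
LECNA_DRIVER_NAME = "minipci0"


def scan_tree(root):
    """Return sorted paths under root whose file name matches an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in LECNA_FILE_INDICATORS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_rootkit_driver(driver_names):
    """Return entries of driver_names equal to MiniPCI0 (case-insensitive).
    On Windows the list would come from e.g. `sc query type= driver`; the
    caller supplies it here so the function runs on any platform."""
    return [n for n in driver_names if n.lower() == LECNA_DRIVER_NAME]


def demo():
    """Scan a constructed tree mixing benign names with two indicators and
    return the matched file names (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp, "Windows", "System32")
        drivers = sys32 / "drivers"
        drivers.mkdir(parents=True)
        for benign in ("explorer.exe", "svchost.exe"):
            (sys32 / benign).write_bytes(b"benign placeholder")
        (sys32 / "explore.exe").write_bytes(b"constructed indicator")
        (drivers / "MiniPCI.sys").write_bytes(b"constructed indicator")
        return sorted(Path(h).name for h in scan_tree(tmp))


if __name__ == "__main__":
    print(demo())                                     # ['MiniPCI.sys', 'explore.exe']
    print(find_rootkit_driver(["Beep", "MiniPCI0"]))  # ['MiniPCI0']
```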

The W32.Lecna software may enter the system when the user downloads certain freeware applications. Freeware products may contain advertising components to earn revenue for the developer, and online advertisers use them to deliver marketing content straight to the end user. The End User License Agreement (EULA) may state that users will receive advertisements in exchange for free use of the program. Downloader applications can also spread the advertising software. The program may place its files in a number of hidden folders; the exact location commonly varies for each installation, and random file names are also used, which helps the software evade detection. Its processes are registered in the system registry so they run at startup.