Aliases: W32/Leebad-A
Variants: Worm.Win32.Leebad.C, W32/Leebad-B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 05 Aug 2004
Damage: Low

Characteristics: W32.Leebad is a worm. It logs keystrokes and spreads by copying itself to the root of mapped drives. It was spotted August 5, 2004 and infects Windows systems.

More details about W32.Leebad

W32.Leebad is a worm that logs keystrokes and spreads by copying itself to the root of mapped drives. When executed, it copies itself to the root of each mapped drive as two files, system32.exe and system32dll.dll; it requires both of them to run. It then drops the files admin.bat and autorun.inf. The file admin.bat is a batch file that adds an administrator account named "lee" to the infected computer, with the password "[email protected]#". The file autorun.inf starts the worm whenever the root of the drive is viewed in Windows Explorer. The worm then logs keystrokes and monitors the system for windows with certain Chinese names.
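The drive-root artifacts described above can be checked for with a short script; the following is an added example, not part of the original write-up or any vendor tool. It matches on file names only. The verdict labels, the function names and the choice to inspect the standard `open`/`shellexecute` AutoRun keys are assumptions made for illustration.

```python
import configparser
from pathlib import Path

# File names the description says are written to each mapped drive root.
WORM_FILES = {"system32.exe", "system32dll.dll"}
DROPPED_FILES = {"admin.bat", "autorun.inf"}
AUTORUN_KEYS = ("open", "shellexecute")  # assumption: keys worth inspecting


def autorun_targets(inf_path):
    """Return lower-cased launch targets from an autorun.inf [autorun] section."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(Path(inf_path).read_text(errors="replace"))
    except configparser.Error:
        return []  # malformed file: nothing parseable to report
    for section in parser.sections():
        if section.lower() == "autorun":
            return [parser[section][k].strip().lower()
                    for k in AUTORUN_KEYS if k in parser[section]]
    return []


def scan_root(root):
    """Check one drive root and describe any Leebad-style artifacts found."""
    present = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    names = set(present)
    found = sorted((WORM_FILES | DROPPED_FILES) & names)
    targets = autorun_targets(present["autorun.inf"]) if "autorun.inf" in names else []
    # Does autorun.inf point at one of the worm's own file names?
    launches_worm = any(Path(t.split()[0].replace("\\", "/")).name in WORM_FILES
                        for t in targets if t)
    if WORM_FILES <= names:
        verdict = "likely-infected"   # both files the worm needs to run
    elif launches_worm or WORM_FILES & names or DROPPED_FILES <= names:
        verdict = "suspicious"        # partial artifact set or leftover autorun
    else:
        verdict = "clean"             # a lone benign autorun.inf is not flagged
    return {"root": str(root), "found": found, "verdict": verdict,
            "autorun_launches_worm": launches_worm}


if __name__ == "__main__":
    import sys
    for drive_root in sys.argv[1:]:   # e.g. python scan.py Z:\ Y:\
        print(scan_root(drive_root))
```

A "likely-infected" or "suspicious" root is a reason to also review the machine's local Administrators group for the "lee" account that admin.bat creates.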

The W32.Leebad program may enter the system through network shares. An infected file may be placed in shared folders or resources. It may be saved with a file name similar to that of legitimate processes. Once the W32.Leebad application has been installed, it will create a backdoor. It searches for unused ports and randomly opens one. This will be used to connect to the Internet. The software will then notify the remote server that the installation has been completed.