Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 14 May 2007
Damage: Medium

Characteristics: W32.Neela is usually introduced to a network through removable devices or USB drives, where it is launched by autorun.inf. It monitors all the drives connected to the infected computer and automatically creates an autorun.inf file on every mapped or accessible drive, so that the threat runs automatically when the drive is accessed. It affects all Windows platforms, namely Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. It may also try to disable antivirus applications.

More details about W32.Neela

The worm also propagates by creating files, namely index.dat, Word Template.LNK, csrss.exe, lsass.exe, services.exe, smss.exe, winlogon.exe, 2.doc, lsass.doc, services.doc, winlogon.doc, smss.doc, Normal.exe, execute.exe, At1.job, leena.job, aneel.exe, l33na.exe, leena.ini, Normal.zip, Administrator task, Word Template, leena.12-5-2007 and Read This.exe. It also modifies registry keys so that it starts every time Windows starts. Another recognizable symptom is that it displays text in a Microsoft Word document: “leena...”, “Saat terindah miliki dirimu..”, “Hanya saat mataku terpejam,dan berkhayal memilikimu.”, “Pernahkah kau memimpikanku,impikan kita??”, “Hingga semua ini seakan nyata,” and “Salam sayang selalu untukmu.” Every Sunday it also tries to add the text “Leena, I love you, Magelang,10-06.” to Word documents.
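The autorun.inf behaviour and the file names listed above can be combined into a quick triage check of a drive root. This is an added example, not part of the original write-up: the function names and the sample autorun.inf content are constructed, and because the page does not say where the files are created, the check only inspects the top level of the path it is given.

```python
import tempfile
from pathlib import Path

# File names the page lists for W32.Neela, lower-cased. Several are also names
# of legitimate Windows files, so a match is a lead to investigate, not a verdict.
LISTED_NAMES = {n.lower() for n in (
    "index.dat", "Word Template.LNK", "csrss.exe", "lsass.exe", "services.exe",
    "smss.exe", "winlogon.exe", "2.doc", "lsass.doc", "services.doc",
    "winlogon.doc", "smss.doc", "Normal.exe", "execute.exe", "At1.job",
    "leena.job", "aneel.exe", "l33na.exe", "leena.ini", "Normal.zip",
    "Administrator task", "Word Template", "leena.12-5-2007", "Read This.exe")}

def autorun_targets(text):
    """Return the commands an autorun.inf would launch, tolerating junk lines."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") or key.lower().endswith("\\command"):
                targets.append(value)
    return targets

def scan_drive_root(root):
    """Return (kind, detail) findings for the top level of one drive or mount."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        name = entry.name.lower()
        if name == "autorun.inf" and entry.is_file():
            data = entry.read_bytes()
            utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = data.decode("utf-16" if utf16 else "latin-1", errors="replace")
            findings += [("autorun_target", t) for t in autorun_targets(text)]
        elif name in LISTED_NAMES:
            findings.append(("listed_file", entry.name))
    return findings

def demo():
    """Scan a constructed drive root (the autorun.inf content is made up)."""
    with tempfile.TemporaryDirectory() as root:
        inf = "junk\n[AutoRun]\n; comment\nopen=aneel.exe\nshell\\open\\command=aneel.exe /x\n"
        Path(root, "AUTORUN.INF").write_text(inf)
        Path(root, "aneel.exe").write_bytes(b"")
        Path(root, "notes.txt").write_text("benign")
        return scan_drive_root(root)

if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Run `scan_drive_root` against each removable or mapped drive root, or against a mounted forensic image, and review every reported autorun target even when its name is not on the list.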

W32.Neela may enter the system through downloader applications, which fetch it from a remote server and then install and execute it. The user may also receive it in an e-mail from an unknown sender, where it could be labeled as a software patch, e-card, screensaver or Flash presentation; users are commonly instructed to open an attached file or click on a link to view it. It may also be uploaded to file sharing networks and websites, and drive-by downloads can also spread it.