-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                        A U S C E R T   A L E R T

                    AL-2001.11 -- AUSCERT ALERT
                          W32/Leave.B Worm
                           13 July 2001
===========================================================================

PROBLEM:

AusCERT has received reports of a new Win32-based worm that has been detected entering some Internet sites. Leave.B, a variant of the Leave.A worm, has two methods of spreading.

The first method is scanning for hosts that have previously been compromised and have had the SubSeven trojan horse program installed. SubSeven may have been installed by a user unknowingly running another piece of malicious software, or by an intruder exploiting a vulnerability in the system.

The second method is a fake virus-warning email message crafted to look like a Microsoft Security Bulletin. This fake bulletin directs the user to download a file that is claimed to be a patch from Microsoft but is actually the Leave.B worm itself. The virus described in the message is a hoax, and the link to the "patch" does not point to Microsoft's server at all, but to a free hosting server. The supposed "patch" ("cvr58-ms.exe") is the Win32.Leave.B worm.

The fake message begins with the following text:

**BEGIN FAKE MESSAGE**

Subject: Microsoft Security Bulletin MS01-037

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

--------------------------------------------------------
Title:      Vulnerability in Windows systems allowing an upload of a serious virus.
Date:       30 June 2001
Software:   Windows 2000
Impact:     Privilege Elevation
Bulletin:   MS01-037

**END FAKE MESSAGE**

There is a real Microsoft Security Bulletin MS01-037, which begins with the following text:

**BEGIN REAL MICROSOFT BULLETIN**

Subject: Microsoft Security Bulletin MS01-037
From: Microsoft Product Security <secnotif@MICROSOFT.COM>
Date: Thu, 5 Jul 2001 18:08:16 -0700 (Fri 11:08 EST)
To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

-----BEGIN PGP SIGNED MESSAGE-----

--------------------------------------------------------
Title:      Authentication Error in SMTP Service Could Allow Mail Relaying
Date:       05 July, 2001
Software:   Windows 2000
Impact:     Mail Relaying
Bulletin:   MS01-037

**END REAL MICROSOFT BULLETIN**

When the worm is executed, it copies itself into the Windows system directory (e.g. C:\WINDOWS or C:\WINNT) with the filenames REGSV.EXE and/or SERVICE.EXE. Depending on the operating system version, the worm creates one of the registry keys and values of the following format; this causes REGSV.EXE or SERVICE.EXE to run when Windows is started:

Registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Key values:

    regsv = %windir%\regsv.exe
    service = %windir%\service.exe

PLATFORM:

Leave.B is a Win32 executable and poses a threat to Microsoft Windows operating systems that run Win32 (32-bit) applications. These systems include, but are not limited to, Windows ME, Windows NT4 and Windows 2000.

IMPACT:

Leave.B has the ability to download and run executable files from Web sites, scan IP addresses, and connect to IRC (Internet Relay Chat) servers and execute IRC commands.
The effect of this is that an intruder could execute arbitrary commands on the compromised hosts. Additionally, the worm itself can create, move, delete and execute files on the infected computer.

RECOMMENDATIONS:

A. Detection

It is vital to check potentially affected systems for the presence of both the worm and the SubSeven trojan horse program. This may be accomplished using a current version of an anti-virus program that is certified by the vendor to detect them.

Variants of the worm may use different filenames on affected systems. Check for the existence of C:\WINDOWS\Regsv.exe (or C:\WINNT\Regsv.exe on Windows NT and Windows 2000 systems) or C:\WINDOWS\Service.exe (or C:\WINNT\Service.exe on Windows NT and Windows 2000 systems).

Microsoft security bulletins are cryptographically signed with PGP. Sites are strongly encouraged to validate the PGP signature on any security bulletin before following the enclosed information.

B. Recovery

If you detect that your system is already compromised, you may need to instigate a full recovery procedure. Keep in mind that if a machine is compromised, anything on that system could have been modified, including the kernel, binaries, data files, running processes, and memory. In general, the only way to trust that a machine is free from backdoors and intruder modifications is to reinstall the operating system from the distribution media and install all of the security patches before connecting back to the network. Merely determining and fixing the vulnerability that was used to initially compromise the machine may not be enough.

We encourage you to restore your system using known clean binaries. In order to put the machine into a known state, you should re-install the operating system using the original distribution media. You should also ensure that you have applied all relevant security fixes and patched all application software according to the latest vendor information.
For detailed information about recovering from a system compromise, several documents are available from:

    http://www.auscert.org.au/Information/Auscert_info/papers.html

e.g.

    Windows NT Intruder Detection Checklist
    Steps for Recovering from a UNIX or NT System Compromise

which can provide some assistance.

C. User Education

System administrators are urged to inform their users about proper precautions with regard to handling email attachments. AusCERT recommends that sites update and check their virus defences and either delete or quarantine any email messages or attachments that resemble those described above or in the following links.

D. Update Anti-Virus Packages

System administrators and users are urged to ensure that the latest anti-virus software is installed and that it is using the most current, up-to-date virus databases.

More information can be found at:

    http://www.europe.f-secure.com/v-descs/leave.shtml
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_LEAVE.B
    http://www.symantec.com/avcenter/venc/data/w32.leave.b.worm.html
    http://www.sophos.com/virusinfo/analyses/w32leavea.html
    http://www.cai.com/virusinfo/encyclopedia/descriptions/l/leaveb.htm

AusCERT is continuing to monitor this problem.

---------------------------------------------------------------------------

For more information contact your Anti-Virus software vendor.

---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information contained in this document is accurate at the time of publication. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AusCERT takes no responsibility for the consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

AusCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on: http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA

===========================================================================
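A host check for the indicators in section A (Detection), written here as an added example that is not AusCERT's or any anti-virus vendor's code: it parses a regedit-style export of the Run/RunServices keys and a Windows directory listing (both constructed samples) and flags only the value names and filenames the alert gives, so variants using other names are not caught and a full anti-virus scan is still required.

```python
"""Check Run/RunServices values and a directory listing for the W32/Leave.B
indicators named in AL-2001.11 (added example; sample inputs are constructed)."""
import re

# Autostart value names and the image each points to, as given in the alert.
LEAVE_B_VALUES = {"regsv": "regsv.exe", "service": "service.exe"}
AUTOSTART_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)

def parse_reg_export(text):
    """Return {key (lower-cased): {value name: data}} from a regedit .reg export; string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if val and current is not None:
            # .reg files write each backslash as \\ ; restore the real path.
            keys[current][val.group(1)] = val.group(2).replace("\\\\", "\\")
    return keys

def basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_autostart_indicators(reg):
    """(key, value name, data) for each Run/RunServices value the alert describes. Matching
    both the value name and the image name keeps a benign 'service' entry from being flagged."""
    return [(key, name, data)
            for key in AUTOSTART_KEYS
            for name, data in reg.get(key, {}).items()
            if LEAVE_B_VALUES.get(name.lower()) == basename(data)]

def find_suspect_files(listing):
    """Paths from a Windows directory listing whose name matches the worm's copies."""
    return [p for p in listing if basename(p) in LEAVE_B_VALUES.values()]

# Constructed sample inputs: one benign Run value plus both worm entries.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"regsv"="C:\\WINNT\\regsv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"service"="C:\\WINNT\\service.exe"
'''
SAMPLE_LISTING = [r"C:\WINNT\explorer.exe", r"C:\WINNT\Regsv.exe", r"C:\WINNT\system32\services.exe"]
```

The listing sample includes the legitimate services.exe to show that the check is an exact name match rather than a substring match.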