
Win32/Lefgroo


First posted on 09 January 2013.
Source: Microsoft

Aliases :

There are no other names known for Win32/Lefgroo.

Explanation :



Win32/Lefgroo is a family of worms that copy themselves to removable and network drives, and display messages.



Installation

When it runs, the worm makes copies of itself in the following location:

%windir%\profile

For example, it may be on your computer as:

  • %windir%\profile\susoft.exe
  • %windir%\profile\services.exe


It also creates a registry entry to ensure that it runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HTML"
With data: "%windir%\profile\services.exe"

The worm may also copy itself to the root directory of all available drives as <Drive>:\musica.exe, and set the hidden and system file attributes.

Spreads via...

Removable / Mapped drives

Lefgroo copies itself to the base directory of any removable drive or mapped network share as <Drive>:\musica.exe and sets the hidden and system file attributes. It also checks for subdirectories on those drives and, if found, places a copy of itself under each directory with the same name as the directory, for example:

C:\Folder\Folder.exe

Note that the worm usually uses a folder icon, which may trick the user into clicking on it. If you click on this folder icon, the worm will run.



Payload

Displays messages

The worm may display messages, such as the following:


It may also open the following websites in a full-screen browser window:

  • groups.msn.com/<removed>suazo
  • metroflog.com/<removed>suazo
  • sexyono.com


Modifies system settings

Variants of Lefgroo may also modify the following registry entries in an effort to sustain itself on your computer and assist in delivering its payload.

It disables the system utility Task Manager by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"

Lefgroo removes the Folder Options item from all Explorer menus and the Control Panel by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoFolderOptions"
With data: "1"

It modifies Internet Explorer settings by making the following change to the registry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "FullScreen"
With data: "yes"
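The following read-only check script is an added example, not part of the Microsoft write-up: it looks for the file, Run-key and policy indicators described under Installation, Spreads via and Modifies system settings above, and reports them without changing anything. File names, key paths and values are taken from this page; the one-level-deep scan of drive roots is an assumption about where the folder-named copies land.

```powershell
# Added example (not Microsoft's code): report Win32/Lefgroo indicators from this page.
# Read-only; run in an elevated PowerShell session. It only reports, never modifies.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: HKCU Run value "HTML" pointing at %windir%\profile\services.exe
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['HTML']) {
    $findings.Add("Run value 'HTML' present: $($run.HTML)")
}

# 2. Dropped copies in %windir%\profile (susoft.exe, services.exe)
$profileDir = Join-Path $env:windir 'profile'
foreach ($name in 'susoft.exe', 'services.exe') {
    $p = Join-Path $profileDir $name
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file present: $p") }
}

# 3. Registry policy changes listed under "Modifies system settings"
$policy = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name = 'FullScreen';           Bad = 'yes' }
)
foreach ($c in $policy) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ("$v" -eq $c.Bad) { $findings.Add("$($c.Key)\$($c.Name) = $v") }
}

# 4. Spreading artefacts on every filesystem drive: <Drive>:\musica.exe, and
#    <Drive>:\<Folder>\<Folder>.exe carrying hidden+system attributes (assumed one level deep)
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $root = $d.Root
    $m = Join-Path $root 'musica.exe'
    if (Test-Path -LiteralPath $m) { $findings.Add("Root copy present: $m") }
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = Join-Path $_.FullName ($_.Name + '.exe')
        if (Test-Path -LiteralPath $exe) {
            $attr = (Get-Item -LiteralPath $exe -Force).Attributes
            if (($attr -band $hiddenSystem) -eq $hiddenSystem) {
                $findings.Add("Folder-named hidden/system executable: $exe")
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Lefgroo indicators found.' } else { $findings }
```

A hit on any single check is not proof on its own (the policy values are also set by legitimate administration), so treat the output as a lead for triage rather than a verdict.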



Analysis by Ray Roberts

Last update 09 January 2013
