IWS - The Information Warfare Site

ADVISORY 01-014

"New Scanning Activity (with W32-Leave.worm) Exploiting SubSeven Victims"
June 23, 2001

The NIPC and FedCIRC have recently received reports of attempts to locate computers previously infected with the SubSeven Trojan, take control of them, and plant new malicious code known as "W32-Leave.worm" on them. This activity, currently under investigation, makes it all the more important that users of Microsoft operating systems take precautions against infection by SubSeven Trojan variants and, if infected, promptly follow the known procedures to remove the SubSeven infection.

SubSeven is a Trojan Horse that gives a remote operator complete control of an infected machine, typically using Internet Relay Chat (IRC) channels for communication. By default SubSeven listens for network traffic on 16959/tcp and 27374/tcp, though the port numbers can be changed, so a check limited to the default ports will not find every infection. Full descriptions and removal instructions for a number of SubSeven variants can be found on anti-virus vendor web sites, including the following:

http://www.symantec.com (Symantec)
http://www.nai.com (McAfee)
http://www.antivirus.com (Trend Micro)

Additional information about SubSeven can be found in NIPC Advisory 00-056 (www.nipc.gov/warnings/advisories/2000/00-056.htm).

The newly reported Leave activity is effective only against machines that remain infected with SubSeven: the attack connects to the SubSeven ports already open on such a machine and uses the Trojan's own access to place additional malicious code on it. The full impact of a Leave infection and the appropriate fixes are still under investigation. Signature files needed to detect Leave can be obtained from anti-virus vendor web sites, including those listed above.
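Because the Leave activity rides on the SubSeven listening ports, perimeter logs are a practical place to spot both the sweep and the hosts that answered it. The following script is an added example, not part of the NIPC advisory or of any vendor tool: it parses a constructed set of iptables-style firewall log lines (the log format, addresses and thresholds are assumptions for illustration) and reports sources probing several hosts on the SubSeven default ports, plus any internal host where the firewall accepted such a connection and which therefore warrants a SubSeven check.

```python
"""Flag SubSeven-port scanning and likely-infected responders in firewall logs.

Added example (not from the NIPC advisory): the log format, addresses and
threshold below are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Default SubSeven listening ports named in the advisory. The Trojan can be
# reconfigured to other ports, so a clean result here is not proof of health.
SUBSEVEN_PORTS = {16959, 27374}

# Constructed log lines in a simplified iptables format (not real traffic).
SAMPLE_LOG = """\
Jun 23 02:11:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=27374 SYN
Jun 23 02:11:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4002 DPT=27374 SYN
Jun 23 02:11:05 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=4003 DPT=27374 SYN
Jun 23 02:11:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=4004 DPT=16959 SYN
Jun 23 02:11:06 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.5 DST=192.0.2.20 PROTO=TCP SPT=51200 DPT=80 SYN
Jun 23 02:11:07 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=33000 DPT=27374 SYN
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) SYN"
)


def parse(log_text):
    """Yield (action, src, dst, dport) for every TCP SYN line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["action"], m["src"], m["dst"], int(m["dpt"])


def analyze(log_text, min_targets=3):
    """Return (scanners, responders) for SubSeven-port traffic.

    scanners:   {src: sorted targets} for sources that probed at least
                min_targets distinct hosts on SubSeven ports (sweep pattern).
    responders: {dst: sorted sources} for hosts where a SYN to a SubSeven
                port was ACCEPTed; these hosts need a SubSeven check no
                matter who connected.
    """
    targets = defaultdict(set)
    accepted = defaultdict(set)
    for action, src, dst, dport in parse(log_text):
        if dport not in SUBSEVEN_PORTS:
            continue  # unrelated traffic, e.g. ordinary web requests
        targets[src].add(dst)
        if action == "ACCEPT":
            accepted[dst].add(src)
    scanners = {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}
    responders = {d: sorted(s) for d, s in accepted.items()}
    return scanners, responders


if __name__ == "__main__":
    found_scanners, found_responders = analyze(SAMPLE_LOG)
    for src, hosts in found_scanners.items():
        print(f"scanner {src} probed {len(hosts)} hosts on SubSeven ports")
    for dst, sources in found_responders.items():
        print(f"check {dst}: accepted SubSeven-port connection from {', '.join(sources)}")
```

A host appearing in the responders list should be examined with current anti-virus signatures and, if infected, cleaned using the vendor removal procedures referenced above; the scanner list is what you would pass to the incident reporting contacts at the end of this advisory.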

As always, users are advised to keep their anti-virus software current by checking their vendor's web sites frequently for new updates, and to stay apprised of alerts from the NIPC, FedCIRC, CERT/CC and other cognizant organizations.

Recipients of this advisory are encouraged to report computer crime to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov. The FedCIRC Operations Center can be reached at 1-888-282-0870 or fedcirc@fedcirc.gov.