Leena Virus


The virus is written in VB, is 76 KB in size, and uses the MS Word icon. Because it looks like an MS Word document, it spreads easily, especially among general computer users who are less careful. When the virus is executed, an MS Word document appears with text headed "EMPTY". After that, Leena creates several master files:
- C:\Documents and Settings\%username%\Local Settings\Application Data\%user%.Task\services.exe
- C:\Documents and Settings\%username%\Local Settings\Temp\lsass.exe
- C:\Documents and Settings\All Users\Application Data\normal.exe
- C:\Documents and Settings\All Users\Application Data\leena.%% Running on infection
- C:\Windows
  - ExeServ.exe
  - Leena.ini
- C:\WINDOWS\system32\3D Soccer.exe
- C:\WINDOWS\system32\Av-Prev.exe
- C:\WINDOWS\system32\controls.exe
- C:\WINDOWS\system32\ex-plorer.exe
- C:\WINDOWS\System32\exerun.exe

To support itself, Leena creates several registry strings, including:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon shell = Explorer.exe C:\WINDOWS\ExeServ.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Default = C:\WINDOWS\System32\ExeRun "%1" %*

In addition, Leena creates a scheduled task [Schedule Task] under the name Leena [C:\Windows\tasks\leena]. The task runs the master file located at [C:\WINDOWS\System32\controls.exe] and is scheduled to run at 08.15 every week.

Blocking Windows functions and restarting the computer

To defend itself, Leena tries to shut down some Windows functions, such as:
- Regedit
- Msconfig
- Folder option

As protection, Leena will kill [restart] the computer if any of these functions is run. Leena also remains active when the computer boots in Safe Mode or Safe Mode with Command Prompt; this is done to prevent the user from cleaning the virus.

This technique is implemented with the following registry strings:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell = C:\WINDOWS\System32\Av-Prev.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon shell = Explorer.exe C:\WINDOWS\ExeServ.exe

Manipulating .exe files to activate the virus

Be careful if your computer is infected with this virus; we recommend cleaning it immediately with an antivirus program that can detect it. Leena redirects the launch of every executable file so that it runs itself (in the background), while the application that was called still runs as usual.

To do this, Leena creates the following registry string:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command Default = C:\WINDOWS\System32\ExeRun "%1" %*
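
A check for the three registry values named above, as an added example (not code from the original post): it parses `reg query`-style text and reports data that differs from the stock Windows values. The baseline values, the function names and the sample text are assumptions made for this illustration.

```python
import re

# Assumption: stock data on a default Windows install for the three values
# the write-up says Leena rewrites. Keys are matched by suffix so that
# ControlSet001 and CurrentControlSet are both covered.
BASELINE = {
    (r"\microsoft\windows nt\currentversion\winlogon", "shell"): "explorer.exe",
    (r"\classes\exefile\shell\open\command", "(default)"): '"%1" %*',
    (r"\control\safeboot", "alternateshell"): "cmd.exe",
}
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query` style text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()

def audit(text):
    """Return [(key, value_name, found, expected)] for non-stock data."""
    findings = []
    for key, name, data in parse_reg_query(text):
        for (suffix, vname), expected in BASELINE.items():
            matches = key.lower().endswith(suffix) and name.lower() == vname
            if matches and data.lower() != expected:
                findings.append((key, name, data, expected))
    return findings

# Constructed sample: two values as the page lists them, one stock value.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe C:\WINDOWS\ExeServ.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\System32\ExeRun "%1" %*

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
    AlternateShell    REG_SZ    cmd.exe
'''

if __name__ == "__main__":
    for key, name, found, expected in audit(SAMPLE):
        print(f"{key} [{name}]: {found!r} (stock: {expected!r})")
```
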

Hiding MS Word files

As done by the River virus, Leena also tries to hide MS Word files, and in their place creates duplicate files with the same names as the hidden files. The virus files created by Leena have these characteristics:

- File size: 76 KB
- Extension: .EXE
- File type: "Application"

If you try to run a file infected by Leena, the MS Word program appears with text headed "EMPTY".
