Win32/Lefgroo is a family of worms that copy themselves to removable and network drives, and display messages.
When it runs, the worm makes copies of itself in the following location:
For example, it may be on your computer as:
It also creates a registry entry to ensure that it runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HTML"
With data: "%windir%\profile\services.exe"
The worm may also copy itself to the root directory of all available drives as <Drive>:\musica.exe, and set the hidden and system file attributes.
Removable / Mapped drives
Lefgroo copies itself to the root directory of any removable drive or mapped network share as <Drive>:\musica.exe and sets the hidden and system file attributes. It also checks for subdirectories on those drives and, if any are found, makes copies of itself under each directory using the directory's own name, for example:
Note that the worm usually uses a folder icon, which may trick the user into opening it. If you click on this folder icon, the worm runs.
The worm may display messages, such as the following:
It may also open the following websites in a full-screen browser window:
Modifies system settings
Variants of Lefgroo may also modify the following registry entries to help sustain themselves on your computer and to assist in delivering their payload.
It disables the system utility Task Manager by making the following registry modification:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
Lefgroo removes the Folder Options item from all Explorer menus and the Control Panel by making the following registry modification:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoFolderOptions"
With data: "1"
It modifies Internet Explorer settings by making the following change to the registry:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "FullScreen"
With data: "yes"
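The registry and file artifacts listed in this write-up can be audited on a suspect host with a read-only script such as the following. It is an added example, not part of the original analysis; it assumes the subdirectory copies are named <dir>\<dir>.exe (the page's own example of that naming is not reproduced here) and only reports, it does not clean.

```powershell
# Added example: audit a host for the Lefgroo artifacts described above.
# Read-only. Assumption: run as the affected user, since the keys are under HKCU.
$findings = @()

# Registry values from the write-up: key, value name, regex the malicious data matches
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';              Name = 'HTML';                 Pattern = '\\profile\\services\.exe$' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableRegistryTools'; Pattern = '^1$' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';     Pattern = '^1$' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                  Name = 'FullScreen';           Pattern = '^yes$' }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $actual = [string]$item.($c.Name)
        if ($actual -imatch $c.Pattern) {
            $findings += "Registry: $($c.Key)\$($c.Name) = '$actual'"
        }
    }
}

# musica.exe in the root of every drive (the worm sets hidden+system, so use -Force)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    $path = Join-Path $root 'musica.exe'
    if (Test-Path -LiteralPath $path) {
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        $findings += "File: $path (attributes: $attrs)"
    }
    # Assumed naming for the per-directory copies: <dir>\<dir>.exe
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $clone = Join-Path $_.FullName ($_.Name + '.exe')
        if (Test-Path -LiteralPath $clone) {
            $attrs = (Get-Item -LiteralPath $clone -Force).Attributes
            $findings += "File: $clone (attributes: $attrs)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Lefgroo artifacts found.' } else { $findings }
```

A hit on the Run value or on a hidden+system musica.exe in a drive root is the strongest indicator; the three policy values alone can also be set by legitimate administrative policy and should be read together with the file findings.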
Analysis by Ray Roberts