CERT® Incident Note IN-2001-07

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses

Release Date: July 3, 2001
The CERT/CC has received an increasing number of reports regarding the compromise of home user machines running Microsoft Windows. Most of these reports involve the intruder tool SubSeven. SubSeven is often used as a Trojan horse, which allows an intruder to deliver and execute any custom payload and run arbitrary commands on the affected machine. This control includes the ability to read, modify, and delete confidential information. Additionally, the intruder may use the affected computer as a launching point for additional attacks (namely, denial of service).
While we believe that this level of intruder activity is not unusual, additional concern may be warranted in light of a new emerging class of "malware" such as W32/Leaves. W32/Leaves appears to be representative of a class of self-replicating, malicious code that automatically scans for hosts with these toolkits installed and leverages backdoors (i.e., SubSeven) for further malicious activity. An existing backdoor installed on a host by one intruder can now be used by another without any prior communication or intention for collaboration between intruders.
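The activity described above, a self-replicating program that sweeps networks looking for hosts with a backdoor already installed, leaves a recognizable trace in perimeter logs: one source address attempting connections to many distinct hosts on the same destination port. The following detector is an added example written for this note, not code from CERT/CC or NIPC. The log lines are constructed, and the probed port number (27374) is assumed as a sample value; this incident note does not state which port W32/Leaves probes.

```python
"""Flag sources that probe many distinct hosts on a single destination port.

Added example (not part of the original CERT incident note). The firewall
log lines below are constructed sample data, and port 27374 is an assumed
sample value, not a value taken from this note.
"""
import re
from collections import defaultdict

# Constructed syslog-style firewall DROP records (not real traffic).
SAMPLE_LOG = """\
Jul  3 10:01:02 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=4123 DPT=27374
Jul  3 10:01:02 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP SPT=4124 DPT=27374
Jul  3 10:01:03 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.3 PROTO=TCP SPT=4125 DPT=27374
Jul  3 10:01:03 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP SPT=4126 DPT=27374
Jul  3 10:01:04 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4127 DPT=27374
Jul  3 10:01:04 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=4128 DPT=27374
Jul  3 10:01:05 gw kernel: DROP IN=eth0 SRC=192.0.2.20 DST=198.51.100.1 PROTO=TCP SPT=5001 DPT=80
Jul  3 10:01:05 gw kernel: DROP IN=eth0 SRC=192.0.2.20 DST=198.51.100.2 PROTO=TCP SPT=5002 DPT=80
Jul  3 10:01:06 gw kernel: DROP IN=eth0 SRC=192.0.2.20 DST=198.51.100.9 PROTO=TCP SPT=5003 DPT=27374
Jul  3 10:01:07 gw kernel: ACCEPT IN=eth0 SRC=192.0.2.30 DST=198.51.100.1 PROTO=UDP SPT=53 DPT=53
"""

# Only TCP records carry the fields we care about; UDP lines are skipped.
LINE_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+)\s+PROTO=TCP\s+(?:SPT=\d+\s+)?DPT=(\d+)")


def parse_events(text):
    """Yield (src, dst, dport) for every TCP record in the log text."""
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.group(1), match.group(2), int(match.group(3))


def find_scanners(events, min_targets=5):
    """Return {(src, dport): distinct_target_count} for sources that touched
    at least ``min_targets`` different destination hosts on one port.

    A single source fanning out across many hosts on one port is the
    signature of automated scanning; a handful of hits to varied ports
    (ordinary client traffic) is not reported.
    """
    targets = defaultdict(set)
    for src, dst, dport in events:
        targets[(src, dport)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


def scan_report(text=SAMPLE_LOG, min_targets=5):
    """Parse the log text and return the scanner summary."""
    return find_scanners(parse_events(text), min_targets)


if __name__ == "__main__":
    for (src, dport), count in sorted(scan_report().items()):
        print(f"{src} probed {count} hosts on TCP/{dport}")
```

Run against real firewall exports by replacing the constructed SAMPLE_LOG with the file contents and adjusting LINE_RE to the logger's field layout; the threshold is deliberately low for the sample and should be tuned to the size of the monitored address space.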
Additional analysis performed by the NIPC on W32/Leaves can be found at
Mitigation

In order to protect against this class of attacks, the CERT/CC recommends installing defensive software.
If these protective measures reveal that the machine has already been compromised, more drastic steps need to be taken to recover. When a computer is compromised, any installed software could have been modified, including the operating system, applications, data files, and memory. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system from the distribution media and install vendor-recommended security patches before connecting back to the network. Merely identifying and fixing the vulnerability that was used to initially compromise the machine may not be enough.
For detailed information about recovering from a system compromise, please see our "Steps for Recovering from a UNIX or NT System Compromise" tech tip at
Reporting

The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to email@example.com with the following text included in the subject line: "[CERT#28548]".
In addition, please see our explicit guidelines on reporting an incident at
Authors: Roman Danyliw, Chad Dougherty and Allen Householder
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
Getting security information

CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
July 3, 2001: Initial Release