In the wild:
Medium to high
Methods of propagation:
• Local network
• Symantec: W32.Reatle.D@mm
• Mcafee: W32/Reattle.gen.gen
• Kaspersky: Net-Worm.Win32.Lebreat.gen
• TrendMicro: WORM_REATLE.D
• Sophos: W32/Lebreat-D
• Panda: W32/Lebreat.F.worm
• VirusBuster: I-Worm.Lebreat.C
• Bitdefender: Win32.Worm.Bretle.D
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Blocks access to security websites
• Drops files
• Uses its own Email engine
• Registry modification
It copies itself to the following locations:
The archive contains a copy of the malware itself.
The following files are created:
– It creates the following archive containing a copy of the malware:
– A file that contains collected email addresses:
The following registry key is added in order to run the process after reboot:
The values of the following registry keys are removed:
The following registry key is added:
The following registry key is changed:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. Its characteristics are described below:
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. The sender might not know about the infection or might not even be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.
– Email addresses found in specific files on the system.
One of the following:
• Re: Your file; Your file!!; Fw: Warning; Fw: Message; Warning; Re:
Warning; Re: Well!; Re: Good!; Thank you!; Thanks!; Document; Message;
Fax Message; Protected message; Notification; Fw: Informartion; Fw:
Document; Re: Text message; Re: Hello; Re: Thanks; Re: Document;
Encrypted document; Re: Hi; My photos; Hi! :-); Price; Hello!; The
Account; Your Account; Well..; Accounts department
The body of the email is one of the lines:
• Here take your credit card information in the attached file.
• Bye :)
• your file!!
• Pay attention at the attach.
• Message is in attach.
• Check attached file.
• Check attached file for details.
• Attached file tells everything.
• Attach tells everything.
• Read the attach.
• Looking forward for a response.
• Your account has been blocked for more information read the
• Everything inside the attach.
The filename of the attachment is constructed out of the following:
– It starts with one of the following strings followed by several empty spaces:
The file extension is one of the following:
Here are a few examples of what the filename of the attachment might look like:
• Details .bat
• Details .cmd
• Info .zip
• Information .cmd
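A mail-gateway check for the padded attachment names described above, as an added example that is not part of the original description. The function names are hypothetical, the extension set is an assumption limited to the extensions in the examples above, and the sample message is constructed.

```python
import email
import re

# Assumption: only the extensions seen in this page's filename examples.
RISKY_EXTENSIONS = {".bat", ".cmd", ".zip"}
# Stem, whitespace padding, then the final ".ext".
PADDED = re.compile(r"^(?P<stem>.*\S)(?P<pad>\s+)(?P<ext>\.[^.\s]+)$")


def check_filename(name):
    """Return (padding_length, extension) when whitespace separates the stem
    from a risky extension, else None."""
    m = PADDED.match(name.strip())
    if not m:
        return None
    ext = m.group("ext").lower()
    return (len(m.group("pad")), ext) if ext in RISKY_EXTENSIONS else None


def suspicious_attachments(raw_message):
    """Parse an RFC 822 message and list attachments with padded names."""
    hits = []
    for part in email.message_from_string(raw_message).walk():
        name = part.get_filename()
        result = check_filename(name) if name else None
        if result:
            hits.append((name, *result))
    return hits


# Constructed sample message (not captured traffic).
SAMPLE_NAME = "Details" + " " * 10 + ".cmd"
SAMPLE = "\n".join([
    "From: sender@example.com",
    "Subject: Re: Your file",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "", "--b1",
    "Content-Type: text/plain",
    "", "Check attached file.", "--b1",
    "Content-Type: application/octet-stream",
    f'Content-Disposition: attachment; filename="{SAMPLE_NAME}"',
    "", "placeholder", "--b1--", "",
])

if __name__ == "__main__":
    for hit in suspicious_attachments(SAMPLE):
        print(hit)
```

The padding pushes the real extension out of view in narrow attachment lists, so the check keys on whitespace directly before the final dot rather than on the stem.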
It searches the following files for email addresses:
It does not send emails to addresses containing one of the following strings:
• f-secure; trendmicro; .gov; panda; ntivi; cafee; kasp; symantec;
sopho; @secunia; icrosoft; bugs@; @microsoft; @mm
In order to ensure its propagation, the malware attempts to connect to other machines as described below.
It makes use of the following Exploit:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.
The hosts file is modified as follows:
– In this case already existing entries remain unmodified.
– Access to the following domains is effectively blocked:
The following ports are opened:
on TCP port 3351 in order to provide an FTP server.
on TCP port 8190
It creates the following Mutexes:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Alexandru Tudor on Monday, August 1, 2005
Description updated by Oliver Auerbach on Wednesday, August 24, 2005