Virus: Worm/Lebreat.A.1
Date discovered: 13/12/2012
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 46.080 Bytes
MD5 checksum: 2c2fb119ac5554722db92a0f6cb0a498
VDF version: 7.11.53.216

General Methods of propagation:
   • Email
   • Local network


Aliases:
   • Symantec: W32.Reatle.D@mm
   • Mcafee: W32/Reattle.gen.gen
   • Kaspersky: Net-Worm.Win32.Lebreat.gen
   • TrendMicro: WORM_REATLE.D
   • Sophos: W32/Lebreat-D
   • Panda: W32/Lebreat.F.worm
   • VirusBuster: I-Worm.Lebreat.C
   • Bitdefender: Win32.Worm.Bretle.D


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Drops files
   • Uses its own Email engine
   • Registry modification

Files:
It copies itself to the following locations:
   • %SYSDIR%\system23.exe
   • %SYSDIR%\xface.tmp
The archive contains a copy of the malware itself.



The following files are created:

– It creates the following archive containing a copy of the malware:
   • %SYSDIR%\xzip.tmp

– A file that contains collected email addresses:
   • %WINDIR%\xb12.dat

   • %WINDIR%\xsas.jpg

Registry:
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "System"="%SYSDIR%\system23.exe"



The values of the following registry keys are removed:

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • erthgdr
   • ICQNet
   • EasyAV
   • KasperskyAVEng

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • erthgdr
   • ICQNet
   • EasyAV
   • KasperskyAVEng



The following registry key is added:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001



The following registry key is changed:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
   Old value:
   • "DisableSR"=dword:00000000
   New value:
   • "DisableSR"=dword:00000001
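The registry changes above are the kind of thing an incident responder checks against an offline `reg export` of a suspect machine. The following is an added example, not code from the original description or from Avira: it parses the text form of a .reg export and reports the policy values and Run entry listed on this page. The function names are my own, the sample export is constructed, and `%SYSDIR%` is assumed to be `C:\WINDOWS\system32`.

```python
import re

# Added example, not code from the original description: parse a .reg export
# (the text format written by "reg export" / regedit) and report the
# Lebreat registry indicators listed above. Function names are my own; the
# sample export is constructed, with %SYSDIR% assumed to be
# C:\WINDOWS\system32.
POLICY_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
     "DisableTaskMgr", "dword:00000001"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
     "DisableRegistryTools", "dword:00000001"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore",
     "DisableSR", "dword:00000001"),
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_NAME = "system23.exe"

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax used by plain exports into
    {key_path_lowercase: {value_name_lowercase: data}}. Quoted string data
    is unescaped; dword data is kept as the literal 'dword:XXXXXXXX' text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name.lower()] = data
    return keys


def find_lebreat_registry_indicators(text):
    """Return [(value_name, data)] for each matching policy value and for any
    Run entry that launches the dropped system23.exe."""
    keys = parse_reg_export(text)
    findings = []
    for key, name, expected in POLICY_INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and data.lower() == expected:
            findings.append((name, data))
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if data.lower().endswith(DROPPED_NAME):
            findings.append(("Run:" + name, data))
    return findings


# Constructed sample export reflecting the keys documented on this page.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\system32\\system23.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
"""

if __name__ == "__main__":
    for finding in find_lebreat_registry_indicators(SAMPLE_EXPORT):
        print(finding)
```

Real exports from regedit are written as UTF-16 with a byte-order mark, so decode the file before handing its text to `find_lebreat_registry_indicators`. A `DisableSR` value that is present but still `dword:00000000` is not reported, which matches the "old value" shown above.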

Email:
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. The apparent sender might not know about the infection or might not even be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Re: Your file
   • Your file!!
   • Fw: Warning
   • Fw: Message
   • Warning
   • Re: Warning
   • Re: Well!
   • Re: Good!
   • Thank you!
   • Thanks!
   • Document
   • Message
   • Fax Message
   • Protected message
   • Notification
   • Fw: Informartion
   • Fw: Document
   • Re: Text message
   • Re: Hello
   • Re: Thanks
   • Re: Document
   • Encrypted document
   • Re: Hi
   • My photos
   • Hi! :-)
   • Price
   • Hello!
   • The Account
   • Your Account
   • Well..
   • Accounts department



Body:
The body of the email is one of the lines:
   • Document
   • Readme
   • Updates
   • text_document
   • Details
   • Information
   • Here take your credit card information in the attached file.
   • Bye :)
   • your file!!
   • Pay attention at the attach.
   • Message is in attach.
   • Check attached file.
   • Check attached file for details.
   • Attached file tells everything.
   • Attach tells everything.
   • Read the attach.
   • Looking forward for a response.
   • Your account has been blocked for more information read the
   • Empty
   • Everything inside the attach.


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following strings followed by several empty spaces:
   • Details
   • Document
   • Info
   • Information
   • Message
   • MoreInfo
   • Readme
   • Updates
   • text_document

–  The file extension is one of the following:
   • bat
   • cmd
   • cpl
   • exe
   • pif
   • scr
   • zip



Here are a few examples of what the filename of the attachment might look like:
   • Details .bat
   • Details .cmd
   • Info .zip
   • Information .cmd
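The padding spaces between the name and the extension are the detectable part of this scheme: they push the real extension out of view in a narrow attachment column. The following is an added example, not code from the original description or from Avira, of a mail-gateway check for the exact scheme above and, as a generalisation, for any executable or archive attachment whose extension is preceded by trailing spaces. The function names and the sample attachment names are my own.

```python
import re

# Added example, not code from the original description: detector for the
# attachment naming scheme documented above (prefix, padding spaces, then a
# dot and an executable or archive extension). Function names are my own.
PREFIXES = ("Information", "Info", "Details", "Document", "Message",
            "MoreInfo", "Readme", "Updates", "text_document")
EXTENSIONS = ("bat", "cmd", "cpl", "exe", "pif", "scr", "zip")

# Longer prefixes are listed first so "Information" is not cut short as "Info".
_LEBREAT_NAME = re.compile(
    r"^(?P<prefix>" + "|".join(re.escape(p) for p in PREFIXES) + r")"
    r"(?P<pad> +)"                       # one or more padding spaces
    r"\.(?P<ext>" + "|".join(EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def match_lebreat_attachment(filename):
    """Return (prefix, padding_length, extension) when the filename follows the
    documented scheme, or None otherwise."""
    m = _LEBREAT_NAME.match(filename)
    if m is None:
        return None
    return m.group("prefix"), len(m.group("pad")), m.group("ext").lower()


def is_space_padded_executable(filename):
    """Generalisation: flag any name whose final extension is one of the
    risky ones and is preceded by trailing spaces, whatever the prefix."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() not in EXTENSIONS:
        return False
    return stem != stem.rstrip(" ")


def triage_attachments(filenames):
    """Split a batch of attachment names into exact-scheme matches and the
    looser space-padded executables (names that match neither are dropped)."""
    exact, padded = [], []
    for name in filenames:
        if match_lebreat_attachment(name):
            exact.append(name)
        elif is_space_padded_executable(name):
            padded.append(name)
    return exact, padded


if __name__ == "__main__":
    # Constructed sample attachment names, not observed data.
    sample = ["Details .bat", "Info      .zip", "invoice    .exe",
              "report.pdf", "Details.bat"]
    print(triage_attachments(sample))
```

The exact matcher is useful for attribution; the padded-executable check is the one worth keeping in a gateway rule, since it does not depend on the worm's fixed word list.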

Mailing:
Search addresses:
It searches files with the following extensions for email addresses:
   • rb
   • cgi
   • txt
   • adb
   • tbb
   • dbx
   • wab
   • htm
   • html
   • asp


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • f-secure
   • trendmicro
   • .gov
   • panda
   • ntivi
   • cafee
   • kasp
   • symantec
   • sopho
   • @secunia
   • icrosoft
   • bugs@
   • @microsoft
   • @mm

Network Infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)


Infection process:
It creates an FTP script on the compromised remote machine in order to download the malware to that location.

Hosts:
The hosts file is modified as explained:

– In this case already existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • www.symantec.com
   • www.sarc.com
   • symantec.com
   • www.mcafee.com
   • sophos.com
   • mcafee.com
   • www.sophos.com
   • www.kaspersky.com
   • www.f-secure.com
   • kaspersky.com
   • www.nai.com
   • pandasoftware.com
   • www.ca.com
   • ca.com
   • www.my-etrust.com
   • download.mcafee.com
   • us.mcafee.com
   • liveupdate.symantec.com
   • f-secure.com
   • trendmicro.com
   • www.trendmicro.com
   • www.pandasoftware.com
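Because a legitimate hosts file never needs an entry for any of the domains above, their mere presence is an indicator, whatever address they point to. The following is an added example, not code from the original description or from Avira: it parses hosts-file text and reports every watched domain, leaving other entries alone (the page notes that pre-existing entries remain unmodified, so a legitimate mapping beside the injected ones is expected and is not flagged). The function names are my own and the sample hosts content is constructed.

```python
import ipaddress

# Added example, not code from the original description: scan a Windows
# hosts file for the security-vendor domains listed above. Function names
# are my own; SAMPLE_HOSTS is constructed.
LEBREAT_BLOCKED_DOMAINS = frozenset([
    "www.symantec.com", "www.sarc.com", "symantec.com", "www.mcafee.com",
    "sophos.com", "mcafee.com", "www.sophos.com", "www.kaspersky.com",
    "www.f-secure.com", "kaspersky.com", "www.nai.com", "pandasoftware.com",
    "www.ca.com", "ca.com", "www.my-etrust.com", "download.mcafee.com",
    "us.mcafee.com", "liveupdate.symantec.com", "f-secure.com",
    "trendmicro.com", "www.trendmicro.com", "www.pandasoftware.com",
])


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file text.
    Comments, blank lines and lines without a valid address are skipped; one
    line may map several hostnames to one address."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield lineno, fields[0], host.lower().rstrip(".")


def find_hijacked_security_domains(text, watchlist=LEBREAT_BLOCKED_DOMAINS):
    """Return [(line_number, ip, host)] for every watched domain present.
    Any mapping counts (127.0.0.1, 0.0.0.0 or elsewhere); entries for other
    hosts are left alone."""
    return [(n, ip, host) for n, ip, host in parse_hosts(text) if host in watchlist]


# Constructed sample: a stock header, one legitimate local entry, and the
# kind of injected lines this worm adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (constructed sample)
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # pre-existing, legitimate
127.0.0.1 www.symantec.com
127.0.0.1 symantec.com liveupdate.symantec.com
0.0.0.0   www.mcafee.com
"""

if __name__ == "__main__":
    for finding in find_hijacked_security_domains(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % finding)
```

On Windows the file lives at `%SYSTEMROOT%\System32\drivers\etc\hosts`; read it as text and pass the content in. Reporting the line number lets the responder remove only the injected lines and keep the legitimate ones.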


Backdoor:
The following ports are opened:

   • %executed file% on TCP port 3351 in order to provide an FTP server.
   • %executed file% on TCP port 8190

Miscellaneous:
Mutex:
It creates the following Mutexes:
   • ____--->>>>U<<<<--____
   • AdmSkynetJklS003
   • SkynetSasserVersionWithPingFast
   • LK[SkyNet.cz]SystemsMutex
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • MI[SkyNet.cz]SystemsMutex
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
   • BreatleAV_v4.0

File details:
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Alexandru Tudor on Monday, August 1, 2005
Description updated by Oliver Auerbach on Wednesday, August 24, 2005
