Virus: Worm/Bizaro
Date discovered: 13/12/2012
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 15.261 Bytes
MD5 checksum: 2dd448e3be3f95cba78d6dd0b0cdc52f
VDF version: 7.11.53.216

General:
Methods of propagation:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Reatle@mm
   •  Mcafee: W32/Reatle.gen@MM
   •  Kaspersky: Net-Worm.Win32.Lebreat.c
   •  TrendMicro: WORM_REATLE.B
   •  F-Secure: W32/Breatle.A@mm
   •  VirusBuster: I-Worm.Lebreat.A
   •  Bitdefender: Win32.Worm.Bretle.B


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Uses its own Email engine
   • Registry modification

Files:
It tries to download a file:

– The location is the following:
   • http://**********.biz/update3.exe
It is saved on the local hard drive under:
   • %SYSDIR%\update3.exe
Furthermore this file gets executed after it has been fully downloaded. Detected as: Worm/Bizaro.B

Registry:
The following registry keys are added in order to run the processes after reboot:

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   • "WIN"="c:\windows\\System32\\windows.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001
   • "WIN"="c:\windows\\System32\\windows.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   • "DisableSR"=dword:00000001
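Added example (not code from the Avira description): a small Python check that parses the text of a Windows `reg export` file and reports every value that matches the keys listed above. The indicator table and the sample export are constructed from the description; function names are this example's own.

```python
import re
DWORD_ONE = re.compile(r"^dword:0*1$", re.I)             # policy switched on
AUTORUN = re.compile(r"\\windows\.exe$", re.I)           # the dropped copy of the worm
# Indicators from the description above (key -> {value name: pattern}): "WIN" is the
# autostart entry; the dwords disable Task Manager, Registry Editor and System Restore.
BIZARO_REG_INDICATORS = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {"WIN": AUTORUN},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system": {
        "DisableTaskMgr": DWORD_ONE, "DisableRegistryTools": DWORD_ONE, "WIN": AUTORUN},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore": {"DisableSR": DWORD_ONE},
}

def parse_reg_export(text):
    """Parse 'reg export' text into {key: {name: data}} (lower-cased, HKLM-style hive)."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):            # new key
            hive, _, rest = line[1:-1].partition("\\")
            hive = {"HKEY_LOCAL_MACHINE": "HKLM"}.get(hive.upper(), hive.upper())
            current = keys.setdefault((hive + "\\" + rest).lower(), {})
        elif current is not None and line.startswith('"'):        # "name"=data
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name, data = m.group(1).lower(), m.group(2)
                if len(data) > 1 and data[0] == data[-1] == '"':
                    data = data[1:-1].replace("\\\\", "\\")       # un-escape REG_SZ
                current[name] = data
    return keys

def find_bizaro_indicators(reg_text):
    """Return 'key\\name=data' for every value matching an indicator above."""
    found, parsed = [], parse_reg_export(reg_text)
    for key, names in BIZARO_REG_INDICATORS.items():
        values = parsed.get(key.lower(), {})
        for name, pattern in names.items():
            data = values.get(name.lower())
            if data is not None and pattern.search(data):
                found.append(f"{key}\\{name}={data}")
    return found

# Constructed sample export resembling an infected host (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"WIN"="c:\\windows\\System32\\windows.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001"""
```

Run `find_bizaro_indicators(SAMPLE_EXPORT)` to see the four matching values; a clean export with the policy dwords set to 0 only reports the autostart entry, if present.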

Email:
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination server is established. The characteristics are described in the following:


From:
The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. The apparent sender might not know about the infection or might not be infected at all. Furthermore, you may receive bounced emails telling you that you are infected; this might also not be the case.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Message could not be delivered
   • Bug
   • Error
   • Email
   • Mail Delivery System
   • Importnat Information
   • **WARNING** Your Account Currently Disabled.
   • Password
   • info
   • Hello

In some cases the subject might also be empty.
Furthermore the subject line could contain random letters.


Body:
– In some cases it may be empty.
– In some cases it may contain random characters.

The body of the email is one of the following:

   • Your password has been updated checkout the document.
     checkout the attachment.

   • Hello,
     I was in a hurry and I forgot to attach an important
     document. Please see attached.

   • Your Account Suspended checkout the document.

   • Important Notification checkout the attachment for more info.

   • Your credit card was charged for $500 USD. For additional information see the attachment.
     Binary message is available.

   • The message contains Unicode characters and has been sent as a binary attachment.
     Here are your banks documents

   • The original message was included as an attachment.

   • We have temporarily suspended your email account checkout the attachment for more info.

   • You have successfully updated the password of your domain account checkout the attachment for more info.


Attachment:
The filename of the attachment is one of the following:
   • payment.doc %empty spaces%.scr; about.doc %empty spaces%.bat; help.doc %empty spaces%.exe;
      account-report.exe; about.cpl; about.scr; admin.bat; archive.cpl;
      archive.exe; box.bat; box.scr; data.bat; data.scr; doc.pif; docs.cpl;
      docs.scr; document.cpl; document.exe; file.cpl; inbox.cpl; inbox.exe;
      order.cpl; order.exe; read.cpl; read.exe; readme.cpl; readme.scr
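Added example (not code from the Avira description): a Python classifier for attachment filenames that recognises the names listed above, including the "%empty spaces%" form, where a run of spaces pushes the real executable extension out of the visible part of the name. It generalises that padding check to other document extensions; the function name and the verdict strings are this example's own.

```python
import re

# Attachment names listed in the description above; the three "%empty spaces%"
# entries (payment.doc, about.doc, help.doc) are matched by PADDED below.
KNOWN_NAMES = {
    "account-report.exe", "about.cpl", "about.scr", "admin.bat", "archive.cpl",
    "archive.exe", "box.bat", "box.scr", "data.bat", "data.scr", "doc.pif", "docs.cpl",
    "docs.scr", "document.cpl", "document.exe", "file.cpl", "inbox.cpl", "inbox.exe",
    "order.cpl", "order.exe", "read.cpl", "read.exe", "readme.cpl", "readme.scr",
}
PADDED_DOC_NAMES = ("payment.doc", "about.doc", "help.doc")
EXEC_EXT = ("scr", "bat", "exe", "pif", "cpl", "com")
# "<name>.doc<spaces>.scr": a harmless-looking document name, whitespace padding,
# then the extension Windows actually uses to decide how to open the file.
PADDED = re.compile(r"^(?P<shown>\S+\.(?:doc|txt|pdf|htm|html))\s+\.(?P<real>%s)$"
                    % "|".join(EXEC_EXT), re.I)


def classify_attachment(filename):
    """Return (verdict, displayed_name, real_extension) for one attachment filename.
    verdict: 'bizaro-name', 'padded-double-extension', 'executable' or 'other'."""
    name = filename.strip("\r\n")
    m = PADDED.match(name)
    if m:
        shown, real = m.group("shown"), m.group("real").lower()
        if shown.lower() in PADDED_DOC_NAMES:          # exact form used by the worm
            return "bizaro-name", shown, real
        return "padded-double-extension", shown, real  # same trick, other document name
    lower = name.lower()
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    if lower in KNOWN_NAMES:
        return "bizaro-name", name, ext
    if ext in EXEC_EXT:
        return "executable", name, ext
    return "other", name, ext
```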

Mailing:
Search addresses:
It searches the following files for email addresses:
   • .asp
   • .txt
   • .adb
   • .tbb
   • .dbx
   • .html
   • .htm
   • .wab


Address generation for FROM field:
To generate addresses it uses the following strings:
   • adam; admin; alerts; alex; bob; brenda; brent; dan; david; fred;
      helen; jack; jane; jerry; joe; john; jon; josh; leo; linda; mary;
      matt; michael; mike; paul; ray; robert; root; sales; steve; support;
      ted; tom

It combines the result with domains that were found in files, which were previously searched for addresses.


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • icrosof; .gov; panda; f-secur; icrosoft; winrar; winzip; @mcafee;
      @trendmicro; @mm; @noreply; @sopho; @norman; @virusli; @norton;
      @fsecure; @panda; @avp; @microsoft; @symantec

Network Infection:
Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)


IP address generation:
It creates random IP addresses and tries to establish a connection with them.


Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

Backdoor:
The following ports are opened:

   • %executed file% on UDP port 1024
   • %executed file% on TCP port 8885 in order to provide an FTP server.

DoS:
Right after it becomes active, it starts a DoS attack against the following destination:
   • www.symantec.com

Miscellaneous:
Mutex:
It creates the following Mutex:
   • Breatle AntiVirus v1.0


String:
Furthermore it contains the following strings:
   • Symantec
   • easy to talk but hard to work :)
   • what about working in symantec? :P
   • it is not only a mass mail worm it is also a lsass worm :)

Description inserted by Victor Tone on Thursday, August 4, 2005
Description updated by Oliver Auerbach on Thursday, August 25, 2005
