In the wild:
Methods of propagation:
• Local network
Aliases:
• Symantec: W32.Reatle@mm
• Mcafee: W32/Reatle.gen@MM
• Kaspersky: Net-Worm.Win32.Lebreat.c
• TrendMicro: WORM_REATLE.B
• F-Secure: W32/Breatle.A@mm
• VirusBuster: I-Worm.Lebreat.A
• Bitdefender: Win32.Worm.Bretle.B
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Downloads a malicious file
• Uses its own Email engine
• Registry modification
It tries to download a file:
– The location is the following:
It is saved on the local hard drive under:
– \update3.exe
Furthermore, this file is executed once the download has completed. Detected as:
The following registry keys are added in order to run the processes after reboot:
The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
It contains an integrated SMTP engine for sending email and establishes a direct connection to the destination mail server. The characteristics are described below:
The sender address is spoofed.
Generated addresses. Do not assume that the apparent sender intended to send this email to you: that person may not know about the infection, or may not be infected at all. You may also receive bounce messages claiming that you are infected; this need not be the case either.
– Email addresses found in specific files on the system.
The subject is one of the following:
• Message could not be delivered
• Mail Delivery System
• Importnat Information
• **WARNING** Your Account Currently Disabled.
In some cases the subject might also be empty.
Furthermore the subject line could contain random letters.
The body of the email:
– In some cases it may be empty.
– In some cases it may contain random characters.
Otherwise the body is one of the following:
• Your password has been updated checkout the document.
• checkout the attachment.
• I was in a hurry and I forgot to attach an important document. Please see attached.
• Your Account Suspended checkout the document.
• Important Notification checkout the attachment for more info.
• Your credit card was charged for $500 USD. For additional information see the attachment.
• Binary message is available.
• The message contains Unicode characters and has been sent as a binary attachment.
• Here are your banks documents
• The original message was included as an attachment.
• We have temporarily suspended your email account checkout the attachment for more info.
• You have successfully updated the password of your domain account checkout the attachment for more info.
The filename of the attachment is one of the following:
account-report.exe; about.cpl; about.scr; admin.bat; archive.cpl;
archive.exe; box.bat; box.scr; data.bat; data.scr; doc.pif; docs.cpl;
docs.scr; document.cpl; document.exe; file.cpl; inbox.cpl; inbox.exe;
order.cpl; order.exe; read.cpl; read.exe; readme.cpl; readme.scr
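As an added defender-side example (not part of the Avira description and not Avira's signature), the following Python snippet turns the subject, body and attachment indicators listed above into a simple mail-gateway triage check and runs it over a few constructed sample messages; the scoring weights and the threshold are assumptions.

```python
# Mail indicators transcribed from the description above (lower-cased for
# case-insensitive matching). "importnat" is the worm's own misspelling.
SUBJECTS = {
    "message could not be delivered", "mail delivery system",
    "importnat information", "**warning** your account currently disabled.",
}
BODY_PHRASES = (
    "checkout the document", "checkout the attachment",
    "forgot to attach an important", "charged for $500 usd",
    "binary message is available", "sent as a binary attachment",
    "here are your banks documents", "included as an attachment",
    "temporarily suspended your email account",
    "updated the password of your domain account",
)
ATTACHMENTS = set(
    "account-report.exe about.cpl about.scr admin.bat archive.cpl archive.exe "
    "box.bat box.scr data.bat data.scr doc.pif docs.cpl docs.scr document.cpl "
    "document.exe file.cpl inbox.cpl inbox.exe order.cpl order.exe read.cpl "
    "read.exe readme.cpl readme.scr".split()
)
EXEC_EXTS = (".exe", ".cpl", ".scr", ".bat", ".pif")  # extensions the lure uses

def score_message(subject, body, attachments):
    """Constructed heuristic: 2 points for a listed subject or attachment name,
    1 per listed body phrase, 1 for any other executable-type attachment.
    Returns (score, reasons) so an analyst can see why a mail was flagged."""
    score, reasons = 0, []
    if subject.strip().lower() in SUBJECTS:
        score, reasons = score + 2, reasons + ["subject"]
    lowered = " ".join(body.split()).lower()  # collapse line breaks in the body
    for phrase in BODY_PHRASES:
        if phrase in lowered:
            score, reasons = score + 1, reasons + ["body: " + phrase]
    for name in attachments:
        base = name.rsplit("/", 1)[-1].lower()  # compare the bare filename
        if base in ATTACHMENTS:
            score, reasons = score + 2, reasons + ["attachment: " + base]
        elif base.endswith(EXEC_EXTS):
            score, reasons = score + 1, reasons + ["executable: " + base]
    return score, reasons

def is_reatle_like(subject, body, attachments, threshold=3):
    """True when the combined indicators reach the (assumed) threshold."""
    return score_message(subject, body, attachments)[0] >= threshold

if __name__ == "__main__":
    # Constructed samples: a lure, a benign mail, and a lure with an empty subject.
    for msg in [("Mail Delivery System", "The original message was included as an attachment.", ["readme.scr"]),
                ("Re: lunch", "See you at noon.", ["menu.pdf"]),
                ("", "Your Account Suspended checkout the document.", ["Document.EXE"])]:
        print(is_reatle_like(*msg), score_message(*msg))
```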
It searches the following files for email addresses:
Address generation for FROM field:
To generate addresses it uses the following strings:
• adam; admin; alerts; alex; bob; brenda; brent; dan; david; fred;
helen; jack; jane; jerry; joe; john; jon; josh; leo; linda; mary;
matt; michael; mike; paul; ray; robert; root; sales; steve; support;
It combines these names with domains harvested from the files it previously searched for addresses.
It does not send emails to addresses containing one of the following strings:
• icrosof; .gov; panda; f-secur; icrosoft; winrar; winzip; @mcafee;
@trendmicro; @mm; @noreply; @sopho; @norman; @virusli; @norton;
@fsecure; @panda; @avp; @microsoft; @symantec
It makes use of the following Exploit:
IP address generation:
It creates random IP addresses and tries to establish a connection with them.
It creates an FTP script on the compromised machine so that the malware is downloaded to the remote host.
The following ports are opened:
– UDP port 1024
– TCP port 8885, which provides an FTP server.
Right after it becomes active, it starts a DoS attack against the following destination:
It creates the following Mutex:
• Breatle AntiVirus v1.0
Furthermore it contains the following strings:
• easy to talk but hard to work :)
• what about working in symantec? :P
• it is not only a mass mail worm it is also a lsass worm :)
Description inserted by Victor Tone on Thursday, August 4, 2005
Description updated by Oliver Auerbach on Thursday, August 25, 2005