F-Secure Virus Descriptions : Lebreat


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.


NAME: Lebreat
ALIAS: Breatle, W32/Lebreat@mm, W32/Reatle@MM

Summary

W32/Lebreat.A@mm is a mass-mailer and a network worm. It was found on July 15th, 2005. Shortly after the initial version, two more variants appeared. The worm also has a backdoor, a trojan downloader and DoS (Denial of Service) attack capabilities.

VARIANT: W32/Lebreat.A@mm

Detailed Description

The worm is a PE executable file about 15 kilobytes long, packed with the MEW file compressor and patched with PE_Patch.

Installation to System

When the worm is run, it creates a mutex named 'Breatle AntiVirus v1.0'. Then it copies itself to the Windows System directory as CCAPP.EXE and creates startup values for that file in the Registry:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Symantec" = "%WinSysDir%\ccapp.exe"

 [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
 "Symantec" = "%WinSysDir%\ccapp.exe"

where %WinSysDir% represents the Windows System folder. However, the value name under the second key is not one Windows uses to start a program, so that entry has no effect.

The worm also drops a copy of itself in the same folder under the name ATTACH.TMP. Both copies have the hidden attribute set.
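As an added example that is not part of the F-Secure write-up, the following Python parses `reg query` output and flags the startup values described above. The `reg query` text is a constructed sample; treating both `\system32\` and `\system\` as the Windows System directory, and the `find_dropped_files` input shape, are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of `reg query <key>` output from a host where Lebreat.A
# has written its startup values; the Messenger line is benign filler.
REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Symantec     REG_SZ    C:\WINDOWS\system32\ccapp.exe
    Messenger    REG_SZ    C:\Program Files\Messenger\msmsgs.exe /background

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Symantec     REG_SZ    C:\WINDOWS\system32\ccapp.exe
"""

# Assumption: the Windows System directory ends in \system32\ (NT line) or
# \system\ (9x line). The write-up only says %WinSysDir%\ccapp.exe.
LEBREAT_TARGET_RE = re.compile(r'\\(system32|system)\\ccapp\.exe"?$', re.IGNORECASE)
# Files the write-up says the worm drops in that directory, both hidden.
DROPPED_NAMES = {"ccapp.exe", "attach.tmp"}

def parse_reg_query(text: str) -> List[Tuple[str, str, str, str]]:
    """Turn `reg query` output into (key, value_name, type, data) tuples.
    Key lines start at column 0; value lines are indented and use runs of
    two or more spaces between name, type and data."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            entries.append((key, parts[0], parts[1], parts[2]))
    return entries

def find_lebreat_autoruns(text: str) -> List[Tuple[str, str]]:
    """(key, data) for every value whose target is ccapp.exe inside the
    System directory. Both keys from the write-up are reported, even though
    the Windows NT\\CurrentVersion\\Windows entry never actually starts it."""
    return [(key, data.strip()) for key, _name, _type, data in parse_reg_query(text)
            if LEBREAT_TARGET_RE.search(data.strip())]

def find_dropped_files(listing: List[Tuple[str, bool]]) -> List[str]:
    """Given (file_name, is_hidden) pairs from the System directory, return
    the hidden files whose names match the worm's dropped copies."""
    return [name for name, hidden in listing if hidden and name.lower() in DROPPED_NAMES]
```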

Spreading in E-mails

Before spreading in e-mails, the worm looks for e-mail addresses on all hard disks and RAM drives. Files with the following extensions are searched for e-mail addresses:

 asp
 txt
 adb
 tbb
 dbx
 html
 wab
 htm

The worm avoids sending messages to e-mail addresses that contain any of the following strings:

 @symantec
 @microsoft
 @avp
 @panda
 @fsecure
 @norton
 @virusli
 @norman
 @sopho
 @noreply
 @mm
 @trendmicro
 @mcafee
 winzip
 winrar
 icrosoft
 f-secur
 panda
 .gov
 icrosof

The worm uses the following subject texts in infected messages that it sends out:

 Hi
 Hello
 info
 Password
 **WARNING** Your Account Currently Disabled
 Importnat Information
 Mail Delivery System
 Email
 Error
 Bug
 Message could not be delivered

The worm uses the following message body texts in infected messages that it sends out:

 Your credit card was charged for $500 USD. For additional
 information see the attachment.

 Binary message is available.

 The message contains Unicode characters and has been sent as a
 binary attachment.

 Here are your banks documents

 The original message was included as an attachment.

 We have temporarily suspended your email account checkout the
 attachment for more info.

 You have successfully updated the password of your domain
 account checkout the attachment for more info.

 Important Notification checkout the attachment for more info.

 Your Account Suspended checkout the document.

 Your password has been updated checkout the document.

 checkout the attachment.

 Hello,
 I was in a hurry and I forgot to attach an important
 document. Please see attached.

The worm uses the following attachment names in infected messages that it sends out:

 account-report.exe
 payment.doc     <a lot of spaces>    .scr
 about.doc       <a lot of spaces>    .bat
 help.doc        <a lot of spaces>    .exe
 about.cpl
 archive.cpl
 about.scr
 archive.exe
 box.bat
 inbox.cpl
 box.scr
 inbox.exe
 docs.cpl
 admin.bat
 docs.scr
 read.cpl
 readme.cpl
 read.exe
 readme.scr
 data.scr
 file.cpl
 data.bat
 document.cpl
 doc.pif
 document.exe
 order.cpl
 order.exe

The worm forges the sender's e-mail address. The name part of the forged address is selected from the following variants:

 support
 admin
 alex
 david
 bob
 dan
 brent
 brenda
 fred
 ted
 tom
 leo
 linda
 paul
 ray
 mike
 mary
 john
 jon
 joe
 josh
 jerry
 jack
 jane
 matt
 robert
 helen
 michael
 root
 steve
 sales
 alerts
 adam

The domain part of the forged address is selected from the following variants:

 @symantec.com
 @msn.com
 @microsoft.com
 @yahoo.com
 @hotmail.com
 @google.com
 @antivirus.com
 @arcor.com
 @mcafee.com
 @ca.com
 @aol.com
 @matrix.com
 @support.com
 @trendmicro.com
 @gmail.com
 @google.com
 @nai.com

The worm also spreads using the LSASS exploit (MS04-011). See the Microsoft Bulletin for more information on the vulnerability, and run Windows Update to patch your systems now.

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Payload

The Lebreat worm tries to weaken the security settings of Microsoft Windows by modifying or creating specific Registry values. It attempts to disable System Restore, Registry tools, automatic updates, Security Center notifications and Task Manager. However, these attempts are unsuccessful (at least on our test systems).

The worm opens a backdoor on TCP port 8885. This backdoor is an FTP server that allows a remote party to manipulate the user's files.

The worm has trojan downloader capabilities. It downloads and runs a file called UPDATE3.EXE from the 'j0r.biz' website. That file is a mass-mailer written in Visual Basic. It is detected generically as 'Email-Worm.Win32.generic'.

The worm also tries to perform a DoS (Denial of Service) attack against Symantec's website.

VARIANT: W32/Lebreat.B@mm
VARIANT: W32/Lebreat.C@mm

These are minor variants of the W32/Lebreat.A@mm worm. Most of the functionality of these variants is identical to the .A variant. The differences are:

The .B variant of the worm installs itself as WINDOWS.EXE. It also downloads a file named PROTO.COM from the 'j0r.biz' website. The downloaded file is a variant of the Wootbot backdoor and is detected as 'Backdoor.Win32.Wootbot.gen'.

The .C variant of the worm also installs itself as WINDOWS.EXE.



Detection

F-Secure Anti-Virus detects Lebreat.A worm with the following updates:

[FSAV_Database_Version]
Version=2005-07-15_03

F-Secure Anti-Virus detects Lebreat.B and .C worms with the following updates:

[FSAV_Database_Version]
Version=2005-07-15_04




Writeup: Mikko Hypponen; July 15th, 2005;

Technical Details: Alexey Podrezov; July 15th, 2005;

F-Secure Corporation