- Joined
- 28.7.2003
- Posts
- 487
Apparently a new worm was found on Friday, so be on your guard.
No alarm, folks - I am forwarding this message as a precaution, as a preventive measure. Keep your firewalls up and your anti-virus active, and give your undivided attention to the following: This nasty worm was discovered on Friday July 15th!
Faithfully,
Sophia (moderator)
http://www.geocities.com/anarchosophia/
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
http://www.europe.f-secure.com/v-descs/lebreat.shtml
F-Secure Virus Descriptions : Lebreat
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
Radar Alert LEVEL 2
NAME: Lebreat
ALIAS: Breatle, W32/Lebreat@mm, W32/Reatle@MM
W32/Lebreat.A@mm is a mass-mailer and a network worm. It was found on July 15th, 2005. Shortly after the initial version, there appeared 2 more variants. The worm also has a backdoor, a trojan downloader and DoS (Denial of Service) attack capabilities.
VARIANT: W32/Lebreat.A@mm
Detailed Description
The worm is a PE executable file about 15 kilobytes long, packed with MEW file compressor and patched with PE_Patch.
Installation to System
When the worm is run, it creates a mutex named 'Breatle AntiVirus v1.0'. Then it copies itself to the Windows System directory as a file named CCAPP.EXE and creates startup key values for that file in the Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec" = "%WinSysDir%\ccapp.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Symantec" = "%WinSysDir%\ccapp.exe"
where %WinSysDir% represents the Windows System folder. However, the second startup key value should be different to start a file, so it won't work.
The worm also makes a copy of itself in that folder under the name ATTACH.TMP. Both copied files have hidden attributes.
Spreading in E-mails
Before spreading in e-mails the worm looks for e-mail addresses on all hard disks and RAM drives. Files with the following extensions are searched for e-mail addresses:
asp
txt
adb
tbb
dbx
html
wab
htm
The worm avoids sending messages to e-mail addresses that contain any of the following strings:
@symantec
@microsoft
@avp
@panda
@fsecure
@norton
@virusli
@norman
@sopho
@noreply
@mm
@trendmicro
@mcafee
winzip
winrar
icrosoft
f-secur
panda
.gov
icrosof
The worm uses the following subject texts in infected messages that it sends out:
Hi
Hello
info
Password
**WARNING** Your Account Currently Disabled
Importnat Information
Mail Delivery System
Email
Error
Bug
Message could not be delivered
The worm uses the following message body texts in infected messages that it sends out:
Your credit card was charged for $500 USD. For additional information see the attachment.
Binary message is available.
The message contains Unicode characters and has been sent as a
binary attachment.
Here are your banks documents
The original message was included as an attachment.
We have temporarily suspended your email account checkout the
attachment for more info.
You have successfully updated the password of your domain
account checkout the attachment for more info.
Important Notification checkout the attachment for more info.
Your Account Suspended checkout the document.
Your password has been updated checkout the document.
checkout the attachment.
Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
The worm uses the following attachment names in infected messages that it sends out:
account-report.exe
payment.doc <a lot of spaces> .scr
about.doc <a lot of spaces> .bat
help.doc <a lot of spaces> .exe
about.cpl
archive.cpl
about.scr
archive.exe
box.bat
inbox.cpl
box.scr
inbox.exe
docs.cpl
admin.bat
docs.scr
read.cpl
readme.cpl
read.exe
readme.scr
data.scr
file.cpl
data.bat
document.cpl
doc.pif
document.exe
order.cpl
order.exe
The worm fakes the sender's e-mail address. The sender's name for fake e-mail addresses is selected from the following variants:
support
admin
alex
david
bob
dan
brent
brenda
fred
ted
tom
leo
linda
paul
ray
mike
mary
john
jon
joe
josh
jerry
jack
jane
matt
robert
helen
michael
root
steve
sales
alerts
adam
The domain name for fake e-mail addresses is selected from the following variants:
@symantec.com
@msn.com
@microsoft.com
@yahoo.com
@hotmail.com
@google.com
@antivirus.com
@arcor.com
@mcafee.com
@ca.com
@aol.com
@matrix.com
@support.com
@trendmicro.com
@gmail.com
@google.com
@nai.com
The worm also spreads using the LSASS exploit (MS04-011). See the Microsoft Bulletin for more info on the vulnerability, and run Windows Update to patch your systems now.
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Payload
The Lebreat worm tries to tweak the security settings of Microsoft Windows by modifying or creating specific Registry key values. The worm tries to disable System Restore, Registry tools, autoupdate, Security Center notifications and Task Manager. However, these actions are unsuccessful (at least on our test systems).
The worm opens a backdoor on TCP port 8885. This backdoor is an FTP server that allows the user's files to be manipulated.
The worm has trojan downloader capabilities. It downloads and runs a file called UPDATE3.EXE from the 'j0r.biz' website. That file is a mass-mailer written in Visual Basic. It is detected generically as 'Email-Worm.Win32.generic'.
The worm also tries to perform a DoS (Denial of Service) attack against Symantec's website.
VARIANT: W32/Lebreat.B@mm
VARIANT: W32/Lebreat.C@mm
These are minor variants of the W32/Lebreat.A@mm worm. Most of the functionality of these variants is identical. The differences are:
The .B variant of the worm installs itself as a WINDOWS.EXE file. It also downloads a file named PROTO.COM from the 'j0r.biz' website. The downloaded file is a variant of the Wootbot backdoor and it is detected as 'Backdoor.Win32.Wootbot.gen'.
The .C variant of the worm also installs itself as a WINDOWS.EXE file.
F-Secure Anti-Virus detects the Lebreat.A worm with the following updates:
[FSAV_Database_Version]
Version=2005-07-15_03
F-Secure Anti-Virus detects Lebreat.B and .C worms with the following updates:
[FSAV_Database_Version]
Version=2005-07-15_04
Writeup: Mikko Hypponen; July 15th, 2005;
Technical Details: Alexey Podrezov; July 15th, 2005;
F-Secure Corporation
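A defender-side triage script, added here as an example and not part of the forwarded F-Secure description or of any F-Secure tool. It takes the indicators quoted above (the CCAPP.EXE, ATTACH.TMP and WINDOWS.EXE drop names, the "Symantec" Run-key value, the space-padded double-extension attachment names, the fixed subject lines, and the FTP backdoor on TCP port 8885) and applies them to constructed sample inputs: a `reg export`-style dump of the Run key, a `netstat -an`-style listing, and a few attachment names. All sample data and all function names are my own assumptions, not captured from an infection.

```python
import os
import re

# Indicators from the quoted F-Secure description of W32/Lebreat.A/.B/.C.
DROPPED_FILES = {"ccapp.exe", "attach.tmp", "windows.exe"}
BACKDOOR_PORT = 8885
EXEC_EXTENSIONS = {".exe", ".scr", ".bat", ".cpl", ".pif"}
KNOWN_SUBJECTS = {
    "**warning** your account currently disabled",
    "importnat information",          # the worm's own misspelling
    "mail delivery system",
    "message could not be delivered",
}

# "payment.doc <a lot of spaces> .scr": a harmless-looking extension, a run of
# whitespace to push the real extension out of view, then an executable one.
PADDED_DOUBLE_EXT = re.compile(
    r"\.[a-z0-9]{1,4}\s{2,}\.(exe|scr|bat|cpl|pif)$", re.IGNORECASE)


def classify_attachment(filename):
    """Return a reason string if the attachment name matches one of the
    worm's naming tricks, otherwise None."""
    if PADDED_DOUBLE_EXT.search(filename):
        return "padded double extension"
    ext = os.path.splitext(filename.strip().lower())[1]
    if ext in EXEC_EXTENSIONS:
        return "executable attachment (%s)" % ext
    return None


def suspicious_subject(subject):
    """True if the subject is one of the fixed strings the worm uses."""
    return subject.strip().lower() in KNOWN_SUBJECTS


def check_run_keys(reg_export):
    """Scan 'reg export'-style text ([key] headers, "name"="data" lines) for
    autostart values whose target is one of the worm's dropped file names.
    A genuine Symantec install also ships a ccApp.exe (under Program Files),
    so a hit should be confirmed by the path being the Windows System folder
    and the file carrying the hidden attribute."""
    findings = []
    key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"\s*=\s*"([^"]*)"', line)
        if not (m and key):
            continue
        name, data = m.groups()
        basename = data.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in DROPPED_FILES:
            findings.append((key, name, data))
    return findings


def check_listeners(netstat_output):
    """Return local endpoints from 'netstat -an'-style output that are
    listening on the worm's backdoor port."""
    hits = []
    for raw in netstat_output.splitlines():
        parts = raw.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port == BACKDOOR_PORT:
                hits.append(parts[1])
    return hits


# Constructed sample inputs (assumed, not captured from a real infection).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec"="C:\\WINDOWS\\system32\\ccapp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8885           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       10.0.0.2:80            ESTABLISHED
"""

SAMPLE_ATTACHMENTS = [
    "payment.doc" + " " * 60 + ".scr",
    "about.cpl",
    "doc.pif",
    "invoice.pdf",
]


def triage():
    """Run all three checks over the constructed samples."""
    return {
        "run_keys": check_run_keys(SAMPLE_REG),
        "listeners": check_listeners(SAMPLE_NETSTAT),
        "attachments": {n: classify_attachment(n) for n in SAMPLE_ATTACHMENTS},
    }


if __name__ == "__main__":
    for section, result in triage().items():
        print(section, "->", result)
```

The attachment check is the part worth keeping beyond this one worm: mail gateways of the time rendered `payment.doc` followed by sixty spaces as a document, while Windows ran it as a screensaver. Matching on the whitespace run plus a trailing executable extension catches that family of names regardless of the base name the worm picks.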