Summary
| Property | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | October 2005 (3.98) |
| Protection available since | 24 August 2005 22:49:37 (GMT) |
| Detected by | All Sophos products |
Action
Please read the instructions for removing W32/Lebreat-F.
More Information
W32/Lebreat-F is a mass-mailing worm and backdoor for the Windows platform.
W32/Lebreat-F spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039).
W32/Lebreat-F also contains the functionality to act as an FTP server, allowing access to remote users.
W32/Lebreat-F will also attempt to download and execute a file from a predefined URL. This file was not available at the time of analysis.
W32/Lebreat-F will also send itself to email addresses harvested from the infected computer, with the following attributes:
Subject line:
Changes..
Fax Message
Forum notify
Incoming message
Notification
Protected message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Message
Re: Incoming Msg
Re: Message Notify
Re: Msg reply
Re: Protected message
Re: Text message
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Site changes
Update
Message text:
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Encrypted document
Here is the file.
Message is in attach
More info is in attach
Pay attention at the attach.
Please, have a look at the attached file.
Please, read the document.
Read the attach.
See attach.
See the attached file for details.
Try this.
webmaster
Your document is attached.
Your file is attached.
Emails will appear to come from the following domains:
aol.com
ca.com
f-secure.com
kaspersky.com
mcafee.com
microsoft.com
msn.com
sarc.com
security.com
securityfocus.com
sophos.com
symantec.com
trendmicro.com
yahoo.com
W32/Lebreat-F avoids sending to addresses containing the following text:
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
norton
postmaster@
rating@
samples
support
update
winrar
winzip
W32/Lebreat-F will move itself to the Windows system folder and create the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winhost
<Windows system folder>\winhost.exe
W32/Lebreat-F will also copy itself to the following files located in the Windows system folder:
<several spaces>.exe
e images.exe
e.doc<several spaces>.exe
Windows Sourcecode update.doc<several spaces>.exe
winhost.tmp
W32/Lebreat-F removes a large number of registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Lebreat-F copies itself to any folders with names containing 'shar' with the following filenames:
XXX hardcore images.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
New patch.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Kaspersky Antivirus 5.0.exe
Ahead Nero 7.exe
W32/Lebreat-F will drop files to the following locations:
<Windows folder>\beagle.exe (detected as W32/Bagle-BW)
<Windows system folder>\beagle.exe (detected as W32/Bagle-BW)
<Windows folder>\scan.exe (detected as W32/Lilbre-A)
<Windows folder>\sgm32.dll (harmless, can safely be removed)
<Windows system folder>\mcafee.exe (detected as W32/Lilbre-A)
W32/Lebreat-F will append the following to the HOSTS file in order to block access to security-related URLs:
127.0.0.1 ca.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mcafee.com
127.0.0.1 pandasoftware.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sarc.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.trendmicro.com
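The HOSTS tampering above is one of the easier infection indicators to check for, since a HOSTS entry resolving a security vendor's domain to loopback is almost never legitimate. The following is an added example (not Sophos code, and not part of the original analysis) that parses HOSTS content, flags such entries, and produces a cleaned copy; the vendor-domain list and the sample HOSTS text are constructed from the entries listed on this page.

```python
from typing import List, Tuple

# Base domains of the security vendors the worm sinkholes (taken from the
# HOSTS lines listed above). A loopback mapping for any of these is flagged.
SECURITY_DOMAINS = {
    "ca.com", "mcafee.com", "f-secure.com", "kaspersky.com", "symantec.com",
    "pandasoftware.com", "sophos.com", "trendmicro.com", "my-etrust.com",
    "nai.com", "sarc.com",
}
# Addresses that effectively blackhole a name when used in HOSTS.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def _base_domain(host: str) -> str:
    """Reduce e.g. liveupdate.symantec.com to symantec.com (last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_sinkholed_hosts(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for each HOSTS entry that maps a
    security-vendor domain to a loopback/blackhole address."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            if _base_domain(name) in SECURITY_DOMAINS:
                hits.append((lineno, ip, name.lower()))
    return hits


def clean_hosts(hosts_text: str) -> str:
    """Return the HOSTS content with the flagged lines removed."""
    bad = {ln for ln, _, _ in find_sinkholed_hosts(hosts_text)}
    kept = [l for i, l in enumerate(hosts_text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: a normal localhost entry followed by worm-style lines.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 download.mcafee.com
"""

if __name__ == "__main__":
    for ln, ip, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {ln}: {name} -> {ip}")
```

On a live system the same functions can be run over the contents of `%SystemRoot%\System32\drivers\etc\hosts`; the localhost line is left untouched because `localhost` is not a vendor domain.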
The following patches for the operating system vulnerabilities exploited by W32/Lebreat-F can be obtained from the Microsoft website:
MS04-011
MS05-039
