Aliases

W32/Reatle.gen

Worm.Mytob.GH



Type Worm



W32/Lebreat-E is a worm and backdoor Trojan for the Windows platform.

W32/Lebreat-E spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011).

W32/Lebreat-E attempts a denial-of-service attack on the sites www.sophos.com and www.kaspersky.com.

W32/Lebreat-E will send itself to email addresses harvested from the infected computer. These emails have the subject line "Re_" and message text chosen from the following:

Animals

foto3 and MP3

fotogalary and Music

fotoinfo

Lovely animals

Predators

Screen and Music

The snake

The worm is included as an attachment as either a ZIP file or an executable file with one of the following extensions:

BAT

CMD

COM

CPL

EXE

PIF

SCR

The attachment name is chosen from the following:

Cat

Cool_MP3

Dof

Fish

Garry

MP3

Music_MP3

New_MP3_Player

The attachment filename includes a large number of spaces between the base name and the file extension.

The email From address is spoofed and will appear to come from one of these usernames:

admin

support

The email will appear to come from one of these domains:

aol.com

ca.com

f-secure.com

kaspersky.com

mastercard.com

mcafee.com

msn.com

paypal.com

sarc.com

security.com

securityfocus.com

sophos.com

symantec.com

trendmicro.com

visa.com

yahoo.com
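The email characteristics listed above (fixed subject, lure base names, executable or ZIP attachments, space-padded extensions, and spoofed sender addresses) can be turned into a simple mail-gateway triage check. The following is an added example written for this page, not Sophos code: it scores a message against those indicators. The sender/subject/attachment inputs are constructed, and the threshold of two or more spaces for "a large number of spaces" is an assumption, since the description gives no exact count.

```python
from __future__ import annotations

import re

# Indicators transcribed from the W32/Lebreat-E description above.
SUBJECT = "Re_"
ATTACHMENT_BASENAMES = {
    "Cat", "Cool_MP3", "Dof", "Fish", "Garry", "MP3", "Music_MP3", "New_MP3_Player",
}
EXECUTABLE_EXTENSIONS = {"bat", "cmd", "com", "cpl", "exe", "pif", "scr"}
SPOOFED_USERS = {"admin", "support"}
SPOOFED_DOMAINS = {
    "aol.com", "ca.com", "f-secure.com", "kaspersky.com", "mastercard.com",
    "mcafee.com", "msn.com", "paypal.com", "sarc.com", "security.com",
    "securityfocus.com", "sophos.com", "symantec.com", "trendmicro.com",
    "visa.com", "yahoo.com",
}

# Base name, a run of spaces, then the extension. The description says only
# "a large number of spaces"; the 2+ threshold is an assumption chosen to catch
# the visual-padding trick while leaving ordinary filenames alone.
PADDED_NAME_RE = re.compile(r"^(?P<base>.*?\S) {2,}\.(?P<ext>[A-Za-z0-9]{1,4})$")


def attachment_indicators(filename: str) -> list[str]:
    """Return the reasons an attachment name matches the described pattern."""
    hits: list[str] = []
    m = PADDED_NAME_RE.match(filename)
    if m:
        hits.append("space-padded extension")
        base, ext = m.group("base"), m.group("ext").lower()
    else:
        # Plain "name.ext"; a name without a dot yields an empty base and no hits.
        base, _, ext = filename.rpartition(".")
        base, ext = base.strip(), ext.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        hits.append(f"executable extension .{ext}")
    elif ext == "zip":
        hits.append("ZIP archive (inspect contents)")
    if base in ATTACHMENT_BASENAMES:
        hits.append(f"known lure base name {base!r}")
    return hits


def message_indicators(sender: str, subject: str, attachment: str | None) -> list[str]:
    """Collect every indicator a single message shows; an empty list means none."""
    hits: list[str] = []
    if subject.strip() == SUBJECT:
        hits.append("subject 'Re_'")
    user, _, domain = sender.lower().rpartition("@")
    if user in SPOOFED_USERS and domain in SPOOFED_DOMAINS:
        hits.append(f"spoofed sender {user}@{domain}")
    if attachment:
        hits.extend(attachment_indicators(attachment))
    return hits


if __name__ == "__main__":
    # Constructed sample messages, not captured mail.
    samples = [
        ("support@sophos.com", "Re_", "Cool_MP3                          .scr"),
        ("alice@example.org", "Lunch", "notes.pdf"),
    ]
    for sender, subject, attachment in samples:
        print(sender, subject, attachment, "->", message_indicators(sender, subject, attachment))
```

A single indicator (a "Re_" subject on its own, or a ZIP from yahoo.com) is weak evidence; a gateway rule would normally act on the combination of a spoofed vendor sender, a lure base name and a padded or executable extension, and quarantine rather than delete so false positives can be recovered.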

W32/Lebreat-E will avoid sending to email addresses containing the following strings:

@microsoft.com

@mm

bugs@

cafee

f-secure

kasp

ntivi

panda

sopho

symantec

trendmicro

W32/Lebreat-E runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

The system HOSTS file is modified, preventing access to the following web addresses:

127.0.0.1 ca.com

127.0.0.1 download.mcafee.com

127.0.0.1 f-secure.com

127.0.0.1 kaspersky.com

127.0.0.1 liveupdate.symantec.com

127.0.0.1 mcafee.com

127.0.0.1 pandasoftware.com

127.0.0.1 sophos.com

127.0.0.1 symantec.com

127.0.0.1 trendmicro.com

127.0.0.1 us.mcafee.com

127.0.0.1 www.ca.com

127.0.0.1 www.f-secure.com

127.0.0.1 www.kaspersky.com

127.0.0.1 www.mcafee.com

127.0.0.1 www.my-etrust.com

127.0.0.1 www.nai.com

127.0.0.1 www.pandasoftware.com

127.0.0.1 www.sarc.com

127.0.0.1 www.sophos.com

127.0.0.1 www.symantec.com

127.0.0.1 www.trendmicro.com
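Because the worm redirects security-vendor hostnames to the loopback address, an infected machine can no longer reach update servers, and that redirection is itself a useful host-based indicator. The following is an added example for this page, not Sophos code: it parses HOSTS-file text and reports any watched vendor domain (or subdomain) mapped to a loopback or unspecified address. The HOSTS content is constructed; the watched-domain set is taken from the entries listed above.

```python
import ipaddress

# Vendor domains from the HOSTS entries above; subdomains such as
# liveupdate.symantec.com match through the suffix check below.
WATCHED_DOMAINS = {
    "ca.com", "f-secure.com", "kaspersky.com", "mcafee.com", "my-etrust.com",
    "nai.com", "pandasoftware.com", "sarc.com", "sophos.com", "symantec.com",
    "trendmicro.com",
}

# Constructed sample HOSTS content (not a real capture). Lines 3 to 6 mimic
# the kind of entries described above; the others are benign.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 download.mcafee.com
127.0.0.1\tliveupdate.symantec.com
127.0.0.1 www.sophos.com   # trailing comment
0.0.0.0   WWW.Kaspersky.COM
192.168.1.10 fileserver.corp.example
"""


def _is_sinkhole(ip_text: str) -> bool:
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_watched(hostname: str) -> bool:
    """Match a watched domain exactly or as a parent of the hostname."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def hijacked_entries(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for each watched name sent to a sinkhole."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()                 # spaces or tabs, several names per line
        ip, names = fields[0], fields[1:]
        if not _is_sinkhole(ip):
            continue
        for name in names:
            if _is_watched(name):
                hits.append((lineno, ip, name.lower()))
    return hits


if __name__ == "__main__":
    for lineno, ip, name in hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On a live Windows host the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; any hit should prompt restoring the file from a known-good copy and a full scan, since the entries are a symptom of the infection rather than its cause.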

Microsoft provides a patch for the LSASS vulnerability at the following URL:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx



http://www.sophos.com/virusinfo/analyses/w32lebreate.html