Worm spells double trouble for PCs

Combined mass-mailing worm and network worm attempts to hijack computers and to launch a DoS attack on Symantec's Web site.

Joris Evers Staff Writer, CNET News.com
A double-edged threat that attempts to hijack PCs has surfaced in at least three variants, security companies warned on Friday.

The new pest, Lebreat, is a combined network worm and mass-mailing worm, F-Secure said. Once run on a PC, it installs a backdoor for hackers, downloads the mass-mailer code and attempts to launch a denial-of-service attack that targets security giant Symantec's Web site, the Finnish antivirus specialist said. The malicious code is also known as Breatle and Reatle at other antivirus companies.

"This virus claims to be 'Breatle AntiVirus v1.0,' and it spreads over both e-mail and network vulnerabilities," F-Secure said.

The network-worm part of Lebreat exploits a known Windows flaw in a component called the Local Security Authority Subsystem Service, the security company said. The LSASS vulnerability was also used by the Sasser worm, F-Secure said in its advisory. Microsoft issued a patch for the LSASS flaw last year.

Lebreat is also a mass-mailer, which means it travels as an attachment in an e-mail message.

Once installed, Lebreat harvests e-mail addresses from the compromised PC and starts sending itself to those addresses. It also begins scanning the Internet for computers vulnerable to the LSASS flaw. On the PC, it installs the backdoor and attempts to tweak Windows settings to disable security features such as System Restore and Automatic Updates, but fails to do so, F-Secure said.

As is common with e-mail worms, Lebreat uses a number of subject lines, message body texts and names for the attachment, F-Secure said. One example of a body text is: "Your credit card was charged for $500 USD. For additional information see the attachment." The sender address is also faked.
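The mass-mailer traits described above (a directly executable attachment, a lure body text, a sender that does not match the envelope) are exactly what a mail gateway can check before the attachment ever reaches a user. The following is an added example, not code from the article or from any of the vendors it cites: it parses a raw message with Python's standard `email` package and reports the heuristic hits. The list of executable extensions, the lure phrases (taken from the one body text the article quotes) and the From/Return-Path mismatch rule are assumed, constructed heuristics, and the two sample messages are constructed here for illustration.

```python
import os
import re
import email
from email import policy
from email.message import EmailMessage

# Assumed heuristic: extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Assumed heuristic: phrases seen in the lure text the article quotes.
LURE_PATTERNS = [
    re.compile(r"credit card was charged", re.I),
    re.compile(r"see the attachment", re.I),
]


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if none."""
    return addr.rsplit("@", 1)[-1].strip(" <>").lower() if "@" in addr else ""


def findings(raw: bytes) -> list[str]:
    """Scan one raw RFC 822 message and return a list of heuristic hits.

    An empty list means none of the mass-mailer traits were observed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []

    # 1. Directly executable attachment, by file extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            hits.append(f"executable attachment: {name}")

    # 2. Lure text in the body (plain part preferred, HTML as fallback).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for pat in LURE_PATTERNS:
        if pat.search(text):
            hits.append(f"lure text: {pat.pattern}")

    # 3. Forged sender: the From: domain differs from the envelope sender's
    #    domain recorded in Return-Path (assumed heuristic; only checked when
    #    both headers are present).
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    if from_dom and rp_dom and from_dom != rp_dom:
        hits.append(f"sender mismatch: From={from_dom} Return-Path={rp_dom}")

    return hits


def build_worm_sample() -> bytes:
    """Constructed message mimicking the lure the article describes."""
    msg = EmailMessage()
    msg["Return-Path"] = "<zombie@example.net>"
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your account"
    msg.set_content(
        "Your credit card was charged for $500 USD. "
        "For additional information see the attachment."
    )
    # Four bytes of an MZ header stand in for the worm binary (constructed).
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="details.exe")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message with a PDF attachment and matching sender."""
    msg = EmailMessage()
    msg["Return-Path"] = "<alice@example.com>"
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today's meeting are attached.")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("worm", build_worm_sample()), ("benign", build_benign_sample())):
        print(label, findings(raw))
```

Any one hit is a weak signal on its own; a gateway would typically quarantine on the executable attachment alone and use the other two to raise the score, since the article notes that subject lines and body texts vary between copies while the attachment stays executable.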

Shortly after the first version of Lebreat appeared, two variants were detected, F-Secure said. The mutations have largely the same payload. F-Secure ranks Lebreat as a "Level 2" threat, which means it is causing large infections, according to a notice on the F-Secure Web site.

MessageLabs had stopped 5,636 copies of e-mail messages containing Lebreat by late morning on Friday, a company representative said. The e-mail security specialist classifies it as a "medium outbreak."

Symantec has also detected the worm, but has not seen it spread widely, said Dave Cole, a director of product management at Symantec Security Response. Cole confirmed that the worm attempts to launch a distributed denial-of-service attack against the Symantec Web site, but the company is not worried about it. "We don't expect this to create problems," he said.

To protect against Lebreat, as with other threats, users should be cautious when opening e-mail attachments, apply security patches and run up-to-date antivirus software, security companies advised.