W32/Lebreat-A

Please follow the instructions for removing worms.

Please contact technical support.

W32/Lebreat-A is a worm with a backdoor component for the Windows platform.

W32/Lebreat-A spreads by exploiting the LSASS vulnerablity.

W32/Lebreat-A will send itself to email addresses harvested from the infected computer. These emails will have the following properties:

Subject:

**WARNING** Your Account Currently Disabled.
Email
Error
Hello
Importnat Information
info
Mail Delivery System
Message could not be delivered
Password

Message text:

Your credit card was charged for $500 USD. For additional information see the attachment.

Binary message is available.

The message contains Unicode characters and has been sent as a binary attachment.

Here are your banks documents

The original message was included as an attachment.

We have temporarily suspended your email account checkout the attachment for more info.

You have successfully updated the password of your domain account checkout the attachment for more info.

Important Notification checkout the attachment for more info.

Your Account Suspended checkout the document.

Your password has been updated checkout the document.

checkout the attachment.

Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached. W32/Lebreat-A is a worm with a backdoor component for the Windows platform.

W32/Lebreat-A spreads by exploiting the LSASS vulnerablity.

W32/Lebreat-A will send itself to email addresses harvested from the infected computer. These emails will have the following properties:

Subject:

**WARNING** Your Account Currently Disabled.
Email
Error
Hello
Importnat Information
info
Mail Delivery System
Message could not be delivered
Password

Message text:

Your credit card was charged for $500 USD. For additional information see the attachment.

Binary message is available.

The message contains Unicode characters and has been sent as a binary attachment.

Here are your banks documents

The original message was included as an attachment.

We have temporarily suspended your email account checkout the attachment for more info.

You have successfully updated the password of your domain account checkout the attachment for more info.

Important Notification checkout the attachment for more info.

Your Account Suspended checkout the document.

Your password has been updated checkout the document.

checkout the attachment.

Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.

The attachment will have one of the following names:

about.cpl
about.doc<several spaces>.bat
about.scr
account-report.exe
admin.bat
archive.cpl
archive.exe
box.bat
box.scr
data.bat
data.scr
doc.pif
docs.cpl
docs.scr
document.cpl
document.exe
file.cpl
help.doc<several spaces>.exe
inbox.cpl
inbox.exe
order.cpl
order.exe
payment.doc<several spaces>.scr
read.cpl
read.exe
readme.cpl
readme.scr

The email will appear to come from a combination of one of these usernames:

adam
admin
alerts
alex
brenda
brent
david
fred
helen
jack
jane
jerry
john
josh
linda
mary
matt
michael
mike
paul
robert
root
sales
steve
support

and these domains:

antivirus.com
aol.com
arcor.com
ca.com
gmail.com
google.com
hotmail.com
matrix.com
mcafee.com
microsoft.com
msn.com
nai.com
support.com
symantec.com
trendmicro.com
yahoo.com

W32/Lebreat-A will avoid sending to email addresses containing the following strings:

icrosof
.gov
panda
f-secur
icrosoft
winrar
winzip
@mcafee
@trendmicro
@noreply
@sopho
@norman
@virusli
@norton
@fsecure
@panda
@avp
@microsoft
@symantec

W32/Lebreat-A will also open a ftp backdoor on port 8885 and attempt to perform a Distributed Denial of Service attack on www.symantec.com.

W32/Lebreat-A will copy itself to the Windows system folder as ccapp.exe and attach.tmp and create the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec
<Windows system folder>\ccapp.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Symantec
<Windows system folder>\ccapp.exe

W32/Lebreat-A will also create or modify the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
1

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
1

HKCU\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
1

HKCU\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
1

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKCU\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKCU\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKCU\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

W32/Lebreat-A may create a file named xzy6.tmp in the Windows folder which is a list of the collected email addresses. This file can be safely removed and is harmless.

W32/Lebreat-A will attempt to download and execute the file update3.exe from a predefined URL.

Microsoft provides a patch for the LSASS vulnerablity at the following URL:

MS04-011