Sophos

W32/Lebreat-E

Aliases
  • W32/Reatle.gen
  • Worm.Mytob.GH

How it spreads
  • Email attachments
Affected operating systems Windows
Protection available since 1 August 2005 13:14:08 (GMT)
Last updated 9 August 2005 15:47:06 (GMT)
Detected by All Sophos products

More Information

W32/Lebreat-E is a worm and backdoor Trojan for the Windows platform.

W32/Lebreat-E spreads to other network computers by exploiting common buffer overflow vulnerabilities, including the LSASS vulnerability (MS04-011).

W32/Lebreat-E attempts a denial-of-service attack on the sites www.sophos.com and www.kaspersky.com.

W32/Lebreat-E will send itself to email addresses harvested from the infected computer. These emails have subject line "Re_" and message text chosen from the following:

Animals
foto3 and MP3
fotogalary and Music
fotoinfo
Lovely animals
Predators
Screen and Music
The snake

The worm is included as an attachment as either a ZIP file or an executable file with one of the following extensions:

BAT
CMD
COM
CPL
EXE
PIF
SCR

The attachment name is chosen from the following:

Cat
Cool_MP3
Dof
Fish
Garry
MP3
Music_MP3
New_MP3_Player

The attachment filename includes a large number of spaces between the base name and the file extension, so that a mail client's attachment column shows only the innocuous base name (for example "Cat") and the real extension is pushed out of view.

The email From address is spoofed and will appear to come from one of these usernames:

admin
support

The email will appear to come from one of these domains:

aol.com
ca.com
f-secure.com
kaspersky.com
mastercard.com
mcafee.com
msn.com
paypal.com
sarc.com
security.com
securityfocus.com
sophos.com
symantec.com
trendmicro.com
visa.com
yahoo.com

W32/Lebreat-E will avoid sending to email addresses containing the following strings:

@microsoft.com
@mm
bugs@
cafee
f-secure
kasp
ntivi
panda
sopho
symantec
trendmicro
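The lure described above can be matched mechanically. The following is an added example, not Sophos code: it parses a raw message with Python's standard email package and scores the Lebreat-E indicators (the "Re_" subject, the spoofed admin/support sender, the lure body text, and a padded executable attachment name). The two sample messages are constructed for the demonstration, and the verdict rule (an attachment indicator plus a header or body indicator) is an assumption of the example, not a Sophos detection.

```python
"""Score a raw RFC 822 message against the W32/Lebreat-E lure pattern.
Added example, not Sophos code. The indicator sets come from the description
above; SAMPLE_LURE and SAMPLE_BENIGN are constructed, not captured, messages."""
import re
from email import message_from_string
from email.utils import parseaddr

LURE_SUBJECT = "Re_"
LURE_BODIES = {"Animals", "foto3 and MP3", "fotogalary and Music", "fotoinfo",
               "Lovely animals", "Predators", "Screen and Music", "The snake"}
LURE_BASENAMES = {"cat", "cool_mp3", "dof", "fish", "garry", "mp3",
                  "music_mp3", "new_mp3_player"}
EXEC_EXTENSIONS = {"bat", "cmd", "com", "cpl", "exe", "pif", "scr"}
SPOOFED_LOCALPARTS = {"admin", "support"}
SPOOFED_DOMAINS = {"aol.com", "ca.com", "f-secure.com", "kaspersky.com",
                   "mastercard.com", "mcafee.com", "msn.com", "paypal.com",
                   "sarc.com", "security.com", "securityfocus.com", "sophos.com",
                   "symantec.com", "trendmicro.com", "visa.com", "yahoo.com"}

# base name, an optional run of whitespace, then the real (final) extension
NAME_RE = re.compile(r"^(?P<base>.*?)(?P<pad>\s*)\.(?P<ext>[A-Za-z0-9]{1,4})$")


def attachment_indicators(filename: str) -> list[str]:
    """Reasons an attachment name matches the lure; empty list if none."""
    m = NAME_RE.match(filename)
    if not m:
        return []
    base, pad, ext = m.group("base"), m.group("pad"), m.group("ext").lower()
    reasons = []
    if len(pad) >= 2:  # padding pushes ".scr" out of the visible column
        reasons.append(f"{len(pad)} whitespace characters before .{ext}")
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable attachment type .{ext}")
    if base.lower() in LURE_BASENAMES and ext in EXEC_EXTENSIONS | {"zip"}:
        reasons.append(f"known lure base name {base!r}")
    return reasons


def sender_indicators(from_header: str) -> list[str]:
    """Flag admin/support@<security or payment vendor>, the spoofed From pattern."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    if local.lower() in SPOOFED_LOCALPARTS and domain.lower() in SPOOFED_DOMAINS:
        return [f"From {addr} is the spoofed admin/support@vendor pattern"]
    return []


def classify(raw_message: str) -> tuple[bool, list[str]]:
    """Return (is_lure, reasons). Verdict rule (an assumption of this example):
    at least one attachment indicator AND at least one header/body indicator."""
    msg = message_from_string(raw_message)
    header_reasons: list[str] = []
    attach_reasons: list[str] = []
    if msg.get("Subject", "").strip() == LURE_SUBJECT:
        header_reasons.append("subject is exactly 'Re_'")
    header_reasons += sender_indicators(msg.get("From", ""))
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attach_reasons += attachment_indicators(name)
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1").strip()
            if body in LURE_BODIES:
                header_reasons.append(f"body is the lure text {body!r}")
    verdict = bool(attach_reasons) and bool(header_reasons)
    return verdict, header_reasons + attach_reasons


SAMPLE_LURE = """\
From: support@kaspersky.com
To: victim@example.org
Subject: Re_
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="lebreat-demo"

--lebreat-demo
Content-Type: text/plain

Lovely animals
--lebreat-demo
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Cat                                .scr"
Content-Transfer-Encoding: base64

TVo=
--lebreat-demo--
"""

SAMPLE_BENIGN = """\
From: Alice Example <alice@example.com>
To: bob@example.org
Subject: Re: holiday photos

Here are the pictures from the weekend.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        verdict, why = classify(sample)
        print(f"{label}: {'LURE' if verdict else 'clean'} {why}")
```

The padding check is the part worth keeping even after this worm is gone: whitespace (or a long run of any filler) between a plausible base name and a final executable extension is a lure technique independent of the specific names used here, so a gateway rule on that pattern alone is reasonable in most environments.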

W32/Lebreat-E runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

When first run W32/Lebreat-E copies itself to:

<System>\beagle.exe
<System>\xbeagle.tmp

and creates the following files:

<Windows>\sigma.dat
<System>\zipx.dat
<Windows>\xsas.jpg

The file sigma.dat contains email addresses generated by the worm. The file zipx.dat contains a copy of the worm stored as a ZIP file, and is also detected as W32/Lebreat-E. The file xsas.jpg is a harmless image file.

The following registry entry is created to run beagle.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bunx
<System>\beagle.exe

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1

The system HOSTS file is modified to map the following security-vendor web addresses to the loopback address 127.0.0.1, which blocks access to them (including anti-virus update servers) from the infected computer:

127.0.0.1 ca.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mcafee.com
127.0.0.1 pandasoftware.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sarc.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
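The registry values listed above (the Bunx Run entry and the DisableTaskMgr/DisableRegistryTools policies) and the HOSTS-file hijack can be checked together from an evidence export. The following is an added example, not Sophos code: it parses the text that `reg export` writes and a HOSTS file, reports the persistence and lockout values and every static entry that pins a security-vendor domain, and returns a cleaned HOSTS text. Reading files rather than the live registry is a choice of the example so it runs offline on any platform; SAMPLE_REG and SAMPLE_HOSTS are constructed inputs.

```python
"""Triage the host artifacts described above: the Run-key persistence and
Taskmgr/Regedit lockout values, and the HOSTS hijack of vendor domains.
Added example, not Sophos code. It reads `reg export` output and a HOSTS
file as text so it runs offline; SAMPLE_REG and SAMPLE_HOSTS are constructed."""
import re

DROPPED_NAMES = {"beagle.exe", "xbeagle.tmp"}
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
POLICY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\system"
# Domains from the HOSTS list above; subdomains (liveupdate.symantec.com,
# download.mcafee.com) are matched by suffix.
PROTECTED_DOMAINS = {"ca.com", "f-secure.com", "kaspersky.com", "mcafee.com",
                     "my-etrust.com", "nai.com", "pandasoftware.com", "sarc.com",
                     "sophos.com", "symantec.com", "trendmicro.com"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Parse the .reg subset reg export writes: [key] headers, "name"="string"
    (backslashes and quotes escaped) and "name"=dword:hex. Other types stay raw."""
    keys: dict[str, dict[str, object]] = {}
    current = ""
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group("key")
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            data = m.group("data")
            if data.startswith("dword:"):
                value: object = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                value = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                value = data
            keys[current][m.group("name")] = value
    return keys

def registry_findings(keys: dict[str, dict[str, object]]) -> list[str]:
    """Match the persistence and lockout values the worm sets."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        for name, data in values.items():
            if low.endswith(RUN_SUFFIX) and isinstance(data, str):
                exe = data.strip('"').rsplit("\\", 1)[-1].lower()
                if exe in DROPPED_NAMES:
                    findings.append(f"Run value {name!r} starts dropped file {data}")
            if low.endswith(POLICY_SUFFIX) and name.lower() in LOCKOUT_VALUES and data == 1:
                findings.append(f"{key}\\{name} = 1 (Task Manager/Regedit lockout)")
    return findings

def hosts_hijacks(text: str) -> list[tuple[str, str]]:
    """(hostname, address) for each static entry pinning a protected domain.
    Any address counts: loopback blocks updates, a remote one would redirect them."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS):
                hits.append((host, fields[0]))
    return hits

def clean_hosts(text: str) -> str:
    """Return the HOSTS text with every hijacking line removed."""
    bad = {host for host, _ in hosts_hijacks(text)}
    kept = [raw for raw in text.splitlines()
            if not any(n.lower().rstrip(".") in bad
                       for n in raw.split("#", 1)[0].split()[1:])]
    return "\n".join(kept) + "\n"


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bunx"="C:\\WINDOWS\\system32\\beagle.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.org   # legitimate local override
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.kaspersky.com
"""
```

Two practical notes. The lockout values live under both HKCU and HKLM, so check both hives: clearing only the user copy leaves Task Manager disabled. And the HOSTS check deliberately does not require the address to be 127.0.0.1, since a static mapping of an anti-virus update host to any address is the problem; the worm's choice of loopback is just the variant on this page.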

Microsoft provides a patch for the LSASS vulnerability at the following URL:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
