Sophos

W32/Lebreat-D


Summary

How it spreads:
  • Email attachments
  • Network shares
Affected operating systems: Windows
Included in our products from: September 2005 (3.97)
Protection available since: 28 July 2005 13:17:18 (GMT)
Detected by: All Sophos products

More Information

W32/Lebreat-D is a mass-mailing worm and backdoor Trojan for the Windows platform.

W32/Lebreat-D spreads to other computers on the network by exploiting common buffer overflow vulnerabilities, including the LSASS vulnerability (MS04-011).

W32/Lebreat-D will send itself to email addresses harvested from the infected computer. These emails will have the following properties:

Subject:
Accounts department
Well..
Your Account
The Account
Hi!
Hello!
Hey!
Price
Hi! :-)
Good
My photos
HaHa
Re: Hi
Encrypted document
Re: Document
Re: Thanks
Re: Hello
Re: Text message
Fw: Document
Fw: Informartion
Notification
Protected message
Fax Message
Message
Document
Thanks!
Thank you!
Thx
Re: Good!
Re: Well!
Re: Warning
Warning
Fw: Message
Fw: Warning
Your file!!
Re: Your file

Message text:

Here take your credit card information in the attached file.
Bye :)
Cya
your file!!
Pay attention at the attach.
Message is in attach.
Check attached file.
:)
Check attached file for details.
Attached file tells everything.
Attach tells everything.
Read the attach.
:P
Looking forward for a response.
Your account has been blocked for more information read the attachment file.
Bye
Empty
Everything inside the attach.

Attached filename:

Information <several spaces>
Details <several spaces>
text_document <several spaces>
Updates <several spaces>
Readme <several spaces>
Document <several spaces>
Info <several spaces>
MoreInfo <several spaces>
Message <several spaces>

Attached file extension:

.zip
.bat
.cmd
.pif
.cpl
.scr
.exe

The sender address of the email is forged by combining one of these usernames:

fred
brian
support
admin
jack
jim
leo
matt
ray
smith
alex
tom
kevin
paul
james
sam
james
robert
jose
josh
sales

and these domains:

microsoft.com
mcafee.com
yahoo.com
sophos.com
symantec.com
mail.com
kaspersky.com
matrix.com
security.com
paypal.com
visa.com
mastercard.com
securityfocus.com
f-secure.com
msn.com
sarc.com
trendmicro.com
aol.com
ca.com
nai.com

W32/Lebreat-D will avoid sending to email addresses containing the following strings:

@mm
@microsoft
bugs@
icrosoft
@secunia
sopho
symantec
kasp
cafee
ntivi
panda
.gov
trendmicro
f-secure

W32/Lebreat-D runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

When first run W32/Lebreat-D copies itself to:

<System>\system23.exe
<System>\xface.tmp

W32/Lebreat-D drops a ZIP component of itself to:

<System>\xzip.tmp - this file is also detected as W32/Lebreat-D

and creates the following files:

<Windows>\xb12.dat - this file may be deleted
<Windows>\xsas.jpg - this file may be deleted

The following registry entry is created to run system23.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<System>\system23.exe

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1

W32/Lebreat-D will also open a backdoor on port 3351 and attempt to perform a Distributed Denial of Service attack on www.symantec.com and www.mcafee.com.

W32/Lebreat-D modifies the HOSTS file, changing the hostname-to-IP mappings for selected websites (mainly antivirus vendor and update sites) so that they resolve to the local machine, preventing normal access to these sites. The modified HOSTS file will typically contain the following:

127.0.0.1 www.symantec.com
127.0.0.1 www.sarc.com
127.0.0.1 symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 mcafee.com
127.0.0.1 www.sophos.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.nai.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 f-secure.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
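A triage helper for the HOSTS tampering listed above, added here as an example and not part of Sophos's own tooling: it parses HOSTS-file text (comments, tabs, multiple names per line) and flags any entry that points one of the vendor hostnames from this list at a loopback or unspecified address. The sample HOSTS content is constructed for the example.

```python
"""Flag HOSTS-file entries that null-route security-vendor hostnames
(added example for the W32/Lebreat-D write-up; not Sophos code)."""
import ipaddress

# Hostnames the write-up reports W32/Lebreat-D remaps to 127.0.0.1.
LEBREAT_HIJACKED_HOSTS = {
    "www.symantec.com", "www.sarc.com", "symantec.com", "www.mcafee.com",
    "sophos.com", "mcafee.com", "www.sophos.com", "www.kaspersky.com",
    "www.f-secure.com", "kaspersky.com", "www.nai.com", "pandasoftware.com",
    "www.ca.com", "ca.com", "www.my-etrust.com", "download.mcafee.com",
    "us.mcafee.com", "liveupdate.symantec.com", "f-secure.com",
    "trendmicro.com", "www.trendmicro.com", "www.pandasoftware.com",
}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text. Skips blank lines and
    '#' comments; a single line may map several names to one address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()

def find_hosts_hijacks(text, watched=LEBREAT_HIJACKED_HOSTS):
    """Return sorted (ip, hostname) entries that send a watched vendor host
    to a loopback (127.x) or unspecified (0.0.0.0) address, which silently
    blocks that vendor's website and update servers."""
    hits = set()
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a parsable address; ignore the line
        if name in watched and (addr.is_loopback or addr.is_unspecified):
            hits.add((ip, name))
    return sorted(hits)

# Constructed sample: a normal localhost line plus entries in the worm's style.
SAMPLE_HOSTS = """\
# constructed HOSTS file for the example
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1\tliveupdate.symantec.com   # tab-separated entry
0.0.0.0 www.sophos.com sophos.com
127.0.0.1 example.org
"""

if __name__ == "__main__":
    for ip, host in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {ip} {host}")
```

Entries for hostnames outside the watched set (example.org above) and the legitimate localhost line are not reported, so the check can run over a live HOSTS file without noise.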

W32/Lebreat-D also attempts to remove registry entries that match the strings 'KasperskyAVEng', 'EasyAV', 'ICQNet' or 'erthgdr' from the following registry locations:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft provides a patch for the LSASS vulnerability at the following URL:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
