Threat Encyclopedia


Win32/Lebreat.A

Win32/Lebreat.A is a typical mass-mailing e-mail worm. The file is around 15,000 bytes in size and is runtime-compressed and protected with MEW, a runtime executable packer. The worm also has a backdoor component and tries to spread across the network by exploiting security vulnerabilities.

This threat affects the following operating systems:

Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows Server 2003, Windows XP

Installation and Autostart Techniques

Upon execution the worm copies itself into the %System% folder as "ccapp.exe" and places a file "attach.tmp" in the same folder, which it uses for outgoing e-mail attachments. Note: %System% denotes the Windows system directory (e.g. C:\WINDOWS\SYSTEM32), which differs between versions of Microsoft Windows. The worm adds the following registry values to make sure that it is run every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Symantec" = "%System%\ccapp.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
"Symantec" = "%System%\ccapp.exe"

It might also add the following values:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WIN" = "%System%\windows.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
"WIN" = "%System%\windows.exe"

It also alters the "EnableFirewall" value under the following registry keys:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\

HKCU\Software\Policies\Microsoft\WindowsFirewall\

Win32/Lebreat.A also tries to disable the Windows Automatic Updates function by setting the following values:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
"NoAutoUpdate" = "1"
"AUOptions" = "1"

and

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
"NoAutoUpdate" = "1"
"AUOptions" = "1"

The Windows Security Center warnings are disabled by altering the following values:

HKLM\SOFTWARE\Microsoft\Security Center
"AntiVirusDisableNotify" = "0"
"UpdatesDisableNotify" = "0"
"FirewallDisableNotify" = "0"

HKCU\Software\Microsoft\Security Center
"AntiVirusDisableNotify" = "0"
"UpdatesDisableNotify" = "0"
"FirewallDisableNotify" = "0"

 

The worm also tries to disable the System Restore function by altering the following values:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
"DisableSR" = "1"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
"DisableSR" = "1"

It disables the Windows Task Manager and the registry editing tools via:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"
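The registry changes listed above are the most reliable host-based indicators of this worm, and they survive in a plain "reg export" file taken during triage. The following script is an added example, not code from the encyclopedia or from NOD32: it parses the .reg export format (REG_SZ and REG_DWORD values only) and flags the autorun entries, the firewall, Automatic Updates and System Restore policy values, and the Task Manager / registry tools lockout described above. The embedded export is constructed for illustration; the "ctfmon.exe" entry is a benign control that must not be flagged.

```python
"""Flag Win32/Lebreat.A registry indicators in a 'reg export' (.reg) file.

Added example (not part of the original entry). Indicator keys and value
names are taken from the threat description; SAMPLE_REG is constructed.
"""
import re

# Constructed sample export: one benign Run entry plus the worm's changes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Symantec"="C:\\WINDOWS\\SYSTEM32\\ccapp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"AUOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')    # "Name"=value


def _decode(raw):
    """Decode the two .reg encodings this check needs: "string" and dword:hex."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/expand-string forms are left undecoded


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg export."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = _decode(m.group(2))
    return tree


def _is_exe(filename):
    """Predicate: value is a string path ending in \\<filename> (case-insensitive)."""
    return lambda v: isinstance(v, str) and v.lower().endswith("\\" + filename)


# (lower-case key substring, value name, predicate on decoded value, description)
INDICATORS = [
    (r"\microsoft\windows\currentversion\run", "Symantec", _is_exe("ccapp.exe"), "autorun entry for ccapp.exe"),
    (r"\microsoft\windows\currentversion\run", "WIN", _is_exe("windows.exe"), "autorun entry for windows.exe"),
    (r"\policies\microsoft\windowsfirewall", "EnableFirewall", lambda v: v == 0, "Windows Firewall disabled by policy"),
    (r"\windowsupdate\au", "NoAutoUpdate", lambda v: v == 1, "Automatic Updates disabled"),
    (r"\systemrestore", "DisableSR", lambda v: v == 1, "System Restore disabled"),
    (r"\currentversion\policies\system", "DisableTaskMgr", lambda v: v == 1, "Task Manager disabled"),
    (r"\currentversion\policies\system", "DisableRegistryTools", lambda v: v == 1, "registry tools disabled"),
]


def scan(tree):
    """Return [(key, value_name, description)] for every indicator present."""
    hits = []
    for key, values in tree.items():
        k = key.lower()
        for needle, name, test, desc in INDICATORS:
            if needle in k and name in values and test(values[name]):
                hits.append((key, name, desc))
    return hits


def scan_reg_text(text):
    return scan(parse_reg(text))


if __name__ == "__main__":
    for key, name, desc in scan_reg_text(SAMPLE_REG):
        print(f"{desc}: [{key}] {name}")
```

Run it against a real export with scan_reg_text(open(path, encoding="utf-16").read()) (reg export writes UTF-16 by default). Matching key paths by substring rather than exact path is deliberate: the firewall policy value lives under per-profile subkeys, and the HKLM/HKCU pairs listed above differ only in their hive prefix.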

E-mail Sender

The worm generates spoofed sender addresses using one of the following names as the local part:

adam admin alerts alex bob brenda brent dan david fred helen jack jane jerry joe john jon josh leo linda mary matt michael mike paul ray robert root sales steve support ted tom

The worm might also use a spoofed address collected during e-mail harvesting (see below).

Win32/Lebreat.A uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail harvesting

The worm scans all fixed disks and collects e-mail addresses from files with one of the following extensions:

*.asp, *.txt, *.adb, *.tbb, *.dbx, *.html, *.htm, *.wab

and stores them in %Windir%\xzy6.tmp.

The worm skips any e-mail address that contains one of the following strings:

icrosof, .gov, panda, f-secur, icrosoft, winrar, winzip, @mcafee, @trendmicro, @mm, @noreply, @sopho, @norman, @virusli, @norton, @fsecure, @panda, @avp, @microsoft, @symantec

For example, both "Microsoft" and "microsoft" are avoided because each contains the substring "icrosof"; dropping the first letter lets the comparison match regardless of how that letter is capitalized.

E-mail subjects

Subject lines are randomly selected from the following list:

  • Bug
  • Error
  • Email
  • info
  • Hello
  • Message could not be delivered
  • Mail Delivery System
  • Importnat Information
  • **WARNING** Your Account Currently Disabled.
  • Password

Message Body

The e-mail contains one of the following message texts:

  • Hello, I was in a hurry and I forgot to attach an important document. Please see attached.
  • Binary message is available.
  • Here are your banks documents
  • Your credit card was charged for $500 USD. For additional information see the attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The original message was included as an attachment.
  • We have temporarily suspended your email account checkout the attachment for more info.
  • You have successfully updated the password of your domain account checkout the attachment for more info.
  • Important Notification checkout the attachment for more info.
  • Your Account Suspended checkout the document.
  • Your password has been updated checkout the document.
  • checkout the attachment.

E-mail Attachments

The worm attaches a copy of itself to the e-mail under one of the following file names. {spaces} denotes a long run of space characters inserted after the harmless-looking first extension so that the real executable extension is pushed out of view in many mail clients:

  • payment.doc {spaces} .scr
  • about.doc {spaces} .bat
  • help.doc {spaces} .exe
  • account-report.exe
  • about.cpl
  • about.scr
  • admin.bat
  • archive.cpl
  • archive.exe
  • box.bat
  • box.scr
  • data.bat
  • data.scr
  • doc.pif
  • docs.cpl
  • docs.scr
  • document.cpl
  • document.exe
  • file.cpl
  • inbox.cpl
  • inbox.exe
  • order.cpl
  • order.exe
  • read.cpl
  • read.exe
  • readme.cpl
  • readme.scr
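A mail gateway can stop this lure on the attachment name alone: every name in the list ends in an executable extension, and the first three hide it behind a decoy ".doc" and a run of spaces. The script below is an added example, not code from the encyclopedia or from NOD32. It classifies an attachment name by its real (last) extension, detects the whitespace-padding trick, and applies the check to the attachments of a MIME message using Python's standard email module. The MIME message is constructed to mimic the subject and body text quoted above and carries no real payload.

```python
"""Gateway-side attachment-name check for the Win32/Lebreat.A lure.

Added example (not part of the original entry). Extension sets come from the
attachment list above; SAMPLE_MIME is a constructed message.
"""
import email
import re

# Executable extensions used by the worm's attachments (from the list above).
EXECUTABLE_EXTS = {".scr", ".bat", ".exe", ".cpl", ".pif"}
# Extensions a recipient reads as a harmless document (assumed decoy set).
DECOY_EXTS = {".doc", ".txt", ".pdf", ".htm", ".html"}
# "<name>.<decoy>   <spaces>   .<real>" at the end of the name.
PADDED_RE = re.compile(r"\.(\w+)(\s+)\.(\w+)$")


def inspect_attachment_name(name):
    """Classify an attachment filename.

    Returns the real (last) extension, whether it is executable, whether the
    name uses whitespace padding to disguise it, and the padding length.
    """
    stripped = name.rstrip()  # trailing spaces are never part of the extension
    real_ext = ("." + stripped.rsplit(".", 1)[1].lower()) if "." in stripped else ""
    m = PADDED_RE.search(stripped)
    decoy_ext = ("." + m.group(1).lower()) if m else ""
    return {
        "real_extension": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "disguised": bool(m) and decoy_ext in DECOY_EXTS and real_ext in EXECUTABLE_EXTS,
        "padding_length": len(m.group(2)) if m else 0,
    }


def should_quarantine(name):
    """Policy for this family: block any executable attachment, disguised or not."""
    return inspect_attachment_name(name)["executable"]


# Constructed message in the style of the lure; the attachment body is inert.
SAMPLE_MIME = (
    "From: support@example.com\n"
    "To: user@example.org\n"
    "Subject: Message could not be delivered\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "The original message was included as an attachment.\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="payment.doc' + " " * 30 + '.scr"\n'
    "\n"
    "not-a-real-payload\n"
    "--b1--\n"
)


def quarantined_attachments(raw_message):
    """Return the attachment names in a raw RFC 822 message that policy blocks."""
    msg = email.message_from_string(raw_message)
    names = [part.get_filename() for part in msg.walk() if part.get_filename()]
    return [n for n in names if should_quarantine(n)]


if __name__ == "__main__":
    for n in quarantined_attachments(SAMPLE_MIME):
        print("quarantine:", repr(n), inspect_attachment_name(n))
```

Deciding on the last extension after rstrip() is what defeats the padding: the decoy ".doc" is only ever an intermediate token, never the extension the operating system acts on.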

Exploited vulnerabilities

The worm generates random IP addresses and attempts to connect to TCP port 445 on each of them in order to exploit the LSASS buffer overflow vulnerability (see MS04-011). If the exploit succeeds, shellcode runs on the target machine and instructs it to connect back to the source in order to retrieve a copy of the worm. The copy is transferred to the target over an FTP connection to the source, driven by a generated FTP commands file.

The worm runs FTP.EXE locally on the compromised system to retrieve a copy of the worm from the connecting system, and starts the downloaded file afterwards.

References:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Other Details:

The worm also provides an FTP server backdoor on TCP port 8885 and tries to perform a denial-of-service attack against www.symantec.com with randomly generated packets.

Win32/Lebreat.A also tries to download and install another worm, which NOD32 detects as "Win32/VB.NBY worm".
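On the network the two behaviours described above, under Exploited vulnerabilities and under Other Details, are easy to spot in connection logs: an infected host fans out to many distinct, random addresses on TCP port 445 within seconds, and the FTP backdoor shows up as sessions to TCP port 8885. The detector below is an added example, not code from the encyclopedia or from NOD32. The log line format, the sample lines and the fan-out threshold are assumptions; the host 192.168.1.50 talking to a single file server is a benign control that must not be flagged.

```python
"""Detect Win32/Lebreat.A propagation traffic in connection logs.

Added example (not part of the original entry). Line format, sample lines
and the fan-out threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT = 445        # LSASS exploit attempts (MS04-011)
BACKDOOR_PORT = 8885   # the worm's FTP backdoor

# Constructed format: "<date> <time> <src>:<sport> -> <dst>:<dport> tcp"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([\d.]+):\d+ -> ([\d.]+):(\d+) tcp$")

SAMPLE_LOG = """\
2005-07-21 10:00:00 192.168.1.50:1032 -> 192.168.1.10:445 tcp
2005-07-21 10:00:01 192.168.1.20:1040 -> 10.3.7.9:445 tcp
2005-07-21 10:00:01 192.168.1.20:1041 -> 10.88.2.140:445 tcp
2005-07-21 10:00:02 192.168.1.20:1042 -> 172.16.9.4:445 tcp
2005-07-21 10:00:02 192.168.1.20:1043 -> 10.201.55.7:445 tcp
2005-07-21 10:00:03 192.168.1.20:1044 -> 10.14.0.99:445 tcp
2005-07-21 10:00:03 192.168.1.20:1045 -> 172.31.6.21:445 tcp
2005-07-21 10:00:04 192.168.1.20:1046 -> 10.77.123.5:445 tcp
2005-07-21 10:00:04 192.168.1.20:1047 -> 10.5.5.5:445 tcp
2005-07-21 10:00:05 192.168.1.20:1048 -> 172.20.4.33:445 tcp
2005-07-21 10:00:05 192.168.1.20:1049 -> 10.99.17.200:445 tcp
2005-07-21 10:00:06 192.168.1.20:1050 -> 10.42.8.16:445 tcp
2005-07-21 10:00:06 192.168.1.20:1051 -> 10.250.1.2:445 tcp
2005-07-21 10:00:30 192.168.1.50:1033 -> 192.168.1.10:445 tcp
2005-07-21 10:01:10 192.168.1.77:2201 -> 192.168.1.20:8885 tcp
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect(lines, fanout_threshold=10, window=timedelta(seconds=60)):
    """Return alerts: ("smb-fanout", src, distinct_dsts, start) and
    ("backdoor-port", src, dst, timestamp)."""
    events = sorted(e for e in map(parse_line, lines) if e)
    alerts = []
    per_src = defaultdict(list)  # src -> [(timestamp, dst)] for port-445 attempts
    for ts, src, dst, dport in events:
        if dport == BACKDOOR_PORT:
            alerts.append(("backdoor-port", src, dst, ts))
        elif dport == SCAN_PORT:
            per_src[src].append((ts, dst))
    for src, hits in per_src.items():
        # Sliding window: count distinct destinations within `window` of each start.
        for i, (t0, _) in enumerate(hits):
            dsts = {d for t, d in hits[i:] if t - t0 <= window}
            if len(dsts) >= fanout_threshold:
                alerts.append(("smb-fanout", src, len(dsts), t0))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting distinct destinations rather than raw connection attempts is what separates the worm's random-address sweep from a workstation that legitimately reconnects to the same file server many times.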