Lebreat.i is a network worm that spreads through a vulnerability in the Windows
Plug and Play service (MS05-039).
The worm is a packed PE executable file 14848 bytes long.
Installation to system
When run, the worm copies itself to the %SYSTEM% directory under the name 'wuaaclt.exe'
and creates a mutex named:
PNP-_-WORM
to make sure that only one copy of the worm runs at a time.
Then it adds the following registry entry to ensure that it is started when
a user logs on or the system is restarted:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PNP" = "wuaaclt.exe"
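The three host indicators above (file name, mutex and Run value) can be checked against collected triage data. The following is an added example, not part of the original description: the function names, the sample data and the four-space layout of `reg query` text output are assumptions, as is the idea that mutex names come from a handle-listing tool.

```python
import re

# Indicators exactly as listed in the description above.
RUN_VALUE, FILE_NAME, MUTEX_NAME = "PNP", "wuaaclt.exe", "PNP-_-WORM"

# One value line of `reg query` text output: 4-space indent, name, type, data.
_VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")
# File name as a whole path component; Run data may be quoted or carry a path.
_FILE_RE = re.compile(r'(?:^|[\\/"\s])' + re.escape(FILE_NAME) + r'(?:$|["\s])', re.I)


def parse_reg_query(text):
    """Return {value_name: data} parsed from `reg query <key>` output."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def check_host(reg_query_text, system_dir_files, mutex_names):
    """Return which of the three Lebreat.i host indicators are present."""
    findings = []
    # Registry value names and file names are case-insensitive on Windows.
    run = {k.lower(): v for k, v in parse_reg_query(reg_query_text).items()}
    data = run.get(RUN_VALUE.lower())
    if data is not None and _FILE_RE.search(data):
        findings.append("run-key")
    if FILE_NAME in {f.lower() for f in system_dir_files}:
        findings.append("file")
    # Handle listings show a namespace prefix; compare the last component.
    if any(n.rsplit("\\", 1)[-1] == MUTEX_NAME for n in mutex_names):
        findings.append("mutex")
    return findings


# Constructed sample triage data (not from a real host).
SAMPLE_REG = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Example Tray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    PNP    REG_SZ    wuaaclt.exe
'''
SAMPLE_FILES = ["kernel32.dll", "WUAACLT.EXE"]
SAMPLE_MUTEXES = [r"\BaseNamedObjects\PNP-_-WORM"]

if __name__ == "__main__":
    print(check_host(SAMPLE_REG, SAMPLE_FILES, SAMPLE_MUTEXES))
```

A Run value named PNP that points at a different executable is not reported, so only the exact pairing from the description counts as the registry indicator.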
Spreading using Plug and Play service vulnerability
The worm scans TCP port 445 for systems vulnerable to the Microsoft Windows
Plug and Play service flaw (MS05-039).
It creates several threads that connect to random IP addresses. If the exploit
is successful, the worm spreads to those hosts.
Please see the following page for detailed information on the vulnerability:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
[FSAV_Database_Version]
Version=2005-08-25_01
Technical Details:
Jarkko Turkulainen & Ero Carrera; Aug 24th, 2005;
F-Secure Corporation