Threat Description

Lebreat.m

Details

Aliases: Lebreat.m, Net-Worm.Win32.Lebreat.m
Category: Malware
Type: Worm
Platform: W32

Summary



Lebreat.m is a mass mailer and network worm that spreads through a vulnerability in the Windows Plug and Play service (MS05-039).



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The worm is a packed PE executable file 61291 bytes long.

Installation to system

When run, the worm copies itself into the %SYSTEM% directory using the name 'winhost.exe' and creates mutexes named:

_-oO]xX|-S-k-y-N-e-t-|Xx[Oo- MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

to ensure that only one copy of the worm runs at a time.

Then it adds the following registry entry to ensure that it is started when a user logs on or the system is restarted:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "winhost" = "winhost.exe"

The worm modifies the hosts file in order to prevent local users from accessing antivirus vendors' websites.

Spreading using Plug and Play service vulnerability

The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445.

It creates several threads that connect to random IP addresses. If the exploit is successful, the worm spreads to those hosts.

Please see the following page for detailed information on the vulnerability:

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Email Spreading

The worm also spreads by email. The messages are composed from different strings within the worm's body. Subjects are chosen from:

"Re: Msg reply"
"Re: Hello"
"Re:"
"Re: Yahoo!"
"Re: Thank you!"
"Re: Thanks :)"
"Re: Text message"
"Re: Document"
"Incoming message"
"Re: Incoming Message"
"Re: Incoming Msg"
"Re: Message Notify"
"Notification"
"Changes.."
"Update"
"Fax Message"
"Protected message"
"Re: Protected message"
"Forum notify"
"Site changes"
"Re: Hi"
"Encrypted document"

The message bodies are selected from the following possibilities:

"Read the attach."
"Your file is attached."
"Try this."
"More info is in attach"
"See attach."
"Please, have a look at the attached fil"...
"Your document is attached."
"Please, read the document."
"Attach tells everything."
"Attached file tells everything."
"Check attached file for details."
"Check attached file."
"Pay attention at the attach."
"See the attached file for details."
"Message is in attach"
"Here is the file."

The attachment names are composed from any of:

"Details.doc"
"doc"
"Info.doc"
"Information.doc"
"Message.doc"
"MoreInfo.doc"
"Readme.doc"
"Updates.doc"
"text_doc"

followed by a sequence of whitespace characters and the ".exe" extension appended at the end, so that the real extension is pushed out of view in many mail clients.

Other details

Lebreat.m modifies the system hosts file in order to disable access to certain sites. The following hostnames are redirected to the localhost IP address (127.0.0.1):

www.ca.com
pandasoftware.com
www.nai.com
kaspersky.com
www.f-secure.com
download.mcafee.com
tca.com
www.my-etrust.com
www.kaspersky.com
www.sophos.com
sophos.com
mcafee.com
www.mcafee.com
symantec.com
www.pandasoftware.com
www.sarc.com
trendmicro.com
f-secure.com
liveupdate.symantec.com
us.mcafee.com
www.symantec.com
www.trendmicro.com
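As an added example that is not part of the original F-Secure description, the following Python checks for the two artefacts described in the Email Spreading and Other details sections above: attachment names built from the listed stems with whitespace padding before ".exe", and hosts-file lines that redirect the listed vendor hostnames to 127.0.0.1. The sample hosts-file content is constructed for the demonstration.

```python
import re

# Vendor hostnames the description says the worm redirects to 127.0.0.1.
BLOCKED_VENDOR_HOSTS = {
    "www.ca.com", "pandasoftware.com", "www.nai.com", "kaspersky.com",
    "www.f-secure.com", "download.mcafee.com", "tca.com", "www.my-etrust.com",
    "www.kaspersky.com", "www.sophos.com", "sophos.com", "mcafee.com",
    "www.mcafee.com", "symantec.com", "www.pandasoftware.com", "www.sarc.com",
    "trendmicro.com", "f-secure.com", "liveupdate.symantec.com",
    "us.mcafee.com", "www.symantec.com", "www.trendmicro.com",
}
# Attachment name stems listed in the description; the worm appends a run of
# whitespace and then ".exe", pushing the real extension out of view.
ATTACHMENT_STEMS = {"Details.doc", "doc", "Info.doc", "Information.doc",
                    "Message.doc", "MoreInfo.doc", "Readme.doc", "Updates.doc",
                    "text_doc"}
# Generic shape: some stem, at least one whitespace character, then ".exe".
_PADDED_EXE = re.compile(r"^(?P<stem>\S+)\s+\.exe$", re.IGNORECASE)

def is_padded_executable(name: str) -> bool:
    """True for any attachment name that hides .exe behind whitespace padding."""
    return bool(_PADDED_EXE.match(name))

def matches_lebreat_attachment(name: str) -> bool:
    """True only when the padded name also uses one of the stems on the page."""
    m = _PADDED_EXE.match(name)
    return bool(m) and m.group("stem") in ATTACHMENT_STEMS

def find_hosts_redirects(hosts_text: str) -> dict:
    """Return {hostname: address} for listed vendor hosts mapped to 127.0.0.1."""
    hits = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            if addr == "127.0.0.1" and n.lower() in BLOCKED_VENDOR_HOSTS:
                hits[n.lower()] = addr
    return hits

# Constructed sample hosts file content, not taken from a real infection.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
10.0.0.5  intranet.example
"""
```

Calling `find_hosts_redirects(SAMPLE_HOSTS)` returns the two redirected vendor hosts; on a live Windows system the same function can be run over the text of %SystemRoot%\System32\drivers\etc\hosts.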


Detection



Detection Type: PC
Database: 2005-08-25_01



Technical Details: Jarkko Turkulainen & Ero Carrera; Aug 24th, 2005

