Lebreat.m

Classification

Malware / Worm / W32

Aliases: Lebreat.m, Net-Worm.Win32.Lebreat.m

Summary

Lebreat.m is a mass mailer and network worm that spreads through a vulnerability in the Windows Plug and Play service (MS05-039).

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm is a packed PE executable file, 61291 bytes long.

Installation to system

When run, the worm copies itself into the %SYSTEM% directory under the name 'winhost.exe' and creates mutexes named:

_-oO]xX|-S-k-y-N-e-t-|Xx[Oo- MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

to ensure that only one copy of the worm runs at a time.

It then adds the following registry entry so that it is started whenever a user logs on or the system is restarted:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "winhost" = "winhost.exe"

The worm also modifies the hosts file to prevent local users from accessing antivirus vendors' websites.

Spreading using Plug and Play service vulnerability

The worm scans for systems vulnerable to the Microsoft Windows Plug and Play service vulnerability (MS05-039) on TCP port 445.

It creates several threads that connect to random IP addresses. If the exploit succeeds, the worm spreads to those hosts.

Please see the following page for detailed information on the vulnerability:

https://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Email Spreading

The worm also spreads by email. The messages are composed from different strings within the worm's body. Subjects are chosen from:

"Re: Msg reply"
"Re: Hello"
"Re:"
"Re: Yahoo!"
"Re: Thank you!"
"Re: Thanks :)"
"Re: Text message"
"Re: Document"
"Incoming message"
"Re: Incoming Message"
"Re: Incoming Msg"
"Re: Message Notify"
"Notification"
"Changes.."
"Update"
"Fax Message"
"Protected message"
"Re: Protected message"
"Forum notify"
"Site changes"
"Re: Hi"
"Encrypted document"
 

The message body is selected from the following possibilities:

"Read the attach."
"Your file is attached."
"Try this."
"More info is in attach"
"See attach."
"Please, have a look at the attached fil"...
"Your document is attached."
"Please, read the document."
"Attach tells everything."
"Attached file tells everything."
"Check attached file for details."
"Check attached file."
"Pay attention at the attach."
"See the attached file for details."
"Message is in attach"
"Here is the file."
 

The attachment name is composed from any of:

"Details.doc"
"doc"
"Info.doc"
"Information.doc"
"Message.doc"
"MoreInfo.doc"
"Readme.doc"
"Updates.doc"
"text_doc"
 

followed by a sequence of whitespace characters, with the ".exe" extension appended to the end.

Other details

Lebreat.m modifies the system hosts file in order to disable access to certain sites. The following hostnames are redirected to the localhost IP address (127.0.0.1):

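A defender-side check for the two host-level artefacts described above (antivirus vendor hostnames redirected to 127.0.0.1 in the hosts file, and attachment names that end in whitespace followed by ".exe"), written as an added example and not code from the F-Secure description; the hosts file content, the vendor subset and the attachment names are constructed samples.

```python
import re

# Constructed sample hosts file for the demo; not captured from a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.f-secure.com   # entry of the kind the worm adds
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
10.0.0.5  intranet.example.internal
"""

# Subset of the vendor hostnames the description says are pointed at 127.0.0.1.
VENDOR_HOSTS = {
    "www.f-secure.com", "f-secure.com", "liveupdate.symantec.com",
    "download.mcafee.com", "www.kaspersky.com", "www.sophos.com",
    "www.trendmicro.com", "www.pandasoftware.com", "www.symantec.com",
}
# The description names 127.0.0.1; ::1 is added here as the IPv6 loopback.
LOOPBACK = {"127.0.0.1", "::1"}

def find_hijacked_hosts(hosts_text):
    """Return sorted (hostname, ip) pairs where a vendor host maps to loopback.
    Text after '#' is a comment; one line may list several hostnames."""
    hits = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in VENDOR_HOSTS and ip in LOOPBACK:
                hits.add((name.lower(), ip))
    return sorted(hits)

# Attachment names end in a run of whitespace followed by ".exe", which can
# push the real extension past the visible part of the filename in a mail client.
PADDED_EXE = re.compile(r"\S\s+\.exe$", re.IGNORECASE)

def is_padded_exe_name(filename):
    """True for names like 'Details.doc        .exe' or 'text_doc   .exe'."""
    return PADDED_EXE.search(filename) is not None

def triage(hosts_text, attachment_names):
    """Run both checks and return one report dict for a host/mailbox sweep."""
    return {
        "hijacked_hosts": find_hijacked_hosts(hosts_text),
        "suspicious_attachments": [n for n in attachment_names if is_padded_exe_name(n)],
    }
```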