Win32/Lebreat.D
Win32/Lebreat.D is a typical mass-mailing e-mail worm. The executable is around 15,000 bytes and is runtime compressed / protected with MEW, a runtime executable packer. The worm has a backdoor component and also tries to spread over the network by exploiting a security vulnerability.
This threat affects the following operating systems:
Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows Server 2003, Windows XP
Installation and Autostart Techniques
Upon execution the worm copies itself into the %System% folder as "ccapp.exe" and creates a file "attach.tmp" in the same folder, which it uses for outgoing e-mail attachments.
Note: %System% denotes the Windows system directory (e.g. C:\WINDOWS\SYSTEM32); its location differs between versions of Microsoft Windows.
The worm adds the following registry values so that it runs every time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Symantec" = "%System%\ccapp.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
"Symantec" = "%System%\ccapp.exe"
It may also add the following values:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WIN" = "%System%\windows.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
"WIN" = "%System%\windows.exe"
It also alters the "EnableFirewall" values under the following registry keys:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\
HKCU\Software\Policies\Microsoft\WindowsFirewall\
The worm also tries to disable Windows automatic updating by setting
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
"NoAutoUpdate" = "1"
"AUOptions" = "1"
and
HKCU\Software\Policies\Microsoft\WindowsWindowsUpdate\AU
"NoAutoUpdate" = "1"
"AUOptions" = "1"
It also disables the Windows Security Center warnings by altering the following values:
HKLM\SOFTWARE\Microsoft\Security Center
"AntiVirusDisableNotify" = "0"
"UpdatesDisableNotify" = "0"
"FirewallDisableNotify" = "0"
HKCU\Software\Microsoft\Security Center
"AntiVirusDisableNotify" = "0"
"UpdatesDisableNotify" = "0"
"FirewallDisableNotify" = "0"
Note: On Windows XP SP2 it is a data value of 1 in these *DisableNotify values that suppresses the corresponding Security Center notification. When examining a suspect system, check the data actually present rather than relying on the listed value.
The worm also tries to disable System Restore by setting the following values:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
"DisableSR" = "1"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
"DisableSR" = "1"
It disables the Windows Task Manager and the Registry Editor via:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"
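To check a registry export from a suspect system for the autostart entries and policy changes listed above, here is an added Python example. It is not ESET's code and is not part of the original entry. It parses a Regedit 5.00 .reg export (such as one produced with reg export) and flags the Lebreat.D indicators; the export text is constructed for the example, the EnableFirewall check under the WindowsFirewall profile subkeys and matching the executable file name rather than the expanded %System% path are assumptions. The Security Center values are left out because the data the worm writes there is not certain from the description.

```python
import re

# Registry locations and value names from the description above; hive-relative so
# both HKLM and HKCU (the worm writes both) are checked.
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows NT\CurrentVersion\Windows",
)
# value name -> executable the worm registers; matched on the file name because
# %System% is stored expanded in the registry (an assumption of this example)
RUN_VALUES = {"symantec": "ccapp.exe", "win": "windows.exe"}
# policy values the worm sets to DWORD 1 (lower-cased for comparison)
POLICY_VALUES = (
    (r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "noautoupdate"),
    (r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "auoptions"),
    (r"Software\Microsoft\Windows NT\CurrentVersion\SystemRestore", "disablesr"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "disabletaskmgr"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "disableregistrytools"),
)
# EnableFirewall = 0 under any profile subkey here (assumed subkey layout)
FIREWALL_PREFIX = r"Software\Policies\Microsoft\WindowsFirewall" + "\\"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_lower: {value_name_lower: data}}.

    Handles quoted strings (with \\ and \" escapes) and dword:XXXXXXXX values
    (returned as int); other value types are kept as their raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = (m.group(1) or "@").replace('\\"', '"').replace("\\\\", "\\")
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name.lower()] = data
    return keys


def find_lebreat_indicators(reg):
    """Return human-readable findings for the changes Lebreat.D is described as making."""
    findings = []
    for hive in HIVES:
        for key in RUN_KEYS:
            values = reg.get((hive + "\\" + key).lower(), {})
            for name, exe in RUN_VALUES.items():
                data = values.get(name)
                if isinstance(data, str) and data.strip('"').lower().endswith(exe):
                    findings.append(f"autostart {hive}\\{key} \"{name}\" -> {data}")
        for key, name in POLICY_VALUES:
            values = reg.get((hive + "\\" + key).lower(), {})
            if values.get(name) == 1:
                findings.append(f"policy {hive}\\{key} \"{name}\" = 1")
        prefix = (hive + "\\" + FIREWALL_PREFIX).lower()
        for key, values in reg.items():
            if key.startswith(prefix) and values.get("enablefirewall") == 0:
                findings.append(f"firewall {key} \"EnableFirewall\" = 0")
    return findings


# Constructed export for the example: one autostart entry, three policy values
# and a firewall profile as the worm would leave them, plus benign entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec"="C:\\WINDOWS\\system32\\ccapp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
'''

if __name__ == "__main__":
    for finding in find_lebreat_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The parser compares key paths and value names case-insensitively, as the registry does, so an export produced with a differently cased path still matches. Only a value that is actually set the way the description states (DWORD 1, or EnableFirewall 0) is reported; the NoAutoUpdate = 0 entry in the sample is left alone.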
E-mail Sender
The worm generates the sender's e-mail address using one of the following names:
adam admin alerts alex bob brenda brent dan david fred helen
jack jane jerry joe john jon josh leo linda mary matt michael
mike paul ray robert root sales steve support ted tom
Note: The worm may also use a spoofed sender address collected during e-mail harvesting.
It uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to the harvested e-mail addresses.
E-mail Harvesting
The worm scans all fixed disks and collects e-mail addresses from files whose names match one of the following extensions:
*.asp, *.txt, *.adb, *.tbb, *.dbx, *.html, *.htm, *.wab
and stores them in %Windir%\xzy6.tmp.
The worm skips e-mail addresses that contain any of the following strings:
icrosof, .gov, panda, f-secur, icrosoft, winrar, winzip, @mcafee,
@trendmicro, @mm, @noreply, @sopho, @norman, @virusli, @norton,
@fsecure, @panda, @avp, @microsoft, @symantec
Note: Several strings are stored without their first character so that the comparison does not depend on the case of that character; "icrosof", for instance, matches both "Microsoft" and "microsoft".
E-mail subjects
It randomly selects an e-mail subject from the following list:
- Bug
- Error
- info
- Hello
- Message could not be delivered
- Mail Delivery System
- Importnat Information
- **WARNING** Your Account Currently Disabled.
- Password
Message Body
The e-mail body contains one of the following texts:
- Hello,I was in a hurry and I forgot to attach an important document. Please see attached.
- Binary message is available.
- Here are your banks documents
- Your credit card was charged for $500 USD. For additional information see the attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- The original message was included as an attachment.
- We have temporarily suspended your email account checkout the attachment for more info.
- You have successfully updated the password of your domain account checkout the attachment for more info.
- Important Notification checkout the attachment for more info.
- Your Account Suspended checkout the document.
- Your password has been updated checkout the document.
- checkout the attachment.
E-mail Attachments
The worm attaches a copy of itself under one of the following file names ({spaces} denotes a long run of space characters that pushes the real, executable extension out of view in many mail clients):
- payment.doc {spaces} .scr
- about.doc {spaces} .bat
- help.doc {spaces} .exe
- account-report.exe
- about.cpl
- about.scr
- admin.bat
- archive.cpl
- archive.exe
- box.bat
- box.scr
- data.bat
- data.scr
- doc.pif
- docs.cpl
- docs.scr
- document.cpl
- document.exe
- file.cpl
- inbox.cpl
- inbox.exe
- order.cpl
- order.exe
- read.cpl
- read.exe
- readme.cpl
- readme.scr
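The E-mail Sender, E-mail subjects, Message Body and E-mail Attachments sections above together describe what an outgoing Lebreat.D message looks like. Here is an added Python example of mail-gateway detection logic built from those lists; it is not ESET's code and is not part of the original entry. It parses a raw RFC 822 message with the standard library and returns the indicators found, including the space-padded double extension trick. The two messages are constructed for the example, and the sender check is an assumption (the worm may also spoof harvested addresses, so a sender from the name list is only one signal).

```python
import re
from email import message_from_string

# Indicator lists copied from the description above.
SUBJECTS = {s.lower() for s in (
    "Bug", "Error", "info", "Hello", "Message could not be delivered",
    "Mail Delivery System", "Importnat Information",
    "**WARNING** Your Account Currently Disabled.", "Password",
)}
SENDER_LOCAL_PARTS = set(
    "adam admin alerts alex bob brenda brent dan david fred helen jack jane "
    "jerry joe john jon josh leo linda mary matt michael mike paul ray robert "
    "root sales steve support ted tom".split()
)
BODY_TEXTS = {
    "Hello,I was in a hurry and I forgot to attach an important document. Please see attached.",
    "Binary message is available.",
    "Here are your banks documents",
    "Your credit card was charged for $500 USD. For additional information see the attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The original message was included as an attachment.",
    "We have temporarily suspended your email account checkout the attachment for more info.",
    "You have successfully updated the password of your domain account checkout the attachment for more info.",
    "Important Notification checkout the attachment for more info.",
    "Your Account Suspended checkout the document.",
    "Your password has been updated checkout the document.",
    "checkout the attachment.",
}
ATTACHMENT_NAMES = {
    "account-report.exe", "about.cpl", "about.scr", "admin.bat", "archive.cpl",
    "archive.exe", "box.bat", "box.scr", "data.bat", "data.scr", "doc.pif",
    "docs.cpl", "docs.scr", "document.cpl", "document.exe", "file.cpl",
    "inbox.cpl", "inbox.exe", "order.cpl", "order.exe", "read.cpl", "read.exe",
    "readme.cpl", "readme.scr",
}
EXEC_EXTENSIONS = ("scr", "bat", "exe", "cpl", "pif")
# "payment.doc<many spaces>.scr": harmless-looking extension, padding, real extension
PADDED_NAME_RE = re.compile(r"\.[a-z0-9]+ {2,}\.(" + "|".join(EXEC_EXTENSIONS) + r")$")


def classify_attachment(name):
    """Return why an attachment file name is suspicious, or None."""
    lower = name.lower()
    if lower in ATTACHMENT_NAMES:
        return "attachment name from the Lebreat.D list"
    if PADDED_NAME_RE.search(lower):
        return "space-padded double extension"
    if lower.rsplit(".", 1)[-1] in EXEC_EXTENSIONS:
        return "executable attachment"
    return None


def lebreat_indicators(raw_message):
    """Return the Lebreat.D indicators found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject on list: {subject!r}")
    m = re.search(r'([^<\s@"]+)@', msg.get("From") or "")
    if m and m.group(1).lower() in SENDER_LOCAL_PARTS:
        reasons.append(f"sender local part on list: {m.group(1)}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            why = classify_attachment(filename)
            if why:
                reasons.append(f"{why}: {filename!r}")
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if text.strip() in BODY_TEXTS:
                reasons.append("body text on list")
    return reasons


# Constructed messages for the example; the attachment content is a dummy.
SAMPLE_WORM_MAIL = """\
From: support@example.org
To: victim@example.net
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was included as an attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="payment.doc                    .scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
SAMPLE_BENIGN_MAIL = """\
From: alice@example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free at noon? I will book a table.
"""

if __name__ == "__main__":
    print(lebreat_indicators(SAMPLE_WORM_MAIL))
    print(lebreat_indicators(SAMPLE_BENIGN_MAIL))
```

Each indicator is weak on its own (a legitimate mail can have the subject "Hello" or come from "support"), which is why the function returns all of them and lets the caller decide on a threshold; the space-padded double extension and the fixed attachment names are the strong signals.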
Exploiting technologies
The worm generates random IP addresses and attempts to connect to TCP port 445 on each of them to exploit the LSASS buffer overflow vulnerability (see MS04-011). If the exploit succeeds, the shellcode executed on the target instructs it to connect back to the attacking host and retrieve a copy of the worm: the worm runs FTP.EXE locally on the compromised system with a prepared FTP command file, downloads the copy from the attacking system over the FTP server connection it provides, and then starts the downloaded file.
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Other Details:
The worm also provides FTP server backdoor functionality on TCP port 8885 and tries to perform a denial-of-service attack against www.symantec.com with randomly generated packets.
Win32/Lebreat.D also tries to download and install another worm, which is detected by NOD32 as "Win32/VB.NBY worm".
The worm contains hard-coded text passages in which its author tries to blame Symantec.
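The port-445 sweep described under Exploiting technologies and the FTP backdoor on port 8885 mentioned above are visible on the network, so here is an added Python example of detection logic run over connection-log lines; it is not ESET's code and is not part of the original entry. The log format, the sweep threshold of 20 distinct targets and the assumption that a victim's connect-back for the worm copy arrives on the 8885 backdoor port (the description names the port but does not state which port the connect-back uses) are assumptions of this example, and the log lines are constructed.

```python
import re
from collections import defaultdict

# One connection attempt per line, in a constructed log format assumed for this
# example: "<timestamp> <src>:<sport> -> <dst>:<dport> <tcp flag>"
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\w+)$"
)
SWEEP_THRESHOLD = 20   # distinct tcp/445 targets from one host; a tuning assumption
BACKDOOR_PORT = 8885   # the worm's FTP server port from the description above


def parse_flows(text):
    """Parse log lines into (timestamp, src, sport, dst, dport, flag) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, flag = m.groups()
            flows.append((ts, src, int(sport), dst, int(dport), flag.upper()))
    return flows


def detect_lebreat_activity(flows, threshold=SWEEP_THRESHOLD):
    """Flag hosts sweeping tcp/445 and hosts contacted on the tcp/8885 backdoor.

    A host that sweeps tcp/445 and then receives 8885 connections from its own
    targets matches the infection chain described above: exploit first, then
    the victim connects back to fetch the worm copy over FTP.
    """
    targets_445 = defaultdict(set)    # src -> dsts it tried on tcp/445
    clients_8885 = defaultdict(set)   # dst -> srcs that connected to tcp/8885
    for _ts, src, _sport, dst, dport, flag in flows:
        if flag != "SYN":             # connection attempts only, not replies
            continue
        if dport == 445:
            targets_445[src].add(dst)
        elif dport == BACKDOOR_PORT:
            clients_8885[dst].add(src)
    findings = []
    for host, dsts in sorted(targets_445.items()):
        if len(dsts) >= threshold:
            callbacks = sorted(clients_8885.get(host, set()) & dsts)
            findings.append({
                "host": host,
                "rule": "tcp/445 sweep" + (" with connect-back on 8885" if callbacks else ""),
                "targets": len(dsts),
                "backdoor_clients": callbacks,
            })
    for host, clients in sorted(clients_8885.items()):
        if len(targets_445.get(host, ())) < threshold:   # not already reported above
            findings.append({"host": host, "rule": "tcp/8885 backdoor contacted",
                             "targets": 0, "backdoor_clients": sorted(clients)})
    return findings


def _constructed_flow_log():
    """Constructed sample: three ordinary SMB sessions, one sweeping host, one connect-back."""
    lines = [f"2005-07-25T09:00:0{i} 10.0.0.1{i}:1025 -> 10.0.0.2:445 SYN" for i in range(3)]
    lines += [f"2005-07-25T09:01:{i:02d} 10.0.0.5:{3000 + i} -> 203.0.113.{i + 1}:445 SYN"
              for i in range(25)]
    lines.append("2005-07-25T09:01:30 203.0.113.7:1040 -> 10.0.0.5:8885 SYN")
    lines.append("2005-07-25T09:01:31 10.0.0.5:8885 -> 203.0.113.7:1040 SYNACK")
    return "\n".join(lines)


SAMPLE_FLOW_LOG = _constructed_flow_log()

if __name__ == "__main__":
    for finding in detect_lebreat_activity(parse_flows(SAMPLE_FLOW_LOG)):
        print(finding)
```

The three ordinary clients talking to one file server on 445 stay below the threshold, while the host that tried 25 different addresses on 445 and was then contacted on 8885 by one of them is reported once, with the connect-back noted; the reply packet from the backdoor port is ignored because only SYNs count as attempts.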
©1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission

