searchEngine

2008/08/03

New Worm Lebreat poses as Anti Virus

A new mass-mailer and network worm is on the loose, called W32/Lebreat.A. The worm claims to be ‘Breatle AntiVirus v1.0’ and spreads both over email and by exploiting network vulnerabilities. The worm uses vulnerabilities in the RPC and LSASS services on Windows to propagate over networks. It also mass-mails itself to people using a variable email message. Shortly after the initial infection was discovered, two variants appeared.

The worm also has a backdoor, a Trojan downloader and a Denial of Service component, which it is understood to use to attempt a DoS attack against ‘www.symantec.com’.

The worm itself is about 15k bytes long and has been compressed with the MEW file compressor and then patched with PE_Patch. When the worm is first run it installs itself into the Windows System directory as the file CCAPP.EXE and then creates Windows registry keys to ensure it starts up at reboot. It also makes a copy of itself in the Windows System folder in a file called ATTACH.TMP; both files are created with the hidden attribute.

When sending emails the worm looks for email addresses on the drives of the system, searching various file types. The worm also tries to avoid sending emails to various anti-virus companies and the US government. It then sends a mail with the subject and text taken from a short list of possibilities.

The worm attempts to spread using the LSASS exploit for the Windows vulnerability described in MS04-011.

The worm also tries to open a back door on TCP port 8885; this port serves an FTP server that can be used to manipulate files on the infected PC. The worm also tries to change the security settings of Windows by adding or modifying certain registry values.
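As an added example (not from the original post or from F-Secure's write-up), the following Python script turns the host indicators above into a simple triage check: it looks for the dropped files CCAPP.EXE and ATTACH.TMP carrying the hidden attribute in the System directory, and for anything listening on TCP 8885. The `attrib`-style and `netstat -ano`-style lines it parses are constructed sample data; on a real machine you would feed it the actual output of those commands. A file name alone is weak evidence, since legitimate software can use similar names, so the check also requires the hidden attribute and the System directory location the post describes.

```python
"""Triage check for the W32/Lebreat.A host indicators described in the post.

Indicators used (all from the write-up): hidden CCAPP.EXE and ATTACH.TMP in
the Windows System directory, and an FTP backdoor listening on TCP 8885.
The sample listing lines below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

DROPPED_FILES = {"CCAPP.EXE", "ATTACH.TMP"}
BACKDOOR_PORT = 8885

# Matches lines in the shape printed by `netstat -ano` on Windows:
#   TCP    0.0.0.0:8885    0.0.0.0:0    LISTENING    1720
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+(?P<state>\w+)\s+(?P<pid>\d+)\s*$"
)

# Constructed sample of `attrib` output: attribute letters, then the path.
ATTRIB_LINES = [
    "A            C:\\WINDOWS\\system32\\notepad.exe",
    "A    H       C:\\WINDOWS\\system32\\CCAPP.EXE",
    "A    H       C:\\WINDOWS\\system32\\ATTACH.TMP",
    "A            C:\\WINDOWS\\system32\\ccapp.dll",
]

# Constructed sample of `netstat -ano` output.
NETSTAT_LINES = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032",
    "  TCP    0.0.0.0:8885           0.0.0.0:0              LISTENING       1720",
    "  TCP    192.168.1.5:49152      10.0.0.2:80            ESTABLISHED     2204",
]


@dataclass
class Findings:
    hidden_files: list = field(default_factory=list)   # full paths of dropped files
    listeners: list = field(default_factory=list)      # (local address, pid) on 8885

    @property
    def suspicious(self) -> bool:
        return bool(self.hidden_files or self.listeners)


def scan_attrib_listing(lines, system_dir="C:\\WINDOWS\\SYSTEM32"):
    """Return paths of the worm's dropped files that are hidden and in system_dir.

    Each `attrib` line is attribute letters followed by the path; 'H' is the
    hidden attribute.  Name and directory are compared case-insensitively,
    matching Windows file-system semantics.
    """
    hits = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 2:
            continue
        path, attrs = tokens[-1], set(tokens[:-1])
        directory, _, name = path.rpartition("\\")
        if (name.upper() in DROPPED_FILES
                and "H" in attrs
                and directory.upper() == system_dir.upper()):
            hits.append(path)
    return hits


def find_backdoor_listeners(lines, port=BACKDOOR_PORT):
    """Return (local address, pid) for every TCP socket LISTENING on `port`."""
    found = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m and m.group("state") == "LISTENING" and int(m.group("lport")) == port:
            found.append((m.group("laddr"), int(m.group("pid"))))
    return found


def triage(attrib_lines, netstat_lines):
    """Combine both checks into one Findings record."""
    return Findings(
        hidden_files=scan_attrib_listing(attrib_lines),
        listeners=find_backdoor_listeners(netstat_lines),
    )


if __name__ == "__main__":
    result = triage(ATTRIB_LINES, NETSTAT_LINES)
    print("suspicious:", result.suspicious)
    for path in result.hidden_files:
        print("hidden dropped file:", path)
    for addr, pid in result.listeners:
        print(f"backdoor listener on {addr}:{BACKDOOR_PORT} (pid {pid})")
```

Either indicator on its own is enough to flag a host for a closer look; the listener check is the cheaper one to run across a fleet, while the file check confirms the dropped copies the post describes.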

Finally it attempts to pull a Trojan from a remote web site, depending on which variant this could be a mass mailer or a backdoor Trojan.

You can find out more about Lebreat here at F-Secure.
