| Virus Information |
| Profile | Prevalence: Medium |
| Name | W32/Lebreat-F |
| Type | Worm |
| How it spreads | Network Shares |
| Affected operating systems | Windows |
| Aliases | -- |
| Date of surface | 24 August 2005 |
Description
This is a mass-mailing worm and backdoor for the Windows platform. It spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039).
It can also act as an FTP server that allows access to remote users, and it attempts to download and execute a file from a predefined URL.
Recovery
To remove the virus, do one of the following:
1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that Internet access for your system is running. Right click on and click Download eScan update. The latest updates are downloaded, your system is scanned and the worm is removed.
OR
2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses. If any illegal dialers or sniffer tools have been installed, they are detected.
MWAV Tool Kit (Download the free MicroWorld Anti Virus Toolkit that detects viruses in system registry and running processes)
eScan Internet Security Suite (ISS) (Download MicroWorld's eScan that detects viruses in system registry, running processes and has a real time monitor)
Advanced
W32/Lebreat-F copies itself to any folders with names containing `shar` with the following filenames:

XXX hardcore images.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
New patch.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Kaspersky Antivirus 5.0.exe
Ahead Nero 7.exe

W32/Lebreat-F will drop files to the following locations:

"Windows folder"\beagle.exe
"Windows system folder"\beagle.exe
"Windows folder"\scan.exe
"Windows folder"\sgm32.dll
"Windows system folder"\mcafee.exe

W32/Lebreat-F will move itself to the Windows system folder and create the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winhost
"Windows system folder"\winhost.exe

It will also copy itself to the following files located in the Windows system folder:

"several spaces".exe
e images.exe
e.doc"several spaces".exe
Windows Sourcecode update.doc"several spaces".exe
winhost.tmp

W32/Lebreat-F removes a large number of registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Lebreat-F will also send itself to email addresses harvested from the infected computer with the following attributes:

Subject line:

Changes..
Fax Message
Forum notify
Incoming message
Notification
Protected message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Message
Re: Incoming Msg
Re: Message Notify
Re: Msg reply
Re: Protected message
Re: Text message
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Site changes
Update

Message text:

Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Encrypted document
Here is the file.
Message is in attach
More info is in attach
Pay attention at the attach.
Please, have a look at the attached file.
Please, read the document.
Read the attach.
See attach.
See the attached file for details.
Try this.
webmaster
Your document is attached.
Your file is attached.
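
The file and registry indicators listed above, expressed as a triage check over a file listing. This is an added example, not part of the original advisory or of any vendor tool. It assumes C:\Windows and C:\Windows\System32 for the two folders and treats "several spaces" as two or more spaces; the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the advisory's "Windows folder" / "Windows system folder".
WIN = PureWindowsPath(r"C:\Windows")
SYS = WIN / "System32"
# Lure names listed for folders whose name contains "shar" (spelling as listed).
SHARE_LURES = {n.lower() for n in (
    "XXX hardcore images.exe", "Windown Longhorn Beta Leak.exe",
    "WinAmp 6 New!.exe", "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno pics arhive, xxx.exe", "Porno Screensaver.scr", "New patch.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Kaspersky Antivirus 5.0.exe", "Ahead Nero 7.exe")}
# Fixed-name files the advisory places in the Windows and system folders.
DROPPED = {str(p).lower() for p in (
    WIN / "beagle.exe", SYS / "beagle.exe", WIN / "scan.exe",
    WIN / "sgm32.dll", SYS / "mcafee.exe", SYS / "winhost.exe",
    SYS / "winhost.tmp")}
# Assumption: "several spaces" means two or more spaces right before ".exe".
PADDED_EXE = re.compile(r" {2,}\.exe$", re.IGNORECASE)

def classify(path):
    """Return the advisory indicators that one Windows path matches."""
    p = PureWindowsPath(path)
    hits = []
    if str(p).lower() in DROPPED:
        hits.append("dropped-file")
    in_share = any("shar" in part.lower() for part in p.parts[:-1])
    if in_share and p.name.lower() in SHARE_LURES:
        hits.append("share-lure")
    if p.parent == SYS and PADDED_EXE.search(p.name):
        hits.append("padded-exe")
    return hits

def run_value_matches(name, data):
    """True for a Run value named winhost pointing at winhost.exe in SYS."""
    return (name.lower() == "winhost"
            and PureWindowsPath(data.strip('"')) == SYS / "winhost.exe")

def scan(paths):
    return {p: hits for p in paths if (hits := classify(p))}

# Constructed sample listing, not taken from a real host.
SAMPLE = [r"C:\Windows\beagle.exe", r"D:\Shared Docs\New patch.exe",
          r"C:\Windows\System32\Windows Sourcecode update.doc      .exe",
          r"C:\Users\a\Downloads\New patch.exe", r"C:\Windows\System32\notepad.exe"]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

The lure names only count inside a folder whose path contains `shar`, which is why the copy under Downloads in the sample is not flagged.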