W32/Reatle.gen@MM
- Type: Virus
- SubType:
- Discovery Date: 07/15/2005
- Length: various
- Minimum DAT: 4536 (07/15/2005)
- Updated DAT: 4649 (12/13/2005)
- Minimum Engine: 5.1.00
- Description Added: 07/15/2005
- Description Modified: 08/30/2005 4:05 PM (PT)
Characteristics
This detection covers several variants of a mass-mailing worm written in MSVC and packed with MEW. The worm has the following characteristics:
- contains its own SMTP engine for mailing itself
- outgoing messages carry a spoofed From: address
- attempts to propagate to remote machines via two old exploits:
- attempts to download two other binaries (at the time of writing these are detected as W32/Generic.m and W32/Sdbot.worm.gen.bj with the specified DATs)
Symptoms
- Registry editor disabled via a Registry key (see the Method of Infection section)
- Task Manager disabled via a Registry key (see the Method of Infection section)
- Existence of the specified files/Registry keys on the victim machine
Method of Infection
---- Update August 25, 2005 ---
File Size = 61,291 bytes or 14,848 bytes
Registry Keys Added
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost: %sysdir%\winhost.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PNP: "%sysdir%\wuaaclt.exe"
Files Added
- %sysdir%\beagle.exe - detected as W32/Bagle.cb@MM virus
- %sysdir%\mcafee.exe - detected as W32/Reatle.gen@MM virus
- %sysdir%\winhost.exe - detected as W32/Reatle.gen@MM virus
- %sysdir%\winhost.tmp - detected as W32/Reatle.gen@MM virus
- %windir%\bagle.exe - detected as W32/Bagle.cb@MM virus
- %windir%\scan.exe - detected as W32/Reatle.gen@MM virus
- %windir%\sgm.dll - a text file containing all the e-mail addresses harvested from the system
The worm also drops multiple copies of itself in %sysdir% with a blank name, for example " .exe".
*Where %sysdir% = c:\WINDOWS\system32\ and %windir% = c:\WINDOWS on XP.
Modifies the hosts file, adding the following entries so that the listed security vendor sites resolve to the loopback address:
- 127.0.0.1 www.trendmicro.com
- 127.0.0.1 www.symantec.com
- 127.0.0.1 us.mcafee.com
- 127.0.0.1 liveupdate.symantec.com
- 127.0.0.1 f-secure.com
- 127.0.0.1 trendmicro.com
- 127.0.0.1 www.sarc.com
- 127.0.0.1 www.pandasoftware.com
- 127.0.0.1 symantec.com
- 127.0.0.1 www.mcafee.com
- 127.0.0.1 sophos.com
- 127.0.0.1 mcafee.com
- 127.0.0.1 www.sophos.com
- 127.0.0.1 www.kaspersky.com
- 127.0.0.1 ca.com
- 127.0.0.1 www.my-etrust.com
- 127.0.0.1 download.mcafee.com
- 127.0.0.1 www.f-secure.com
- 127.0.0.1 kaspersky.com
- 127.0.0.1 www.nai.com
- 127.0.0.1 pandasoftware.com
- 127.0.0.1 www.ca.com
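A defender-side check for the hosts-file tampering described above, added here as an example (not code from the McAfee description): it parses hosts-file text and reports any of the vendor domains listed above that have been pointed at a loopback or unspecified address. The sample hosts content is constructed.

```python
# Added example (not from the McAfee description): scan hosts-file text for
# security-vendor domains that have been pointed at a non-routable address,
# the tampering this worm performs to block AV sites and updates.
import ipaddress
from typing import List, Tuple

# Vendor domains listed on this page as being redirected by the worm.
WATCHED_DOMAINS = {
    "trendmicro.com", "symantec.com", "mcafee.com", "f-secure.com",
    "sarc.com", "pandasoftware.com", "sophos.com", "kaspersky.com",
    "ca.com", "my-etrust.com", "nai.com",
}

def _is_sinkhole(addr: str) -> bool:
    """True for loopback or unspecified targets (127.x.x.x, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def _matches_watched(host: str) -> bool:
    """Match the host itself or any subdomain of a watched domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hosts_tampering(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every suspicious mapping."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not _is_sinkhole(addr):
            continue
        hits.extend((n, addr, name) for name in names if _matches_watched(name))
    return hits

# Constructed sample: a normal localhost line plus worm-style entries.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
0.0.0.0 download.mcafee.com   # update server also blocked
10.0.0.5 www.sophos.com       # not a sinkhole address, so not flagged
"""

if __name__ == "__main__":
    for line_no, addr, name in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```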
The From: address is spoofed using one of the following local parts:
- root@
- rating@
- postmaster@
- noone@
- nobody@
- info@
- help@
- gold-certs@
- contract@
- bugs@
- anyone@
and one of the following domains:
- @microsoft
- @messagelab
- @iana
- @avp.
- @trendmicro.com
- @sarc.com
- @msn.com
- @f-secure.com
- @securityfocus.com
- @security.com
- @kaspersky.com
- @symantec.com
- @sophos.com
- @yahoo.com
- @mcafee.com
- @microsoft.com
- @ca.com
- @aol.com
The message body is one of:
- Here is the file.
- Message is in attach
- See the attached file for details.
- Pay attention at the attach.
- Check attached file.
- Check attached file for details.
- Attached file tells everything.
- Attach tells everything.
- Please, read the document.
- Your document is attached.
- Please, have a look at the attached file.
- See attach.
- More info is in attach
- Try this.
- Your file is attached.
- Read the attach.
The subject line is one of:
- Encrypted document
- Re: Hi
- Site changes
- Forum notify
- Re: Protected message
- Protected message
- Fax Message
- Update
- Changes..
- Notification
- Re: Message Notify
- Re: Incoming Msg
- Re: Incoming Message
- Incoming message
- Re: Document
- Re: Text message
- Re: Thanks :)
- Re: Thank you!
- Re: Yahoo!
- Re: Hello
- Re: Msg reply
Drops copies of itself under the following names, possibly into each shared folder on the system (it looks for folder names containing the string "shar"). Note: the same file names can also be used for copies dropped in the %sysdir% folder.
- XXX hardcore images.exe
- Windows Sourcecode update.doc .exe
- Windown Longhorn Beta Leak.exe
- WinAmp 6 New!.exe
- Serials.txt .exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno pics arhive, xxx.exe
- Porno Screensaver.scr
- New patch.exe
- New document.doc .exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Microsoft Office 2003 Crack, Working!.exe
- Kaspersky Antivirus 5.0.exe
- Ahead Nero 7.exe
- winhost.tmp
- t .exe
- e images.exe
In addition to j0r.biz (see the Download section), it can contact the following websites:
- postertog.de
- www.maiklibis.de
Listens on the following TCP ports:
- 9955, 9958, 9112
----Finished Update August 25, 2005 ---
Installation
When run, the worm copies itself into the Windows system directory as ATTACH.TMP and CCAPP.EXE, for example:
- c:\WINDOWS\system32\ATTACH.TMP
- c:\WINDOWS\system32\CCAPP.EXE
The following Registry keys are set to hook system startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Symantec" = C:\WINDOWS\System32\ccapp.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "Symantec" = C:\WINDOWS\System32\ccapp.exe
The worm attempts to hinder its discovery/removal by restricting access to the Registry editor and Task Manager, by setting the following keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableRegistryTools" = 01, 00, 00, 00
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = 01, 00, 00, 00
Mass-Mailing
The worm mails itself to email addresses harvested from the victim machine - files with the following extensions are harvested:
- rb
- asp
- txt
- adb
- tbb
- dbx
- html
- wab
- htm
The From: address of the outgoing messages is spoofed. For this purpose the worm carries a large number of forenames in its body, together with a list of domains:
- @nai.com
- @gmail.com
- @trendmicro.com
- @support.com
- @matrix.com
- @aol.com
- @ca.com
- @mcafee.com
- @arcor.com
- @antivirus.com
- @google.com
- @hotmail.com
- @yahoo.com
- @microsoft.com
- @msn.com
- @symantec.com
The attachment is a copy of the worm, with one of the following filenames:
- account-report.exe
- payment.doc (many spaces) .scr
- about.doc (many spaces) .bat
- help.doc (many spaces) .exe
- about.cpl
- archive.cpl
- about.scr
- archive.exe
- box.bat
- inbox.cpl
- box.scr
- inbox.exe
- docs.cpl
- admin.bat
- docs.scr
- read.cpl
- readme.cpl
- read.exe
- readme.scr
- data.scr
- file.cpl
- data.bat
- document.cpl
- doc.pif
- document.exe
- order.cpl
- order.exe
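An added example (not from the original description) that covers both the dropped-file names in the Method of Infection section and the attachment names listed above: it flags the two masquerades the page describes, a document-style name padded with spaces before an executable extension, and a blank or whitespace-only name such as " .exe". The extension sets and sample names are assumptions modelled on the page's lists; plain executable names without these tricks are not flagged.

```python
# Added example (not from the McAfee description): flag attachment or dropped
# file names that use the masquerades listed on this page: a document-looking
# name padded with spaces before a real executable extension, and names whose
# stem is blank or whitespace-only (" .exe").
import re
from typing import Dict, List

# Executable and script extensions used by the worm's attachments and copies.
EXEC_EXTS = {".exe", ".scr", ".bat", ".cpl", ".pif", ".com"}
# Extensions a recipient would read as harmless documents or data (assumed set).
DECOY_EXTS = {".doc", ".txt", ".pdf", ".rtf", ".htm", ".html", ".jpg"}
# A decoy extension followed by whitespace at the end of the stem.
PADDED_DECOY = re.compile(r"(\.[A-Za-z0-9]{2,5})(\s+)$")

def suspicious_filename(name: str) -> List[str]:
    """Return the reasons a name looks like a masquerade; [] if nothing found."""
    reasons: List[str] = []
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext.lower() if dot else ""
    if ext not in EXEC_EXTS:
        return reasons                     # only executables are of interest
    if stem.strip() == "":
        reasons.append(f"blank or whitespace-only name before {ext}")
        return reasons
    m = PADDED_DECOY.search(stem)
    if m and m.group(1).lower() in DECOY_EXTS:
        reasons.append(f"decoy extension {m.group(1)} padded with "
                       f"{len(m.group(2))} space(s) before {ext}")
    elif stem != stem.rstrip():
        reasons.append(f"trailing whitespace before {ext}")
    return reasons

def scan_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := suspicious_filename(n))}

# Constructed sample names modelled on the page's lists.
SAMPLE_NAMES = [
    "payment.doc                              .scr",
    "Serials.txt .exe",
    " .exe",
    "t .exe",
    "quarterly-report.doc",
    "archive.exe",
]

if __name__ == "__main__":
    for name, reasons in scan_names(SAMPLE_NAMES).items():
        print(repr(name), "->", "; ".join(reasons))
```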
The worm avoids mailing itself to email addresses containing any of the following strings:
- icrosof
- .gov
- panda
- f-secur
- icrosoft
- winrar
- winzip
- @mcafee
- @trendmicro
- @mm
- @noreply
- @sopho
- @norman
- @virusli
- @norton
- @fsecure
- @panda
- @avp
- @microsoft
- @symantec
Download
The worm attempts to download a binary via a URL hardcoded in its body. Administrators should block access to the following domain:
h t t p://j0r.biz
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Reatle@mm (Symantec)