McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Net-Worm.Win32.Lebreat.m (Kaspersky)

• W32.Reatle.I@mm (Symantec)

• W32/Breatle.F@mm (F-prot)

• WORM_REATLE.F (Trend Micro)

Characteristics

This detection is for several variants of a mass-mailing worm written in MSVC, and packed with NSPACK. The worm bears the following characteristics:

• contains its own SMTP engine for mailing itself
  • outgoing messages have spoofed From: address
• attempts to propagate to remote machines via two exploits
  • PNP
  • LSASS
• Drops another file detected as W32/Bagle.cb@ MM virus. It also attempts to download 2 other binaries. At the time of writing, these are detected as W32/Generic.m, and W32/Sdbot.worm.gen.bj with the specified DATs.)
  

Symptoms

• Existence of the specified files/Registry keys on the victim machine

Method of Infection

Registry Keys Added

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run\winhost :%sysdir%\winhost.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run\PNP: "%sysdir%\wuaaclt.exe"

Files Added

%sysdir%\beagle.exe - detected as W32/Bagle.cb @MM virus
%sysdir%\mcafee.exe - detected as W32/Reatle.gen @MM virus
%sysdir%\winhost.exe - detected as W32/Reatle.gen @MM virus
%sysdir%\winhost.tmp - detected as W32/Reatle.gen @MM virus
%windir%\bagle.exe - detected as W32/Bagle.cb @MM virus
%windir%\scan.exe - detected as W32/Reatle.gen @MM virus
%windir%\sgm.dll - This is a text file containing all the e-mail addresses harvested from the system.

Also adds multiple copies of itself in %sysdir% with blank name. For example "     .exe".

*Where %sysdir% = c:\WINDOWS\system32\ and %windir%=c:\WINDOWS in XP

Modifies host file and adds following entries

127.0.0.1 www.trendmicro.com
127.0.0.1 www.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 f-secure.com
127.0.0.1 trendmicro.com
127.0.0.1 www.sarc.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 mcafee.com
127.0.0.1 www.sophos.com
127.0.0.1 www.kaspersky.com
127.0.0.1 ca.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.nai.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.ca.com

Spoofs the messages from

root@
rating@
postmaster@
noone@
nobody@
info@
help@
gold-certs@
contract@
bugs@
anyone@

and from the following domains

@microsoft
@messagelab
@iana
@avp.
@trendmicro.com
@sarc.com
@msn.com
@f-secure.com
@securityfocus.com
@security.com
@kaspersky.com
@symantec.com
@sophos.com
@yahoo.com
@mcafee.com
@microsoft.com
@ca.com
@aol.com
@microsoft
@messagelab
@iana
@avp.

With the Message Body

Here is the file.
Message is in attach
See the attached file for details.
Pay attention at the attach.
Check attached file.
Check attached file for details.
Attached file tells everything.
Attach tells everything.
Please, read the document.
Your document is attached.
Please, have a look at the attached file.
See attach.
More info is in attach
Try this.
Your file is attached.
Read the attach.

With the Subject line

Encrypted document
Re: Hi
Site changes
Forum notify
Re: Protected message
Protected message
Fax Message
Update
Changes..
Notification
Re: Message Notify
Re: Incoming Msg
Re: Incoming Message
Incoming message
Re: Document
Re: Text message
Re: Thanks :)
Re: Thank you!
Re: Yahoo!
Re: Hello
Re: Msg reply

Drops its copies by the following names (possibly in each of the shared folders in the system). Looks for folder name having string "shar". Note: The same file names can also be used to drop its own copies in %sysdir% folder.

XXX hardcore images.exe
Windows Sourcecode update.doc                                           .exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
Serials.txt                                           .exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
New patch.exe
New document.doc                                           .exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Kaspersky Antivirus 5.0.exe
Ahead Nero 7.exe
winhost.tmp
t                                           .exe
e images.exe

Additional to (http:// j0r.biz) it can contact the following websites

• postertog.de
• www.maiklibis.de

Listens on TCP ports

• 9955, 9958, 9112
  

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Net-Worm.Win32.Lebreat.m (Kaspersky)

• W32.Reatle.I@mm (Symantec)

• W32/Breatle.F@mm (F-prot)

• WORM_REATLE.F (Trend Micro)

Characteristics

Characteristics -

This detection is for several variants of a mass-mailing worm written in MSVC, and packed with NSPACK. The worm bears the following characteristics:

• contains its own SMTP engine for mailing itself
  • outgoing messages have spoofed From: address
• attempts to propagate to remote machines via two exploits
  • PNP
  • LSASS
• Drops another file detected as W32/Bagle.cb@ MM virus. It also attempts to download 2 other binaries. At the time of writing, these are detected as W32/Generic.m, and W32/Sdbot.worm.gen.bj with the specified DATs.)
  

Symptoms

Symptoms -

• Existence of the specified files/Registry keys on the victim machine

Method of Infection

Method of Infection -

Registry Keys Added

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run\winhost :%sysdir%\winhost.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run\PNP: "%sysdir%\wuaaclt.exe"

Files Added

%sysdir%\beagle.exe - detected as W32/Bagle.cb @MM virus
%sysdir%\mcafee.exe - detected as W32/Reatle.gen @MM virus
%sysdir%\winhost.exe - detected as W32/Reatle.gen @MM virus
%sysdir%\winhost.tmp - detected as W32/Reatle.gen @MM virus
%windir%\bagle.exe - detected as W32/Bagle.cb @MM virus
%windir%\scan.exe - detected as W32/Reatle.gen @MM virus
%windir%\sgm.dll - This is a text file containing all the e-mail addresses harvested from the system.

Also adds multiple copies of itself in %sysdir% with blank name. For example "     .exe".

*Where %sysdir% = c:\WINDOWS\system32\ and %windir%=c:\WINDOWS in XP

Modifies host file and adds following entries

127.0.0.1 www.trendmicro.com
127.0.0.1 www.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 f-secure.com
127.0.0.1 trendmicro.com
127.0.0.1 www.sarc.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 mcafee.com
127.0.0.1 www.sophos.com
127.0.0.1 www.kaspersky.com
127.0.0.1 ca.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.nai.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.ca.com

Spoofs the messages from

root@
rating@
postmaster@
noone@
nobody@
info@
help@
gold-certs@
contract@
bugs@
anyone@

and from the following domains

@microsoft
@messagelab
@iana
@avp.
@trendmicro.com
@sarc.com
@msn.com
@f-secure.com
@securityfocus.com
@security.com
@kaspersky.com
@symantec.com
@sophos.com
@yahoo.com
@mcafee.com
@microsoft.com
@ca.com
@aol.com
@microsoft
@messagelab
@iana
@avp.

With the Message Body

Here is the file.
Message is in attach
See the attached file for details.
Pay attention at the attach.
Check attached file.
Check attached file for details.
Attached file tells everything.
Attach tells everything.
Please, read the document.
Your document is attached.
Please, have a look at the attached file.
See attach.
More info is in attach
Try this.
Your file is attached.
Read the attach.

With the Subject line

Encrypted document
Re: Hi
Site changes
Forum notify
Re: Protected message
Protected message
Fax Message
Update
Changes..
Notification
Re: Message Notify
Re: Incoming Msg
Re: Incoming Message
Incoming message
Re: Document
Re: Text message
Re: Thanks :)
Re: Thank you!
Re: Yahoo!
Re: Hello
Re: Msg reply

Drops its copies by the following names (possibly in each of the shared folders in the system). Looks for folder name having string "shar". Note: The same file names can also be used to drop its own copies in %sysdir% folder.

XXX hardcore images.exe
Windows Sourcecode update.doc                                           .exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
Serials.txt                                           .exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
New patch.exe
New document.doc                                           .exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Kaspersky Antivirus 5.0.exe
Ahead Nero 7.exe
winhost.tmp
t                                           .exe
e images.exe

Additional to (http:// j0r.biz) it can contact the following websites

• postertog.de
• www.maiklibis.de

Listens on TCP ports

• 9955, 9958, 9112
  

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A