W32/Lebreat.F is a mass mailing worm. This worm is a variant of W32/Lebreat.A. The worm will infect Windows systems and spreads through email.

This worm exploits LSASS and PnP vulnerabilities present in Windows as explained by Microsoft Security Bulletin MS04-011 and MS05-039.

The infected mail 'From' address prefix will be any one of the following;

admin
root
support
webmaster

the suffix after '@' character will be any one of the following domains;

@aol.com
@ca.com
@f-secure.com
@kaspersky.com
@mcafee.com
@microsoft.com
@msn.com
@sarc.com
@security.com
@securityfocus.com
@sophos.com
@symantec.com
@trendmicro.com
@yahoo.com

The subject of the infected mail will be any one of the following;

Re: Thanks :)
Re: Yahoo!
Fax Message
Forum notify
Incoming message
Site changes
Update
Hello
Changes..
Encrypted document
Notification
Protected message
Re: Thank you!
Re:
Re: Document
Re: Hello
Re: Hi
Re: Incoming Message
Re: Incoming Msg
Re: Message Notify
Re: Msg reply
Re: Protected message
Re: Text message

The body of the infected mail will be any one of the following;

Pay attention at the attach.
Please, have a look at the attached file.
Check attached file for details.
Check attached file.
Here is the file.
Please, read the document.
Read the attach.
See attach.
See the attached file for details.
Try this.
Your document is attached.
Your file is attached.
Attach tells everything.
Attached file tells everything.
Message is in attach
More info is in attach

The infected attachment will be any one of the following;

Information.doc [blank spaces] .exe
Updates.doc [blank spaces] .exe
Readme.doc [blank spaces] .exe
Info.doc [blank spaces] .exe
Document.doc [blank spaces] .exe
Details.doc [blank spaces] .exe
text_document.doc [blank spaces] .exe
MoreInfo.doc [blank spaces] .exe
Message.doc [blank spaces] .exe

Upon execution, the worm copies itself as winhost.exe and winhost.tmp in the Windows system folder.

It alters the windows registry at the following location to load itself during next startup;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also drops a copy of a trojan in the Windows folder and Windows system folder.

It downloads a copy of a worm from the following link;

http://[BLOCKED]/proto.com

To propogate itself, the worm copies itself in the following names to the folders containing the string "share".

Porno, sex, oral, anal cool, awesome!!.exe
Kaspersky Antivirus 5.0.exe
Microsoft Office 2003 Crack, Working!.exe
Serials.txt[blank spaces].exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc[blank spaces].exe
XXX hardcore images.exe
Ahead Nero 7.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
New document.doc[blank spaces].exe
New patch.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr

The worm also scans the files having the following extensions and collects all the available email addresses from the infected system;

xml, jsp, dbx, adb, cgi, sht, wab, asp, php, txt, eml, html and htm

The worm mails itself to these addresses using its own SMTP engine.

Microsoft has released the patch for the MS05-039 and MS04-011 vulnerabilities. It can be downloaded from the following links:

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Users should apply these patches downloaded from the links provided above to remove the vulnerabilities inherent in the system.

This worm first appeared on 25th August, 2005.

 Other names of W32/Lebreat.F Worm:

This Worm is also known as W32/Lebreat-F, W32.Reatle.I@mm, WORM_REATLE.F.