Sasser's heirs spread slowly

Joris Evers CNET News

Published: 18 Jul 2005 09:30 BST


A double-edged threat that attempts to hijack Windows PCs has surfaced in at least three variants, security companies warned on Friday.

The new pest, Lebreat, is a combined network worm and mass-mailing worm, F-Secure said. Once run on a PC, it installs a backdoor for hackers, downloads the mass-mailer code and attempts to launch a DoS attack that targets security giant Symantec's Web site, the Finnish antivirus specialist said. The malicious code is also known as Breatle and Reatle at other antivirus companies.

"This virus claims to be 'Breatle AntiVirus v1.0', and it spreads over both email and network vulnerabilities," F-Secure said in its advisory.

The network-worm part of Lebreat exploits a known Windows flaw in a component called the Local Security Authority Subsystem Service (LSASS), the security company said. The LSASS vulnerability was also used by the Sasser worm, F-Secure said in its advisory. Microsoft issued a patch for the LSASS flaw last year.

Lebreat is also a mass-mailer, which means it travels as an attachment in an email message.

Once installed, Lebreat harvests email addresses from the compromised PC and starts sending itself to those addresses. It also begins scanning the Internet for computers vulnerable to the LSASS flaw. On the PC, it installs the backdoor and attempts to tweak Windows settings to disable security features such as system restore and automatic updates, but fails to do so, F-Secure said.

As is common with email worms, Lebreat uses a number of subject lines, message body texts and names for the attachment, F-Secure said. One example of a body text is: "Your credit card was charged for $500 USD [£285]. For additional information see the attachment." The sender address is also faked.

Shortly after the first version of Lebreat appeared, two variants were detected, F-Secure said. The mutations have largely the same payload. F-Secure ranks Lebreat as a "Level 2" threat, which means it is causing large infections, according to a notice on the F-Secure Web site.

MessageLabs had stopped 5,636 copies of email messages containing Lebreat by late Friday morning, a company representative said. The email security specialist classifies it as a "medium outbreak".

Symantec has also detected the worm, but has not seen it spread widely, said Dave Cole, a director of product management at Symantec Security Response. Cole confirmed that the worm attempts to launch a DDoS attack against the Symantec Web site, but the company is not worried about it. "We don't expect this to create problems," he said.

To protect against Lebreat, as with other threats, users should be cautious when opening email attachments, apply security patches and run up-to-date antivirus software, security companies advised.
