New Lebreat worm tries to attack corporate networks
July 15, 2005
Internet security companies warned today that a new worm virus discovered Thursday attempts to compromise corporate networks and PCs, and has so far surfaced in at least three different variants.
The new worm-virus, Lebreat, is both a network worm and a mass-mailing virus, F-Secure said. Once run on a PC, it installs a backdoor for hackers, downloads the mass-mailer code and attempts to launch a denial-of-service attack that targets security giant Symantec's Web site, the Finnish antivirus specialist said.
The malicious code is also known as Breatle and Reatle at other antivirus companies.
"This virus claims to be 'Breatle AntiVirus v1.0,' and it spreads over both e-mail and network vulnerabilities," F-Secure said.
The network-worm part of Lebreat exploits a known Windows flaw in a component called the Local Security Authority Subsystem Service, the security company said. The LSASS vulnerability was also used by the Sasser worm, F-Secure said in its advisory. Microsoft issued a patch for the LSASS flaw last year.
Lebreat is also a mass-mailer, which means it travels as an attachment in an e-mail message.
Once installed, Lebreat harvests e-mail addresses from the compromised PC and starts sending itself to those addresses.
It also begins scanning the Internet for computers vulnerable to the LSASS flaw. On the PC, it installs the backdoor and attempts to tweak Windows settings to disable security features such as system restore and automatic updates, but fails to do so, F-Secure said.
As is common with e-mail worms, Lebreat uses a number of subject lines, message body texts and names for the attachment, F-Secure said. One example of a body text is: "Your credit card was charged for $500 USD. For additional information see the attachment." The sender address is also faked.
Shortly after the first version of Lebreat appeared, two variants were detected, F-Secure said. The mutations have largely the same payload. F-Secure ranks Lebreat as a "Level 2" threat, which means it is causing large infections, according to a notice on the F-Secure Web site.
MessageLabs had stopped 5,636 copies of e-mail messages containing Lebreat by late morning on Friday, a company representative said. The e-mail security specialist classifies it as a "medium outbreak."
Symantec has also detected the worm, but has not seen it spread widely, said Dave Cole, a director of product management at Symantec Security Response. Cole confirmed that the worm attempts to launch a distributed denial-of-service attack against the Symantec Web site, but the company is not worried about it. "We don't expect this to create problems," he said.
To protect against Lebreat, as with other threats, users should be cautious when opening e-mail attachments, apply security patches and run up-to-date antivirus software, security companies advised.
Source: C-Net News