Threat behavior
When Win32/Reatle.A@mm runs, it checks for the presence of a mutex named "Breatle AntiVirus v1.0". If the mutex exists, the worm exits. Otherwise, the worm takes the following actions:
- Creates mutex "Breatle AntiVirus v1.0".
- Creates copies of itself named attach.tmp and windows.exe in the Windows <system> folder, with the attributes of those files set to Hidden and System. The default <system> folder for Windows XP is C:\Windows\System32; for Windows NT/2000, the default system folder is C:\WinNT\System32; and for Windows 95/98/ME, the default system folder is C:\Windows\System.
- Modifies the registry to cause itself to run automatically each time Windows starts:
  Sets value: WIN
  with data: <system>\windows.exe
  in registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Modifies settings in the registry in an attempt to disable certain security-related settings. These modifications are not always successful. When successful, they may prevent access to the Registry Editor, Task Manager, and other system tools.
- Attempts to delete values in the registry related to Symantec software.
- Starts an FTP server on TCP port 8885.
- Performs the following actions if the host computer is connected to the Internet:
  - Attempts a denial of service (DoS) attack against http://www.symantec.com.
  - Attempts to spread to randomly selected IP addresses by exploiting the Windows Local Security Authority Subsystem Service (LSASS) vulnerability described in Microsoft Security Bulletin MS04-011 and transferring a copy of itself to the exploited computer using FTP.
  - Downloads a file from a URL specified in the worm file, saves the downloaded file as %windir%\update3.exe, and runs the file.
  - Searches for e-mail addresses in files with certain extensions, and saves those addresses in %windir%\xzy6.tmp.
  - Attempts to spread by sending a copy of itself as an e-mail attachment to the e-mail addresses it finds on the host computer, avoiding addresses that contain certain strings. The worm uses its own SMTP client, so the e-mails it sends do not appear in the "Sent" folder of the user's default e-mail client. The worm spoofs the sender address by randomly selecting and concatenating a user name (such as "brenda") and a domain name (such as "microsoft.com") from a fixed list in the worm file. The subject line, message body, and attachment name are also randomly selected from lists in the worm file. The possible domains for the spoofed sender are as follows: antivirus.com, aol.com, arcor.com, ca.com, gmail.com, google.com, hotmail.com, matrix.com, mcafee.com, microsoft.com, msn.com, nai.com, support.com, symantec.com, trendmicro.com, yahoo.com. Following are two examples of e-mails that might be sent by Win32/Reatle.A@mm:
From: sales@matrix.com
Subject: Importnat Information
Message body:
Your credit card was charged for $500 USD. For additional information see the attachment.
Attachment: payment.doc<empty spaces>.scr
(Note: The word "Important" may be misspelled in the subject line of the e-mail, as shown in this example.)
From: admin@hotmail.com
Subject: **WARNING** Your Account Currently Disabled.
Message body:
We have temporarily suspended your email account checkout the attachment for more info.
Attachment: read.exe
The message body of an e-mail sent by the worm may also be any of the following:
"Hello. I was in a hurry and I forgot to attach an important document. Please see attached."
"checkout the attachment."
"Your password has been updated checkout the document."
"Your Account Suspended checkout the document."
"Important Notification checkout the attachment for more info."
"You have successfully updated the password of your domain account checkout the attachment for more info."
"The original message was included as an attachment."
"Here are your banks documents "
"The message contains Unicode characters and has been sent as a binary attachment."
"Binary message is available."
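The attachment name in the first example (a decoy .doc extension, a long run of spaces, then the real .scr extension) and the lure phrases listed above are the parts of these e-mails that a mail gateway can check for. The Python script below is an added example, not code from Microsoft or from the worm description: it parses a message, flags whitespace-padded double extensions that end in an executable type, matches the sender domain against the spoof list above and the subject and body against the quoted lure phrases, and calls a message Reatle-like only when an executable attachment is present. The two sample messages are constructed, and the executable-extension set, the padding regex and the verdict thresholds are this example's own assumptions.

```python
"""Score an e-mail against the Win32/Reatle.A@mm lure pattern described above."""
import re
from email import message_from_string

# Sender domains the worm draws from when spoofing the From: address.
SPOOFED_SENDER_DOMAINS = {
    "antivirus.com", "aol.com", "arcor.com", "ca.com", "gmail.com", "google.com",
    "hotmail.com", "matrix.com", "mcafee.com", "microsoft.com", "msn.com", "nai.com",
    "support.com", "symantec.com", "trendmicro.com", "yahoo.com",
}
# Fragments of the subject lines and message bodies quoted above, lower-cased.
LURE_TEXT = (
    "checkout the attachment", "checkout the document", "your credit card was charged",
    "i was in a hurry and i forgot to attach", "your account currently disabled",
    "temporarily suspended your email account", "here are your banks documents",
    "the original message was included as an attachment",
    "has been sent as a binary attachment", "binary message is available",
)
EXECUTABLE_EXTENSIONS = {"scr", "exe", "pif", "com", "bat", "cmd"}   # assumed set
# "payment.doc<many spaces>.scr": a decoy extension, a run of whitespace that pushes
# the real extension out of view in the mail client, then the executable extension.
PADDED_DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{2,4})\s{2,}\.([A-Za-z0-9]{2,4})$")


def attachment_findings(filename):
    """Return the attachment-name indicators present in one filename."""
    findings = []
    m = PADDED_DOUBLE_EXT.search(filename)
    if m and m.group(2).lower() in EXECUTABLE_EXTENSIONS:
        findings.append(f"padded double extension .{m.group(1)} ... .{m.group(2)}")
    ext = filename.rsplit(".", 1)[-1].strip().lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment (.{ext})")
    return findings


def score_message(raw):
    """Parse a raw RFC 822 message; return {"verdict": ..., "findings": [...]}."""
    msg = message_from_string(raw)
    findings = []
    sender = msg.get("From", "")
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower() if "@" in sender else ""
    if domain in SPOOFED_SENDER_DOMAINS:
        findings.append(f"sender domain {domain} is on the worm's spoof list")
    bodies = []
    for part in msg.walk():
        filename = part.get_filename()          # keeps the inner run of spaces
        if filename:
            findings += [f"{filename!r}: {ind}" for ind in attachment_findings(filename)]
        elif part.get_content_type() == "text/plain":
            bodies.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = (msg.get("Subject", "") + "\n" + "\n".join(bodies)).lower()
    lure_hits = [frag for frag in LURE_TEXT if frag in text]
    if lure_hits:
        findings.append("lure text: " + "; ".join(lure_hits))
    # Require an executable attachment before calling it Reatle-like: the spoofed
    # sender domains and the lure phrases also turn up in legitimate mail.
    has_exec = any("executable attachment" in f for f in findings)
    if has_exec and (lure_hits or domain in SPOOFED_SENDER_DOMAINS):
        verdict = "reatle-like"
    elif has_exec:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages modelled on the first example above (not real captures).
SAMPLE_LURE = """\
From: sales@matrix.com
To: victim@example.org
Subject: Importnat Information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your credit card was charged for $500 USD. For additional information see the attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="payment.doc                         .scr"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""
SAMPLE_CLEAN = """\
From: alice@example.com
To: victim@example.org
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached is the report we discussed on Monday.
--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="q3-report.pdf"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        result = score_message(raw)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

The padded-extension check matters on its own: a client that truncates long filenames shows only "payment.doc", so a rule that keys purely on the visible name misses it. The spoofed-domain and lure-phrase matches are kept as corroborating evidence rather than blocking conditions, because legitimate mail from those domains and with those phrases is common.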
Win32/Reatle.A@mm is detected by Microsoft as Win32/Reatle.A@mm!CME-875.
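Taken together, the mutex name, the dropped files and their attributes, the Run value, and the FTP listener on TCP port 8885 give an incident responder a host-level checklist for this worm. The script below is an added example, not a Microsoft tool: it evaluates those indicators over a snapshot dictionary, so the checks can be run on constructed data anywhere; on a Windows host, collect_live() fills the same snapshot from the kernel32 mutex namespace, the Run key, the file system and `netstat -ano`. It assumes the `netstat -ano` column layout shown in the constructed data and the Windows XP default system folder; the PIDs, paths and attribute values in the sample snapshot are made up.

```python
"""Triage a Windows host for the Win32/Reatle.A@mm indicators listed above."""
import os
import re
import sys

MUTEX_NAME = "Breatle AntiVirus v1.0"
SYSTEM_DROPS = ("attach.tmp", "windows.exe")   # copies in the <system> folder
WINDIR_DROPS = ("update3.exe", "xzy6.tmp")     # downloaded payload, harvested addresses
RUN_VALUE_NAME = "WIN"
FTP_PORT = 8885
FILE_ATTRIBUTE_HIDDEN = 0x02                   # Win32 file attribute bits
FILE_ATTRIBUTE_SYSTEM = 0x04
# One line of `netstat -ano` output (assumed layout): proto, local, foreign, state, PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)


def run_key_findings(run_values):
    """run_values: {value name: data} read from HKLM\\...\\CurrentVersion\\Run."""
    return [f'Run value "{name}" -> {data}' for name, data in run_values.items()
            if name.upper() == RUN_VALUE_NAME
            and data.strip('"').lower().endswith("windows.exe")]


def file_findings(files):
    """files: {path: attribute bits} for files that exist (os.stat().st_file_attributes)."""
    mask = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    hits = []
    for path, attrs in files.items():
        name = os.path.basename(path.replace("\\", "/")).lower()
        if name in SYSTEM_DROPS:
            flags = " (Hidden+System)" if (attrs & mask) == mask else ""
            hits.append(f"{path} present{flags}")
        elif name in WINDIR_DROPS:
            hits.append(f"{path} present")
    return hits


def listener_findings(netstat_output):
    """Flag a listener on the worm's FTP port in `netstat -ano` text."""
    hits = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) == FTP_PORT:
            hits.append(f"TCP port {FTP_PORT} LISTENING, PID {m.group(2)}")
    return hits


def triage(snapshot):
    """Run every check over one snapshot dict (keys as built by collect_live)."""
    findings = []
    if snapshot.get("mutex_present"):
        # The worm exits when the mutex already exists, so the name being held means
        # either a running worm or a vaccine tool; either way it deserves a look.
        findings.append(f'mutex "{MUTEX_NAME}" exists')
    findings += run_key_findings(snapshot.get("run_values", {}))
    findings += file_findings(snapshot.get("files", {}))
    findings += listener_findings(snapshot.get("netstat", ""))
    return findings


def collect_live():
    """Build the snapshot from a live Windows host; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import ctypes, subprocess, winreg
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(0x00100000, False, MUTEX_NAME)      # SYNCHRONIZE access
    snap = {"mutex_present": bool(handle), "run_values": {}, "files": {}}
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            snap["run_values"][name] = str(data)
    windir = os.environ["SystemRoot"]
    paths = [os.path.join(windir, "System32", f) for f in SYSTEM_DROPS]
    paths += [os.path.join(windir, f) for f in WINDIR_DROPS]
    for path in paths:
        if os.path.exists(path):
            snap["files"][path] = os.stat(path).st_file_attributes
    snap["netstat"] = subprocess.run(["netstat", "-ano"], capture_output=True,
                                     text=True).stdout
    return snap


# Constructed snapshot of an infected XP host (not taken from a real machine).
INFECTED_SNAPSHOT = {
    "mutex_present": True,
    "run_values": {"WIN": r"C:\Windows\System32\windows.exe",
                   "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"},
    "files": {r"C:\Windows\System32\attach.tmp": 0x26,    # ARCHIVE|SYSTEM|HIDDEN
              r"C:\Windows\System32\windows.exe": 0x26,
              r"C:\Windows\xzy6.tmp": 0x20},
    "netstat": ("  Proto  Local Address    Foreign Address  State      PID\n"
                "  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING  912\n"
                "  TCP    0.0.0.0:8885     0.0.0.0:0        LISTENING  1644\n"),
}

if __name__ == "__main__":
    for finding in triage(collect_live() or INFECTED_SNAPSHOT):
        print(finding)
```

The pure check functions take the snapshot rather than touching the system directly, which is what makes them testable off the host; the PID reported for the 8885 listener is the process to capture before cleanup. Because the worm exits when the mutex already exists, a mutex hit cannot by itself distinguish an infection from a vaccine tool that holds the name, so treat it as a reason to run the other checks, not as a verdict.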
Prevention
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall. A host firewall that blocks unsolicited inbound connections cuts off the two network paths this worm uses to spread between computers: the LSASS exploit (MS04-011) and the FTP server it opens on TCP port 8885.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. For this worm, the relevant update is the one described in Microsoft Security Bulletin MS04-011; a computer with that update installed cannot be infected through the LSASS exploit, although it can still be infected by a user opening the e-mail attachment. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.