When a variant of Win32/Reatle runs, it may perform the following actions:
- Drops itself into the %windir% and %windir%\system32 folders, using file names such as:
windows.exe
system23.exe
winhost.exe
mcafee.exe
beagle.exe
attach.tmp
xface.tmp
winhost.tmp
update3.exe
bxt.com
xb12.dat
- Drops itself into "%ProgramFiles%\common files\microsoft share", using file names such as:
winamp 6 new!.exe
microsoft office 2003 crack, working!.exe
microsoft office xp working crack, keygen.exe
microsoft windows xp, winxp crack, working keygen.exe
windows sourcecode update.doc
ahead nero 7.exe
porno, sex, oral, anal cool, awesome!!.exe
e images.exe
kaspersky antivirus 5.0.exe
porno pics arhive, xxx.exe
- Adds itself to the autostart programs by setting registry values such as:
Set "WIN" = "<system folder>\windows.exe", under key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Set "System" = "<system folder>\system23.exe", under key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Set "PNP" = "<system folder>\wuaaclt.exe", under key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
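The Run values above are the quickest thing to check on a host suspected of running this worm. The following Python script is an added example, not code from this page or from the publisher of the description: it parses a text export of the Run keys in .reg format, extracts the image path from each command line (quoted or bare) and flags entries whose executable name matches the drop names listed on this page. The .reg content, the benign "ExampleTool" entry and the helper names (parse_reg, image_path, find_suspicious_autostarts) are constructed for the example; including the HKCU Run/RunOnce keys alongside the HKLM ones the page names is an assumption.

```python
import re

# Autostart keys to inspect. The page only names HKLM\...\Run; the RunOnce
# and HKCU variants are added here as an assumption (all four keys exist).
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}
RUN_KEYS_LOWER = {k.lower() for k in RUN_KEYS}

# Executable names taken from the drop and autostart entries on this page.
KNOWN_IMAGES = {"windows.exe", "system23.exe", "wuaaclt.exe", "winhost.exe",
                "mcafee.exe", "beagle.exe", "update3.exe", "bxt.com"}

# Constructed .reg export for the example (not captured from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WIN"="C:\\WINDOWS\\system32\\windows.exe"
"System"="C:\\WINDOWS\\system32\\system23.exe"
"ExampleTool"="\"C:\\Program Files\\Example\\tool.exe\" /tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\temp\\cleanup.bat"
'''

# A REG_SZ value line: "name"="data", with \" and \\ escapes inside.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, string_data) for every REG_SZ value in a .reg export.
    Non-string values (dword:, hex:) do not match VALUE_RE and are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))


def image_path(data):
    """Return the executable path from a Run command line: the quoted part if the
    command starts with a quote, otherwise the first whitespace-separated token."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0] if data else ""


def find_suspicious_autostarts(text, known=KNOWN_IMAGES):
    """Return (key, value_name, path) for Run entries whose image name is known."""
    hits = []
    for key, name, data in parse_reg(text):
        if key.lower() not in RUN_KEYS_LOWER:
            continue
        path = image_path(data)
        if path.rsplit("\\", 1)[-1].lower() in known:
            hits.append((key, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in find_suspicious_autostarts(SAMPLE_REG):
        print(f"{key}\\{name} -> {path}")
```

On a live system the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; note that reg.exe writes the file as UTF-16, so read it with that encoding before passing the text in. Matching on the image name is deliberately narrow; a broader triage would also list every Run value that points into %windir% or %windir%\system32 and was not there in a known-good baseline.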
- Opens and listens on TCP ports for incoming FTP connections, such as:
8885
8190
3351
2005
1155
9112
9958
9955
It then tries to send itself to the connecting client via a normal FTP transfer.
- Downloads and executes files from the Internet, such as:
http://j0r.biz/update3.exe
http://j0r.biz/proto.com
- Creates a mutex, such as "Breatle AntiVirus v1.0"
- Attempts to disable System Restore, security programs, Windows Firewall, Auto Update, Task Manager and Registry Editor by deleting registry keys and values such as:
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\Symantec.
Deletes value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symatec.
- Searches for E-mail addresses in files with the following extensions:
*.asp
*.txt
*.adb
*.tbb
*.dbx
*.html
*.wab
*.htm
Writes the harvested E-mail addresses to a file under %windir%\system32, such as:
xzy6.tmp
xzip.tmp
Sends mail to the harvested addresses using spoofed sender addresses built from the following names (before the @ sign):
support
admin
alex
david
bob
dan
brent
brenda
fred
ted
tom
leo
linda
paul
ray
mike
mary
john
jon
joe
josh
jerry
jack
jane
matt
robert
helen
michael
root
steve
sales
alerts
adam
combined with spoofed sender domains such as:
@nai.com
@gmail.com
@trendmicro.com
@support.com
@matrix.com
@aol.com
@ca.com
@mcafee.com
@arcor.com
@antivirus.com
@google.com
@hotmail.com
@yahoo.com
@microsoft.com
@msn.com
@symantec.com
and with E-mail subjects such as:
- Message could not be delivered
- Bug
- Error
- Email
- Mail Delivery System
- Importnat Information
- **WARNING** Your Account Currently Disabled.
- Password
- info
- Hello
- Hi
- Re: Your file
- Your file!!
- Fw: Warning
- Fw: Message
- Warning
- Re: Warning
- Re: Well!
- Re: Good!
- Thank you!
- Thanks!
- Document
- Message
- Fax Message
- Protected message
- Notification
- Fw: Informartion
- Fw: Document
- Re: Text message
- Re: Hello
- Re: Thanks
- Re: Document
- Encrypted document
- Re: Hi
- My photos
- Hi! :-)
- Price
- Hello!
- The Account
- Your Account
- Well..
- Accounts department
- The E-mail message body may be one of the following:
- Here take your credit card information in the attached file.
Bye :)
- your file!!
- Pay attention at the attach.
- Message is in attach.
- Check attached file.
- Check attached file for details.
- Attached file tells everything.
- Attach tells everything.
- Read the attach.
- Looking forward for a response.
- Your account has been blocked for more information read the attachment file.
- (empty body)
- Everything inside the attach.
- Your credit card was charged for $500 USD. For additional information see the attachment.
- Binary message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- Here are your banks documents
- The original message was included as an attachment.
- We have temporarily suspended your email account checkout the attachment for more info.
- You have successfully updated the password of your domain account checkout the attachment for more info.
- Important Notification checkout the attachment for more info.
- Your Account Suspended checkout the document.
- Your password has been updated checkout the document. checkout the attachment.
- Hello, I was in a hurry and I forgot to attach an important document. Please see attached.
- The E-mail carries an attachment with a name such as:
account-report.exe
payment.doc .scr
about.doc .bat
help.doc .exe
about.cpl
archive.cpl
about.scr
archive.exe
box.bat
inbox.cpl
box.scr
inbox.exe
docs.cpl
admin.bat
docs.scr
read.cpl
readme.cpl
read.exe
readme.scr
data.scr
file.cpl
data.bat
document.cpl
doc.pif
document.exe
order.cpl
order.exe
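Every attachment name above ends in an extension Windows executes, and several of them pad a document-looking extension with spaces so that the real extension is pushed out of view in a mail client's attachment column. The following Python is an added example of a mail-gateway style check, not code from this page or from the publisher of the description: it collapses the whitespace padding, detects the decoy-plus-executable double extension, and returns a verdict with reasons. The extensions in DECOY_EXT beyond ".doc", the sample names and the function names are constructed for the example.

```python
import re

# Extensions Windows executes directly; each one appears in the names listed on
# this page (.com appears among the dropped files).
EXEC_EXT = {".exe", ".scr", ".cpl", ".bat", ".pif", ".com"}

# Document-looking extensions used as the decoy part. ".doc" is from the page;
# the others are a constructed extension of the same idea.
DECOY_EXT = {".doc", ".txt", ".pdf", ".htm", ".html", ".xls"}

# Constructed sample names: three shaped like the page's list, two benign.
SAMPLE_NAMES = ["payment.doc .scr", "about.doc .bat", "readme.cpl",
                "quarterly-report.doc", "my notes.txt"]


def normalize_name(name):
    """Remove all whitespace so 'payment.doc .scr' becomes 'payment.doc.scr'."""
    return re.sub(r"\s+", "", name.strip())


def classify_attachment(name):
    """Classify one attachment file name. Returns a dict with the normalized
    name, a verdict of 'block' or 'allow', and the reasons for blocking."""
    norm = normalize_name(name)
    parts = norm.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    reasons = []
    if ext in EXEC_EXT:
        reasons.append("executable extension " + ext)
        if inner in DECOY_EXT:
            reasons.append("decoy document extension " + inner + " before it")
        if re.search(r"\s", name.strip()):
            # Spaces inside a benign name are normal; only flag them when they
            # sit in front of an executable extension.
            reasons.append("whitespace padding inside the name")
    return {"name": name, "normalized": norm,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


def filter_attachments(names):
    """Return the classification records for every name that should be blocked."""
    return [r for r in map(classify_attachment, names) if r["verdict"] == "block"]


if __name__ == "__main__":
    for rec in map(classify_attachment, SAMPLE_NAMES):
        print(f"{rec['verdict']:5} {rec['name']!r:28} {'; '.join(rec['reasons'])}")
```

The check is on the file name only; a gateway that also looks at content (an MZ header inside something named .doc) catches the cases where the name is honest but the content is not, and the two checks complement each other.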
- Skips recipient addresses whose domain contains any of the following strings when it sends E-mail:
f-secure
trendmicro
panda
ntivi
Mcafee
symantec
sopho
secunia
microsoft
norton
- Sends random packets to www.symantec.com.
- Attempts to connect to random IP addresses on port 445 to exploit the MS04-011 vulnerability.
- Blocks access to the following websites by causing their names to resolve to 127.0.0.1:
download.mcafee.com
www.my-etrust.com
ca.com
www.ca.com
pandasoftware.com
www.nai.com
kaspersky.com
www.f-secure.com
www.kaspersky.com
www.sophos.com
mcafee.com
sophos.com
www.mcafee.com
symantec.com
www.pandasoftware.com
www.trendmicro.com
trendmicro.com
f-secure.com
liveupdate.symantec.com
us.mcafee.com
www.symantec.com
www.sarc.com
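The redirection to 127.0.0.1 is what keeps an infected machine from reaching vendor update and removal-tool sites, so cleanup has to include the name-to-address mapping. The following Python is an added example, not code from this page or from the publisher of the description: it parses hosts-file entries (comments, tabs, several names per line), reports every line that maps one of the vendor hosts listed above, or a subdomain of one, to a loopback address, and produces a cleaned copy that leaves legitimate entries untouched. The sample hosts content and the function names are constructed for the example.

```python
import ipaddress

# The vendor hosts this page lists as redirected to 127.0.0.1.
VENDOR_HOSTS = {
    "download.mcafee.com", "www.my-etrust.com", "ca.com", "www.ca.com",
    "pandasoftware.com", "www.nai.com", "kaspersky.com", "www.f-secure.com",
    "www.kaspersky.com", "www.sophos.com", "mcafee.com", "sophos.com",
    "www.mcafee.com", "symantec.com", "www.pandasoftware.com",
    "www.trendmicro.com", "trendmicro.com", "f-secure.com",
    "liveupdate.symantec.com", "us.mcafee.com", "www.symantec.com",
    "www.sarc.com",
}

# Constructed hosts file content (not taken from a real machine). It mixes the
# stock localhost line, a legitimate internal entry and hijacked vendor names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      intranet.example.test
127.0.0.1 www.symantec.com
127.0.0.1\tliveupdate.symantec.com  download.mcafee.com
127.0.0.1 www.sarc.com
"""


def parse_hosts_line(raw):
    """Return (ip_address, [hostnames]) for an entry line, or None for blank,
    comment-only or malformed lines. A trailing '# comment' is dropped."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return ip, [h.lower() for h in fields[1:]]


def is_watched(host, watchlist=VENDOR_HOSTS):
    """True if host is a listed vendor name or a subdomain of one."""
    return host in watchlist or any(host.endswith("." + w) for w in watchlist)


def find_hijacked(text, watchlist=VENDOR_HOSTS):
    """Return (line_number, hostname) for every watched name mapped to loopback."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_hosts_line(raw)
        if entry is None:
            continue
        ip, names = entry
        if ip.is_loopback:
            hits.extend((lineno, n) for n in names if is_watched(n, watchlist))
    return hits


def clean_hosts(text, watchlist=VENDOR_HOSTS):
    """Return the hosts text with hijacked names removed. Lines that lose all
    their names are dropped; untouched lines are copied through verbatim."""
    out = []
    for raw in text.splitlines():
        entry = parse_hosts_line(raw)
        if entry is None or not entry[0].is_loopback:
            out.append(raw)
            continue
        ip, names = entry
        keep = [n for n in names if not is_watched(n, watchlist)]
        if keep == names:
            out.append(raw)
        elif keep:
            out.append(f"{ip} {' '.join(keep)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, host in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> loopback")
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows the file to read is %windir%\system32\drivers\etc\hosts; run find_hijacked on its contents first and only write the cleaned text back once the dropped executables and Run values have also been dealt with, since the worm will otherwise re-add the entries.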