Lebreat/Reatle worm

A new worm called as Lebreat is propagating in the wild. This worm is identified as W32/Lebreat.A@mm by F-Secure. This is a mass-mailer and a network worm. Shortly after the initial version, more variants have been reported. The worm also has a backdoor, a trojan downloader and DoS (Denial of Service) attack capabilities.

This worm has aliases as Net-Worm.Win32.Lebreat.gen [Kaspersky Lab], W32/Reatle.gen@MM [McAfee], W32/Lebreat.C.worm [Panda], W32/Lebreat-C [Sophos], WORM_REATLE.C [Trend Micro] and W32.Reatle@mm [Symantec].

W32.Reatle.C@mm is the latest variant of W32.Reatle@mm, and is a mass-mailing worm that opens a back door and attempts to spread by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (mentioned in CERT-In Advisory CIAD-2004-10 and Microsoft Security Bulletin MS04-011) on TCP port 445.

Symantec has released a removal tool for this worm.

Users are advised to update their Antivirus software to mitigate the risk. For further details and instructions regarding disinfection refer to following URLs:

• http://www.f-secure.com/v-descs/lebreat.shtml
• http://securityresponse.symantec.com/avcenter/venc/data/
  w32.reatle.c@mm.html
• http://securityresponse.symantec.com/avcenter/venc/data/
  w32.reatle@mm.removal.tool.html
• http://vil.nai.com/vil/content/v_134885.htm
• http://www.sophos.com/virusinfo/analyses/w32lebreata.html
• http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?
  VName=WORM%5FREATLE%2EC&VSect=P
• http://www.viruslist.com/en/viruses/encyclopedia?virusid=88240

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003