W32/Reatle@MM Worms - Medium Risk by F-Secure


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:01:31 PM

Posted 15 July 2005 - 11:25 AM

This new emailer/downloader/network worm is sophisticated and starting to spread. F-Secure ranks it as Medium Risk currently.

W32/Reatle@MM Worms - Medium Risk by F-Secure
http://www.f-secure.com/v-descs/lebreat.shtml
http://vil.nai.com/vil/content/v_134885.htm

This detection is for several variants of a mass-mailing worm written in MSVC, and packed with MEW. The worm bears the following characteristics:

1. Contains its own SMTP engine for mailing itself; outgoing messages have a spoofed From: address

2. Attempts to propagate to remote machines via two old exploits:

MS03-026 - DCom RPC

MS04-011 - LSASS

3. Attempts to download 2 other binaries. At the time of writing these are detected as W32/Generic.m and W32/Sdbot.worm.gen.bj with the specified DATs. The worm attempts to download a binary via a URL hardcoded in its body.

4. In addition the worm opens a backdoor on TCP port 8885.

5. Administrators should block access to the following domain ... Please do not go to this malicious site:

h t t p : / / j 0 r . b i z


6. Attachment names in the EMAIL message

The attachment is a copy of the worm, with one of the following filenames:

account-report.exe
payment.doc (many spaces) .scr
about.doc (many spaces) .bat
help.doc (many spaces) .exe
about.cpl
archive.cpl
about.scr
archive.exe
box.bat
inbox.cpl
box.scr
inbox.exe
docs.cpl
admin.bat
docs.scr
read.cpl
readme.cpl
read.exe
readme.scr
data.scr
file.cpl
data.bat
document.cpl
doc.pif
document.exe
order.cpl
order.exe
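As an added example that is not part of the original post or of F-Secure's or McAfee's write-ups, the following Python mail-gateway check flags attachments that match the filenames listed above and, more generally, any name using the "decoy extension, run of spaces, real executable extension" trick that the `payment.doc (many spaces) .scr` entries describe. The function names and the test filenames are assumptions constructed for the example.

```python
import re

# Attachment names listed in the advisory above (the "(many spaces)" entries are
# covered by the pattern below rather than by literal names).
KNOWN_NAMES = {
    "account-report.exe", "about.cpl", "archive.cpl", "about.scr", "archive.exe",
    "box.bat", "inbox.cpl", "box.scr", "inbox.exe", "docs.cpl", "admin.bat",
    "docs.scr", "read.cpl", "readme.cpl", "read.exe", "readme.scr", "data.scr",
    "file.cpl", "data.bat", "document.cpl", "doc.pif", "document.exe",
    "order.cpl", "order.exe",
}

# Extensions Windows will execute, as used by the attachment names in the post.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cpl", "pif"}

# "payment.doc<many spaces>.scr": a harmless-looking decoy extension, a run of
# whitespace that pushes the real extension out of view in a mail client, then
# an executable extension. Assumed pattern; the post only describes the shape.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<base>[^.\s]+)\.(?P<decoy>\w+)\s+\.(?P<real>\w+)$", re.IGNORECASE
)


def classify_attachment(name: str) -> str:
    """Return 'known', 'padded-double-extension' or 'clean' for one filename."""
    if name.lower() in KNOWN_NAMES:
        return "known"
    match = PADDED_DOUBLE_EXT.match(name)
    if match and match.group("real").lower() in EXECUTABLE_EXTS:
        return "padded-double-extension"
    return "clean"


def scan_attachments(names):
    """Map each attachment name to its verdict; anything not 'clean' is quarantined."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    # Constructed sample attachment names for the demonstration.
    sample = ["readme.scr", "payment.doc" + " " * 40 + ".scr", "quarterly.doc"]
    for filename, verdict in scan_attachments(sample).items():
        print(f"{verdict:25} {filename.strip()!r}")
```

The padded-extension check is case-insensitive and deliberately ignores how many spaces are used, so it also catches variants that change the decoy name but keep the trick.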


