[email protected]

Aliases: CME-875, Win32.Reatle.A, Lebreat, Net-Worm.Win32.Lebreat.gen, W32/[email protected], W32/Lebreat-A
Variants: [email protected], [email protected], [email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 15 Jul 2005
Damage: Medium

Characteristics: The worm is a mass-mailer and a network worm. Shortly after the first version, 2 more variants appeared. The worm also has a backdoor, a Trojan downloader and DoS (Denial of Service) attack capabilities. It is a slow infector, but inflicts medium damage on the infected computer.

More details about the worm

When the worm is executed, it copies itself as the following files: ccapp.exe, Windows.exe, and attach.tmp. It modifies the registry to ensure that it loads at every startup. It also modifies the registry to disable several Windows security features, System Restore, Task Manager, and Registry Tools. It gathers email addresses from files with the following extensions: .asp, .txt, .adb, .tbb, .dbx, .html, .htm, and .wab, and stores them in the file xzy6.tmp. The worm uses its own SMTP engine to send itself to the email addresses that it finds. It opens an FTP server on TCP port 8885 and attempts to connect to a random range of IP addresses on TCP port 445. If a connection succeeds, it downloads itself onto the newly infected computer.
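The indicators in the paragraph above (dropped file names, the listener on TCP port 8885, and the fan-out to many addresses on TCP port 445) can be correlated per host for triage. The following is an added example, not part of the original entry; the record format, host names, sample paths, and the fan-out threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Indicators stated in the description above.
DROPPED_FILES = {"ccapp.exe", "windows.exe", "attach.tmp", "xzy6.tmp"}
FTP_PORT = 8885        # FTP server the worm opens
SMB_PORT = 445         # port it probes on random IP addresses
FANOUT_THRESHOLD = 20  # assumption: distinct 445 targets treated as scanning

def triage(lines, threshold=FANOUT_THRESHOLD):
    """Return {host: [indicator, ...]} for hosts with two or more indicator types."""
    files, listens, smb = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in lines:
        host, kind, value = line.split(None, 2)  # value may contain spaces
        if kind == "FILE":
            name = value.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
            if name in DROPPED_FILES:
                files[host].add(name)
        elif kind == "LISTEN":
            listens[host].add(int(value))
        elif kind == "CONNECT":
            ip, port = value.strip().rsplit(":", 1)
            if int(port) == SMB_PORT:
                smb[host].add(ip)
    report = {}
    for host in sorted(set(files) | set(listens) | set(smb)):
        hits = []
        if files[host]:
            hits.append("files:" + ",".join(sorted(files[host])))
        if FTP_PORT in listens[host]:
            hits.append(f"listen:{FTP_PORT}")
        if len(smb[host]) >= threshold:
            hits.append(f"smb-fanout:{len(smb[host])}")
        if len(hits) >= 2:  # one match alone (e.g. a file name) is weak evidence
            report[host] = hits
    return report

# Constructed inventory and connection records: "<host> <FILE|LISTEN|CONNECT> <value>"
SAMPLE = [
    r"ws01 FILE C:\sample dir\ccapp.exe",
    r"ws01 FILE C:\sample dir\xzy6.tmp",
    "ws01 LISTEN 8885",
    *[f"ws01 CONNECT 198.51.100.{i}:445" for i in range(1, 26)],
    r"ws02 FILE C:\sample dir\Windows.exe",  # file name only: not reported
    "fs01 CONNECT 198.51.100.5:445",         # single SMB connection: normal
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, hits)
```

Requiring two indicator types keeps a lone file-name match or a single SMB connection from flagging a host.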

The worm's backdoor connects to a remote server. This server is commonly hard-coded in the program and may be specified using a web or IP address. The backdoor software then waits for commands to execute on the infected system. This program can manipulate the files on the system, including both data and system files: they can be edited, moved, or deleted. Installed programs can be launched or closed without the user's consent. The CD drives may open and close unexpectedly. Other malware applications can be added to the system, including adware, spyware, and Trojan software.