

WINDOWS.EXE PROCESS INFORMATION

Process Name : Windows.exe

Process Path : %SYSTEM%\windows.exe [ C:\Windows\System32\windows.exe ]

Process type : Internet Worm

Malware Name : W32.Reatle@mm

Alias : W32/Lebreat.A, Net-Worm.Win32.Lebreat.gen, WORM_REATLE.A, WORM_REATLE.C, I-Worm/Libreat.Gen

Threat level : Low

Process Details :

                     Windows.exe is dropped by the Reatle worm. W32.Reatle@mm is a mass-mailing and network worm: it spreads through e-mail attachments and by exploiting the LSASS remote code execution vulnerability described in Microsoft Security Bulletin MS04-011.

The infected mail subject will be one of the following

Bug
Error
Email
Mail Delivery System
Importnat Information
**WARNING** Your Account Currently Disabled.
Password
info
Hello
Message could not be delivered

The infected mail message body will be one of the following

Binary message is available.

Here are your banks documents

Important Notification checkout the attachment for more info.

The message contains Unicode characters and has been sent as a binary attachment.

The original message was included as an attachment.

We have temporarily suspended your email account checkout the attachment for more info.

You have successfully updated the password of your domain account checkout the attachment for more info.

Your Account Suspended checkout the document.

Your credit card was charged for $500 USD. For additional information see the attachment.

Your password has been updated checkout the document.

checkout the attachment.

Hello, I was in a hurry and I forgot to attach an important
document. Please see attached.

The infected mail attachment will be one of the following

about.cpl
about.doc.bat
about.scr
account-report.exe
admin.bat
archive.cpl
archive.exe
box.bat
box.scr
data.bat
data.scr
doc.pif
docs.cpl
docs.scr
document.cpl
document.exe
file.cpl
help.doc.exe
inbox.cpl
inbox.exe
order.cpl
order.exe
payment.doc.scr
read.cpl
read.exe
readme.cpl
readme.scr
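The subject and attachment lists above are directly usable as mail-gateway indicators. The following is an added example, not code from SRN Micro or the Solo product: it loads the lists from this page into a small triage routine that parses an RFC 822 message with Python's standard email library and reports which indicators match. It also flags any attachment with one of the executable extensions the worm uses (.exe, .scr, .pif, .bat, .cpl), since variants change file names more readily than file types. The three sample messages are constructed here for the demonstration.

```python
"""Triage e-mail for the W32.Reatle@mm indicators listed on this page.

Added example, not SRN Micro / Solo Antivirus code.  The subject and
attachment lists are copied from the write-up above; the sample
messages are constructed here for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

# Subjects the worm uses, lower-cased for comparison.  The misspelling
# "Importnat" is the worm's own and must be matched as written.
REATLE_SUBJECTS = {
    "bug", "error", "email", "mail delivery system", "importnat information",
    "**warning** your account currently disabled.", "password", "info",
    "hello", "message could not be delivered",
}

# Attachment names from the write-up.
REATLE_ATTACHMENTS = {
    "about.cpl", "about.doc.bat", "about.scr", "account-report.exe",
    "admin.bat", "archive.cpl", "archive.exe", "box.bat", "box.scr",
    "data.bat", "data.scr", "doc.pif", "docs.cpl", "docs.scr",
    "document.cpl", "document.exe", "file.cpl", "help.doc.exe",
    "inbox.cpl", "inbox.exe", "order.cpl", "order.exe", "payment.doc.scr",
    "read.cpl", "read.exe", "readme.cpl", "readme.scr",
}

# Every extension the listed attachments use.  An attachment with one of
# these is flagged even when its name is not on the list.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cpl")


def attachment_names(msg):
    """Return the file names of all MIME parts that carry a filename."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw_bytes):
    """Return the list of Reatle indicators found in one raw message.

    An empty list means nothing on this page's indicator lists was seen.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    reasons = []
    if subject in REATLE_SUBJECTS:
        reasons.append("subject matches a Reatle template: %r" % subject)
    for name in attachment_names(msg):
        lowered = name.lower()
        if lowered in REATLE_ATTACHMENTS:
            reasons.append("attachment name is on the Reatle list: " + name)
        elif lowered.endswith(EXEC_EXTENSIONS):
            reasons.append("executable attachment: " + name)
    return reasons


def build_sample(subject, body, filename, data=b"MZ\x90\x00"):
    """Construct a test message with one binary attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: one mimicking the worm's templates, one with a
# renamed executable attachment, one benign.
SAMPLES = {
    "reatle": build_sample("Mail Delivery System",
                           "The original message was included as an attachment.",
                           "inbox.cpl"),
    "renamed": build_sample("Invoice", "See attached.", "invoice.pdf.scr"),
    "benign": build_sample("Lunch", "Menu attached.", "menu.pdf",
                           data=b"%PDF-1.4"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw) or ["clean"])
```

Exact subject matching is deliberately strict so that the routine reports only what this page documents; a gateway rule would normally treat the executable-extension hit alone as sufficient reason to quarantine.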

The infected mail sample is given below

                     When the infected attachment is executed, the worm copies itself to the Windows System folder as ccapp.exe, Windows.exe and attach.tmp and keeps running in the background. W32.Reatle@mm then modifies the registry Run section so that it loads automatically at the next startup. The registry modifications are given below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Symantec" = "C:\WINNT\System32\ccapp.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"WIN" = "C:\WINNT\System32\windows.exe"

                     W32.Reatle@mm uses its own SMTP engine to send the infected mails. It also launches a DoS attack against a security-related web site, disables security features on the infected Windows system and downloads another worm onto it. The Reatle worm appeared on 15 July 2005.
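The two autorun entries listed above are the quickest way to confirm an infection without running a full scan. The following is an added example, not code from SRN Micro or the Solo product: it parses the text that the Windows command `reg export` writes for those keys and reports any value that either carries the value name the page reports (Symantec, WIN) or points at one of the dropped files (windows.exe, ccapp.exe), so it catches a variant that changes the value name but not the file. Working from an export rather than the live registry keeps it runnable on any platform; the dump below is constructed.

```python
"""Check a 'reg export' dump for the W32.Reatle@mm autorun entries above.

Added example, not SRN Micro / Solo Antivirus code.  It reads the text
written by, for example,
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
(and likewise for the Windows NT\CurrentVersion\Windows key); the dump
below is constructed for the demonstration.
"""

# Value names the write-up reports the worm creating, per key (lower-cased).
REATLE_AUTORUNS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": {"symantec"},
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows": {"win"},
}

# Files the worm drops into the System folder; an autorun value whose
# command names one of these is a hit regardless of the value name.
REATLE_FILES = {"windows.exe", "ccapp.exe"}


def parse_reg_export(text):
    """Parse the string values of a .reg (Regedit 5.00) export.

    Returns {key: {value_name: value_data}}.  Only REG_SZ values are kept,
    which is all an autorun check needs; dword/hex values are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, sep, data = line.partition("=")
            if sep and data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes; undo that.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name.strip('"')] = data
    return keys


def command_basename(data):
    """Return the lower-cased file name of the executable in a Run value."""
    tail = data.strip().strip('"').split("\\")[-1]
    return tail.split()[0].lower() if tail.split() else ""


def find_reatle_autoruns(reg_text):
    """Return (key, value_name, data) for every entry matching the write-up."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        suspect_names = REATLE_AUTORUNS.get(key.lower(), set())
        for name, data in values.items():
            if name.lower() in suspect_names or command_basename(data) in REATLE_FILES:
                hits.append((key, name, data))
    return hits


# Constructed dump in 'reg export' format (backslashes doubled, as regedit
# writes them): two benign values and the two Reatle entries from the page.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Symantec"="C:\\WINNT\\System32\\ccapp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"WIN"="C:\\WINNT\\System32\\windows.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_reatle_autoruns(SAMPLE_EXPORT):
        print("Reatle autorun: [%s] %s = %s" % (key, name, data))
```

A hit on the value name alone is worth a second look before deleting anything, since a value named "Symantec" is exactly what a legitimate Symantec product might also create; the file the value points at, and whether it sits in the System folder alongside attach.tmp, is the deciding evidence.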

How can I protect my system?

                   Solo has added a signature for windows.exe to its signature file to protect users from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

                   If you are already infected with the Windows.exe process, first download and install the security patches from http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx. Because the worm also spreads over the network through the MS04-011 LSASS vulnerability, an unpatched machine can be re-infected as soon as it is cleaned, so patch (or disconnect the machine from the network) before cleaning. Then run the Solo anti-virus scanner to remove the worm components.

                   Solo antivirus can detect and remove W32.Reatle@mm and its variants safely. Use the following link to download the 30-day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses; it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link