lovgate.c on the rise

Discussion in 'malware problems & news' started by Pieter_Arntz, Feb 24, 2003.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Ranked 5th by messagelabs already:
    http://www.messagelabs.com/VirusEye/

    Lovgate.C appears to have fixed some previous problems with the e-mail spreading capabilities of the worm. It keeps the backdoor component running on the same port, 10168. The B variant did drop 2 different dlls, while this one only drops one (as the A variant does). It has apparently removed the keylogging component present in the B variant.

    Source: http://www.f-secure.com/v-descs/lovgate.shtml
     
  2. FanJ

    FanJ Guest

    TrendMicro:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LOVGATE.C

    Description:
    This malware is currently rapidly spreading in Taiwan, Australia, France, and Japan from where TrendLabs has received a significant number of infection reports. As of 1:02 AM, Trend has declared a Yellow Alert to control the spread of this malware.

    This worm effectively uses a relatively new social engineering trick by mimicking an autoreply message where it attaches itself. Recipients are enticed into opening the malware attachment since the mimicked message arrives as a reply to a familiar message.

    It has both backdoor and worm capabilities. As a worm, it spreads copies of itself via email and network-shared folders. As a backdoor, it allows remote users to access the system through port 10168.

    To spread across the network, it drops a copy of itself in network shared folders and subfolders using any of the following file names:

    fun.exe
    humor.exe
    docs.exe
    s3msong.exe
    midsong.exe
    billgt.exe
    Card.EXE
    SETUP.EXE
    searchURL.exe
    tamagotxi.exe
    hamster.exe
    news_doc.exe
    PsPGame.exe
    joke.exe
    images.exe
    pics.exe

    Through email, it sends itself by replying to all new messages received in Microsoft Outlook and Outlook Express with the following message:

    Subject: RE: <Original subject>
    Message body:
    "<infected machine>" wrote:
    ====

    <Body of sent mail>

    ====
    YAHOO.COM Mail auto-reply:

    ' I'll try to reply as soon as possible.
    Take a look to the attachment and send me your opinion! '

    Get your FREE YAHOO.COM Mail now!

    It uses the same file for the email attachment as the file it has dropped into the shared drives.

    By opening 10168, it allows remote users to access and manipulate the affected system, effectively compromising system security. It sends a notification to either of the following email addresses:

    54love@fescomail.net
    hacker117@163.com

    It runs on Windows 95, 98, ME, NT, 2000, and XP.
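The Trend Micro description quoted above gives three things a defender can check for directly: the file names the worm drops into shared folders, the backdoor listener on port 10168, and the spoofed "auto-reply" message pattern. The script below is an added example, not part of this thread or of Trend Micro's write-up: it walks a directory tree (assumed to be a locally mounted share) for the listed names, parses `netstat -an` style output for a listener on 10168, and flags mail that matches the reply pattern. The sample share, netstat excerpt and message in `demo()` are constructed for illustration; a hit on a generic name such as SETUP.EXE is only a lead to inspect, not a verdict.

```python
import os
import re
import tempfile
from pathlib import Path

# File names Trend Micro lists for the copies Lovgate.C drops into shared
# folders (from the description quoted above). Matched case-insensitively,
# since the list itself mixes case (Card.EXE, SETUP.EXE).
DROPPED_NAMES = {
    "fun.exe", "humor.exe", "docs.exe", "s3msong.exe", "midsong.exe",
    "billgt.exe", "card.exe", "setup.exe", "searchurl.exe", "tamagotxi.exe",
    "hamster.exe", "news_doc.exe", "pspgame.exe", "joke.exe", "images.exe",
    "pics.exe",
}

# Names that legitimate software also uses; a hit here needs a closer look.
GENERIC_NAMES = {"setup.exe", "images.exe", "docs.exe"}

BACKDOOR_PORT = 10168

# Fragments of the spoofed auto-reply body quoted in the description.
REPLY_MARKERS = ("YAHOO.COM Mail auto-reply", "Take a look to the attachment")

# Matches a `netstat -an` line for a TCP socket in LISTENING state and
# captures the local port (works for "0.0.0.0:10168" and "[::]:10168").
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def scan_share(root):
    """Walk a directory tree and return (relative_path, is_generic_name) for every
    file whose name is one of the dropped-file names, sorted by path."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered in DROPPED_NAMES:
                rel = Path(dirpath, name).relative_to(root).as_posix()
                hits.append((rel, lowered in GENERIC_NAMES))
    return sorted(hits)


def listening_ports(netstat_output):
    """Return the set of local TCP ports in LISTENING state from netstat text."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def backdoor_port_open(netstat_output):
    """True if something is listening on the port the backdoor component uses."""
    return BACKDOOR_PORT in listening_ports(netstat_output)


def looks_like_lovgate_reply(subject, body, attachment_names):
    """Flag a message that matches the worm's reply pattern: a 'RE:' subject,
    the fake auto-reply text, and an attachment carrying a dropped-file name."""
    if not subject.strip().lower().startswith("re:"):
        return False
    if not any(marker in body for marker in REPLY_MARKERS):
        return False
    return any(name.lower() in DROPPED_NAMES for name in attachment_names)


def demo():
    """Run all three checks on constructed sample data (a temp share, a netstat
    excerpt and one message) and return (file hits, port open, mail flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public" / "games").mkdir(parents=True)
        (root / "public" / "readme.txt").write_text("nothing to see")
        (root / "public" / "games" / "PsPGame.exe").write_bytes(b"MZ constructed sample")
        (root / "public" / "Card.EXE").write_bytes(b"MZ constructed sample")
        (root / "public" / "SETUP.EXE").write_bytes(b"MZ constructed sample")
        hits = scan_share(root)

    # Constructed `netstat -an` excerpt with the backdoor listener present.
    netstat = (
        "  Proto  Local Address          Foreign Address        State\n"
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
        "  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING\n"
        "  TCP    192.168.0.5:1044       192.168.0.9:139        ESTABLISHED\n"
    )

    # Constructed message following the quoted reply template.
    body = (
        '"pc-01" wrote:\n====\n\n...\n\n====\n\nYAHOO.COM Mail auto-reply:\n\n'
        "' I'll try to reply as soon as possible.\n"
        "Take a look to the attachment and send me your opinion! '\n"
    )
    mail_flagged = looks_like_lovgate_reply("RE: Meeting notes", body, ["joke.exe"])

    return hits, backdoor_port_open(netstat), mail_flagged


if __name__ == "__main__":
    print(demo())
```

For a real check, point `scan_share()` at the mount point of each share and feed `listening_ports()` the output of `netstat -an` from the host; the mail check is meant to sit in a gateway filter, where the attachment names are already parsed out of the message.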
     
  3. FanJ

    FanJ Guest
