W32/Lovgate-V

Discussion in 'malware problems & news' started by Marianna, May 7, 2004.

Thread Status:
Not open for further replies.
  1. Marianna (Spyware Fighter)
    Aliases
    I-Worm.LovGate.w, W32.Lovgate.Gen@mm, WORM_LOVGATE.V
    Type
    Win32 worm

    Description
    W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks.

    W32/Lovgate-V copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows folder as systra.exe.

    The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll which provide unauthorised remote access to the computer over a network.

    The worm drops ZIP files containing a copy of the worm onto accessible drives. The ZIP file may also carry a RAR extension. The name of the packed file is chosen from the following list:

    WORK
    setup
    important
    bak
    letter
    pass

    The name of the contained unpacked file is either PassWord, email or book, with a file extension of EXE, SCR, PIF or COM.

    In order to run automatically when Windows starts up, W32/Lovgate-V creates the following registry entries:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Hardware Profile = <SYSTEM>\hxdef.exe
    Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
    Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    WinHelp = <SYSTEM>\WinHelp.exe
    Program In Windows = <SYSTEM>\IEXPLORE.EXE

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = <WINDOWS>\SysTra.EXE

    HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = RAVMOND.exe

    In addition W32/Lovgate-V copies itself to the file command.exe in the root folder and creates the file autorun.inf there containing an entry to run the dropped file upon system startup.

    W32/Lovgate-V spreads by email. Email addresses are harvested from WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system.

    Emails have the following characteristics:

    Subject line:

    test
    hi
    hello
    Mail Delivery System
    Mail Transaction Failed
    Server Report
    Status
    Error

    Message text:

    It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

    The message contains Unicode characters and has been sent as a binary attachment.

    Mail failed. For further assistance, please contact!

    Attached file:

    document
    readme
    doc
    text
    file
    data
    test
    message
    body

    followed by ZIP, EXE, PIF or SCR.

    W32/Lovgate-V also enables sharing of the Windows media folder and copies itself there using various filenames.

    The worm also attempts to reply to emails found in the user's inbox using the following filenames as attachments:

    the hardcore game-.pif
    Sex in Office.rm.scr
    Deutsch BloodPatch!.exe
    s3msong.MP3.pif
    Me_nude.AVI.pif
    How to Crack all gamez.exe
    Macromedia Flash.scr
    SETUP.EXE
    Shakira.zip.exe
    dreamweaver MX (crack).exe
    StarWars2 - CloneAttack.rm.scr
    Industry Giant II.exe
    DSL Modem Uncapper.rar.exe
    joke.pif
    Britney spears nude.exe.txt.exe
    I am For u.doc.exe

    The worm attempts to spread by copying itself to mounted shares using one of the following filenames:

    mmc.exe
    xcopy.exe
    winhlp32.exe
    i386.exe
    client.exe
    findpass.exe
    autoexec.bat
    MSDN.ZIP.pif
    Cain.pif
    WindowsUpdate.pif
    Support Tools.exe
    Windows Media Player.zip.exe
    Microsoft Office.exe
    Documents and Settings.txt.exe
    Internet Explorer.bat
    WinRAR.exe

    W32/Lovgate-V also attempts to spread via weakly protected remote shares by connecting using a password from an internal dictionary and copying itself as the file NetManager.exe to the system folder on the admin$ share.

    After successfully copying the file, W32/Lovgate-V attempts to start it as the service "Windows Managment Network Service Extensions" on the remote computer.

    W32/Lovgate-V starts a logging thread that listens on port 6000, sends a notification email to an external address and logs received data to the file C:\Netlog.txt.

    W32/Lovgate-V attempts to terminate processes containing the following strings:

    rising
    SkyNet
    Symantec
    McAfee
    Gate
    Rfw.exe
    RavMon.exe
    kill
    Nav
    Duba
    KAV
    KV

    W32/Lovgate-V also overwrites EXE files on the system with copies of itself. The original files are saved with a ZMX extension.

    http://www.sophos.com/virusinfo/analyses/w32lovgatev.html
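    A defender-side check for the persistence entries listed in the description above, added here as an example (it is not part of the Sophos analysis or the original post): it scans a text registry export for the Run-key value names and the targets the description gives. The export below is a constructed sample; the SID in it is a placeholder.

```python
import re

# Value names and the data they point at, taken from the description above.
# Each indicator is confirmed only if the value lives under one of the
# persistence keys the description names (Run, RunServices, Windows\run).
LOVGATE_RUN_VALUES = {
    "Hardware Profile": "hxdef.exe",
    "Microsoft NetMeeting Associates, Inc.": "netmeeting.exe",
    "Protected Storage": "mssign30.dll ondll_reg",
    "VFW Encoder/Decoder Settings": "mssign30.dll ondll_reg",
    "WinHelp": "winhelp.exe",
    "Program In Windows": "iexplore.exe",
    "SystemTra": "systra.exe",
    "run": "ravmond.exe",
}
PERSISTENCE_KEY_SUFFIXES = ("\\run", "\\runservices", "\\windows nt\\currentversion\\windows")

# Constructed sample of a "reg export" (.reg) file; not from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"WinHelp"="C:\\WINDOWS\\System32\\WinHelp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINDOWS\\SysTra.EXE"

[HKEY_USERS\S-1-5-21-PLACEHOLDER-SID\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
"""

def parse_reg_export(text):
    """Yield (key, value_name, data) triples from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key section
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip().strip('"')

def find_lovgate_indicators(text):
    """Return (key, value_name, data) for entries matching the worm's Run values."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(PERSISTENCE_KEY_SUFFIXES):
            continue
        expected = LOVGATE_RUN_VALUES.get(name)
        if expected and expected in data.lower():
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_lovgate_indicators(SAMPLE_EXPORT):
        print(f"suspicious: [{key}] {name} = {data}")
```

    A hit only says the entry looks like the worm's; confirm by hashing the referenced file, since WinHelp.exe and iexplore.exe are also legitimate names.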