[1stPickPCHelp] Lovgate.C

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 26 Feb 2003 19:44:42 -0800

From Symantec;
   W32.HLLW.Lovgate.C@mm

Threat level:      Category 3
Type:              Worm
Virus Definitions: February 24, 2003 or later (via LiveUpdate)
Systems affected: Windows XP/2000 Pro/NT/Me/98/95
 

W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm.
This worm contains mass-mailing and backdoor functionality.
There are no major functionality differences between this
variant and W32.HLLW.Lovgate@mm. This variant appears to
have been re-compiled with a different compiler, and then
packed with the same runtime compression utility as
W32.HLLW.Lovgate@mm.

To replicate, W32.HLLW.Lovgate.C@mm creates its own
emails, adds infected attachments to each email, and
then emails each infected message. The email message is
one of the following:


Subject: Documents
Attachment: Docs.exe
Body: Send me your comments...

Subject: Roms
Attachment: Roms.exe
Body: Test this ROM! IT ROCKS!.

Subject: Pr0n!
Attachment: Sex.exe
Body: Adult content!!! Use with parental advisory.

Subject: Evaluation copy
Attachment: Setup.exe
Body: Test it 30 days for free.

Subject: Help
Attachment: Source.exe
Body: I'm going crazy... please try to find the bug!

Subject: Beta
Attachment: _SetupB.exe
Body: Send reply if you want to be official beta tester.

Subject: Do not release
Attachment: Pack.exe
Body: This is the pack ;)

Subject: Last Update
Attachment: LUPdate.exe
Body: This is the last cumulative update.

Subject: The patch
Attachment: Patch.exe
Body: I think all will work fine.


Subject: Cracks!
Attachment: CrkList.exe
Body: Check our list and mail your requests!

See;
http://www.symantec.com/avcenter/venc/data/w32.hllw.lovgate.c@xxxxxxx
_______________________________________

More information from Panda;
http://www.pandasoftware.com

Lovgate.C's armory includes its ability to trick users by sending 
itself out as a reply to unread messages in the Inbox. 
The e-mail it sends could have, among others, the following format:

- Subject: Re: [subject text of the original e-mail]

- Message text: [name of the user who sent the original mail] 
wrote: ==== > [text of the original mail] ====

I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!

- The attached file could be any of the following: "BILLGT.EXE", 
"CARD.EXE", "DOCS.EXE", "FUN.EXE", "HUMOR.EXE", 
"HAMSTER.EXE", "IMAGES.EXE", "JOKE.EXE",
"MIDSONG.EXE", "NEWS_DOC.EXE", "PICS.EXE", 
"PSPGAME.EXE", "S3MSONG.EXE", "SEARCHURL.EXE", 
"SETUP.EXE" or "TAMAGOTXI.EXE". 

Lovgate.C generates numerous copies of itself in all network 
shared folders and subfolders under names like: 
"FUN.EXE", "HUMOR.EXE", "NEWS_DOC.EXE", "PSPGAME.EXE", 
"JOKE.EXE", etc. Once again, it does this to entice unwitting
users into running these infected files.

In addition to spreading via e-mail and across local networks, 
Lovgate.C can act as a backdoor Trojan. It does this by opening 
a TCP port (normally 10168), making the computer vulnerable 
to external attacks. 

Reference;
http://www3.ca.com/virusinfo/Virus.asp?ID=14380
http://f-secure.com/v-descs/lovgate.shtml
http://www.idg.net/ic_1186067_9720_1-5073.html
_______________________________________

Other variants;
Lovgate-B
http://www.sophos.com/virusinfo/analyses/w32lovgateb.html
Lovgate-D
http://www.sophos.com/virusinfo/analyses/w32lovgated.html

Lovgate.E 
<http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=38916&sind=0>
______________________________________

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www.mwn.ca/
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages  
<http://www3.telus.net/mikebike/mikes_virus_page.htm> 
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance Charter Member 
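
As an added example (not part of the original post or of the vendor write-ups it quotes), a mail-filter check that flags messages matching the two e-mail formats listed above: the fixed subject/attachment pairs and the "Re:" reply format. The function names and the sample-message builder are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject -> attachment pairs from the Symantec list quoted above (lowercased).
FIXED_PAIRS = {
    "documents": "docs.exe", "roms": "roms.exe", "pr0n!": "sex.exe",
    "evaluation copy": "setup.exe", "help": "source.exe",
    "beta": "_setupb.exe", "do not release": "pack.exe",
    "last update": "lupdate.exe", "the patch": "patch.exe",
    "cracks!": "crklist.exe",
}
# Attachment names from the Panda list for the "Re:" reply format (lowercased).
REPLY_NAMES = {
    "billgt.exe", "card.exe", "docs.exe", "fun.exe", "humor.exe",
    "hamster.exe", "images.exe", "joke.exe", "midsong.exe", "news_doc.exe",
    "pics.exe", "pspgame.exe", "s3msong.exe", "searchurl.exe", "setup.exe",
    "tamagotxi.exe",
}
REPLY_PHRASE = "take a look to the attachment and send me your opinion!"


def classify(raw):
    """Return 'fixed-format', 'reply-format' or None for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    names = {(p.get_filename() or "").strip().lower()
             for p in msg.iter_attachments()}
    expected = FIXED_PAIRS.get(subject)
    if expected and expected in names:
        return "fixed-format"
    body = msg.get_body(preferencelist=("plain",))
    # Collapse whitespace so a line-wrapped phrase still matches.
    text = " ".join(body.get_content().lower().split()) if body else ""
    if subject.startswith("re:") and names & REPLY_NAMES and REPLY_PHRASE in text:
        return "reply-format"
    return None


def sample(subject, body, filename):
    """Build a constructed test message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Because the write-up says the reply format is one "among others", a None result does not clear a message; the check only covers the formats listed here.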


