From Symantec; W32.HLLW.Lovgate.C@mm Threat level: Category 3 Type: Worm Virus Definitions: February 24, 2003 or later (via LiveUpdate) Systems affected: Windows XP/2000 Pro/NT/Me/98/95 W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor functionality. There are no major functionality differences between this variant and W32.HLLW.Lovgate@mm. This variant appears to have been re-compiled with a different compiler, and then packed with the same runtime compression utility as W32.HLLW.Lovgate@mm. To replicate, W32.HLLW.Lovgate.C@mm creates its own emails, adds infected attachments to each email, and then emails each infected message. The email message is one of the following: Subject: Documents Attachment: Docs.exe Body: Send me your comments... Subject: Roms Attachment: Roms.exe Body: Test this ROM! IT ROCKS!. Subject: Pr0n! Attachment: Sex.exe Body: Adult content!!! Use with parental advisory. Subject: Evaluation copy Attachment: Setup.exe Body: Test it 30 days for free. Subject: Help Attachment: Source.exe Body: I'm going crazy... please try to find the bug! Subject: Beta Attachment: _SetupB.exe Body: Send reply if you want to be official beta tester. Subject: Do not release Attachment: Pack.exe Body: This is the pack ;) Subject: Last Update Attachment: LUPdate.exe Body: This is the last cumulative update. Subject: The patch Attachment: Patch.exe Body: I think all will work fine. Subject: Cracks! Attachment: CrkList.exe Body: Check our list and mail your requests! See; http://www.symantec.com/avcenter/venc/data/w32.hllw.lovgate.c@xxxxxxx _______________________________________ More information from Panda; http://www.pandasoftware.com Lovgate.C's armory includes its ability to trick users by sending itself out as a reply to unread messages in the Inbox. The e-mail it sends could have, among others, the following format: - Subject: Re: [subject text of the original e-mail] - Message text: [name of the user who sent the original mail] wrote: ==== > [text of the original mail] ==== I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! - The attached file could be any of the following: "BILLGT.EXE", "CARD.EXE", "DOCS.EXE", "FUN.EXE", "HUMOR.EXE", "HAMSTER.EXE", "IMAGES.EXE", "JOKE.EXE", "MIDSONG.EXE", "NEWS_DOC.EXE", "PICS.EXE", "PSPGAME.EXE", "S3MSONG.EXE", "SEARCHURL.EXE", "SETUP.EXE" or "TAMAGOTXI.EXE". Lovgate.C generates numerous copies of itself in all network shared folders and subfolders under names like: "FUN.EXE", "HUMOR.EXE", "NEWS_DOC.EXE", "PSPGAME.EXE", "JOKE.EXE", etc. Once again, it does this to entice unwitting users into running these infected files. In addition to spreading via e-mail and across local networks, Lovgate.C can act as a backdoor Trojan. It does this by opening a TCP port (normally 10168), making the computer vulnerable to external attacks. Refference; http://www3.ca.com/virusinfo/Virus.asp?ID=14380 http://f-secure.com/v-descs/lovgate.shtml http://www.idg.net/ic_1186067_9720_1-5073.html _______________________________________ Other variants; Lovgate-B http://www.sophos.com/virusinfo/analyses/w32lovgateb.html Lovgate-D http://www.sophos.com/virusinfo/analyses/w32lovgated.html Lovgate.E <http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=3 8916&sind=0> ______________________________________ Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www.mwn.ca/ <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> See my Anti-Virus pages <http://www3.telus.net/mikebike/mikes_virus_page.htm> <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance Charter Member ~*~*~*~*~ Was this forwarded to you? Want to subscribe? Send an email to 1stpickpchelp-request@xxxxxxxxxxxxx?Subject=subscribe. For a complete list of email commands for our list send an email to ecartis@xxxxxxxxxxxxx with a subject of "info 1stpickpchelp" without the quotes. If you wish to unsubscribe from our list send an email to 1stpickpchelp-request@xxxxxxxxxxxxx?Subject=unsubscribe To contact the list moderators send an email to 1stpickpchelp-moderators@xxxxxxxxxxxxx ~*~*~*~*~