From: Sophos Alert System

Name: W32/Lovgate-V
Aliases: I-Worm.LovGate.w, W32.Lovgate.Gen@mm, WORM_LOVGATE.V
Type: Win32 worm
Date: 15 April 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

Sophos has received several reports of this worm from the wild.

Note: Sophos has been detecting W32/Lovgate-V since 01:43 GMT on 6 April. This IDE has been issued to enhance detection.

Information about W32/Lovgate-V can be found at:
http://www.sophos.com/virusinfo/analyses/w32lovgatev.html

Description

W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks.

W32/Lovgate-V copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe, and to the Windows folder as systra.exe. The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll, which provide unauthorised remote access to the computer over a network.

The worm drops ZIP files containing a copy of the worm onto accessible drives. The ZIP file may also carry a RAR extension. The name of the packed file is chosen from the following list:

  WORK
  setup
  important
  bak
  letter
  pass

The name of the contained unpacked file is either PassWord, email or book, with a file extension of EXE, SCR, PIF or COM.

In order to run automatically when Windows starts up, W32/Lovgate-V creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  Hardware Profile = <SYSTEM>\hxdef.exe
  Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
  Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
  VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
  WinHelp = <SYSTEM>\WinHelp.exe
  Program In Windows = <SYSTEM>\IEXPLORE.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
  SystemTra = <WINDOWS>\SysTra.EXE

HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
  run = RAVMOND.exe

In addition, W32/Lovgate-V copies itself to the file command.exe in the root folder and creates the file autorun.inf there, containing an entry to run the dropped file upon system startup.

W32/Lovgate-V spreads by email. Email addresses are harvested from WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system. Emails have the following characteristics:

Subject line (one of):
  test
  hi
  hello
  Mail Delivery System
  Mail Transaction Failed
  Server Report
  Status
  Error

Message text (one of):
  It's the long-awaited film version of the Broadway hit.
  The message sent as a binary attachment.
  The message contains Unicode characters and has been sent as a binary attachment.
  Mail failed. For further assistance, please contact!

Attached file (one of the following names, followed by a ZIP, EXE, PIF or SCR extension):
  document
  readme
  doc
  text
  file
  data
  test
  message
  body

W32/Lovgate-V also enables sharing of the Windows media folder and copies itself there using various filenames.
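A triage check over the autostart entries and dropped files listed above, added here as an example and not part of the Sophos alert. The registry dump and file listing it scans are constructed, and the <SYSTEM> and <WINDOWS> placeholders are kept as the alert writes them.

```python
from pathlib import PureWindowsPath

# File names quoted in the alert above; the registry dump and listing below are constructed.
DROPPED = {"winhelp.exe", "iexplore.exe", "kernel66.dll", "ravmond.exe",
           "systra.exe", "hxdef.exe", "netmeeting.exe", "command.exe"}
BACKDOOR_DLLS = {"msjdbc11.dll", "mssign30.dll", "odbc16.dll"}
AUTOSTART_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runservices\\",
                  "\\currentversion\\windows\\")


def _basenames(command):
    """Lower-cased file name of each token, so 'RUNDLL32.EXE MSSIGN30.DLL ondll_reg'
    exposes the backdoor DLL and not just rundll32."""
    return {PureWindowsPath(tok.strip('"')).name.lower() for tok in command.split()}


def triage_autostart(registry_lines):
    """(value_path, command) pairs under Run, RunServices or Windows\\run whose
    command names a file the alert lists as dropped by the worm."""
    hits = []
    for line in registry_lines:
        key, sep, command = (s.strip() for s in line.partition(" = "))
        if sep and any(k in key.lower() for k in AUTOSTART_KEYS) \
                and _basenames(command) & (DROPPED | BACKDOOR_DLLS):
            hits.append((key, command))
    return hits


def triage_files(paths):
    """Group on-disk indicators: autorun.inf or command.exe in a drive root,
    and dropped binaries or backdoor DLLs in the Windows system folder."""
    out = {"root_autorun": [], "system_drop": []}
    for p in paths:
        wp = PureWindowsPath(p)
        name, parent = wp.name.lower(), str(wp.parent).lower()
        if name in ("autorun.inf", "command.exe") and len(wp.parts) == 2:
            out["root_autorun"].append(p)  # drive root: parts are (anchor, name)
        elif name in DROPPED | BACKDOOR_DLLS and parent.endswith(("\\system", "\\system32")):
            out["system_drop"].append(p)
    return out


SAMPLE_REGISTRY = [  # constructed dump mirroring the entries listed in the alert
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp = <SYSTEM>\WinHelp.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = <WINDOWS>\SysTra.EXE",
    r"HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = RAVMOND.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon = C:\WINDOWS\system32\ctfmon.exe",
]
SAMPLE_PATHS = [  # constructed directory listing; the last two entries are benign
    r"C:\autorun.inf", r"C:\command.exe", r"C:\WINDOWS\system32\mssign30.dll",
    r"C:\WINDOWS\system32\kernel66.dll", r"C:\WINDOWS\system32\notepad.exe", r"C:\Temp\command.exe",
]
```

A command.exe outside a drive root, as in the last sample path, is deliberately not flagged, since the alert only ties that name to the root folder.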
The worm also attempts to reply to emails found in the user's inbox, using the following filenames as attachments:

  the hardcore game-.pif
  Sex in Office.rm.scr
  Deutsch BloodPatch!.exe
  s3msong.MP3.pif
  Me_nude.AVI.pif
  How to Crack all gamez.exe
  Macromedia Flash.scr
  SETUP.EXE
  Shakira.zip.exe
  dreamweaver MX (crack).exe
  StarWars2 - CloneAttack.rm.scr
  Industry Giant II.exe
  DSL Modem Uncapper.rar.exe
  joke.pif
  Britney spears nude.exe.txt.exe
  I am For u.doc.exe

The worm attempts to spread by copying itself to mounted shares using one of the following filenames:

  mmc.exe
  xcopy.exe
  winhlp32.exe
  i386.exe
  client.exe
  findpass.exe
  autoexec.bat
  MSDN.ZIP.pif
  Cain.pif
  WindowsUpdate.pif
  Support Tools.exe
  Windows Media Player.zip.exe
  Microsoft Office.exe
  Documents and Settings.txt.exe
  Internet Explorer.bat
  WinRAR.exe

W32/Lovgate-V also attempts to spread via weakly protected remote shares by connecting using a password from an internal dictionary and copying itself as the file NetManager.exe to the system folder on the admin$ share. After successfully copying the file, W32/Lovgate-V attempts to start it as the service "Windows Managment Network Service Extensions" on the remote computer.

W32/Lovgate-V starts a logging thread that listens on port 6000, sends a notification email to an external address and logs received data to the file C:\Netlog.txt.

W32/Lovgate-V attempts to terminate processes containing the following strings:

  rising
  SkyNet
  Symantec
  McAfee
  Gate
  Rfw.exe
  RavMon.exe
  kill
  Nav
  Duba
  KAV
  KV

W32/Lovgate-V also overwrites EXE files on the system with copies of itself. The original files are saved with a ZMX extension.

Recovery

Please follow the instructions for removing worms.

Download the IDE file from:
http://www.sophos.com/downloads/ide/lovgatev.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file.
The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member