[pcductape] Virus Alert

  • From: "Martha Bagwell" <mabagwell@xxxxxxxxx>
  • To: <pcductape@xxxxxxxxxxxxx>
  • Date: Mon, 24 Feb 2003 16:54:11 -0600

LoveGate worm's got a hold on PCs
By Robert Lemos 
Staff Writer, CNET News.com
February 24, 2003, 12:08 PM PT

A mass-mailing computer virus compromised a moderate number of PCs worldwide on 
Monday, installing a Trojan horse program that allows a remote intruder easy 
access to a victim's system, said antivirus experts. 
Known as LoveGate, the LovGate.C program has many similarities to previous 
viruses: It is a binary program; it has its own e-mail engine, obviating the 
need to use another program such as Microsoft Outlook to send messages; and it 
attempts to use 16 simple passwords to break into and spread to other computers 
on the victim's network. 

"In terms of the technology that it uses, all the individual capabilities have 
been seen before," said Steve Trilling, senior director of research for 
security software company Symantec. The worm is a variant of the LovGate.A 
virus, also known as w32.lovegate@m, which was first seen on the Internet last 

Symantec rated the worm a "3"--or medium threat--on its five-point scale of 
computer-virus risk. Trilling said that to a large extent the level of the 
grade is due to the large number of incident submissions from 18 of the 
company's corporate clients. Rival firm Network Associates also rated LoveGate 
a medium threat. Both firms have updated the definitions available to allow 
their software to detect the worm. 

The LoveGate virus generally first appears as an attachment to an e-mail 
message. It uses typical social-engineering tricks--such as e-mail headers that 
promise free software, ask for help or advertise sexual content--to convince PC 
users to run the attached program. It then integrates itself with the victim's 
operating system.

As part of its attack, the worm installs and runs a Trojan horse program 
consisting of four files. When it runs, the program notifies the virus's author 
of the compromised machine's address via e-mail, and opens up port 10168. Ports 
are the software addresses used by applications running on one computer to 
communicate with other applications running on other systems across a network. 

By knowing the Internet address of the victim's computer, the port number and 
the password used by the Trojan horse, an intruder can take control of an 
infected PC. 

While the virus could be a security threat for infected companies and home 
users, it hasn't yet spread very widely. 

E-mail service provider MessageLabs intercepted nearly 4,000 e-mails containing 
the malicious program in the first 12 hours of its spread. The e-mails came 
from South Africa, the United Kingdom, Italy, Germany, Belgium, China and the 
United States. 

That falls well short of the propagation of the top-dog computer virus, Klez.H. 
Computers infected with the 10-month-old malicious computer program still 
produce more than 12,000 e-mails that are detected by MessageLabs every day. 

Two other viruses, Sobig and Yaha, are currently in the No. 2 and No. 3 slots 
on MessageLabs' list of most prevalent intercepted code. Both have created more 
than 4,000 e-mail messages that have been filtered by the company. 

Other related posts:

  • » [pcductape] Virus Alert