This one is probably coming to a PC near you.

Regards,
Jim Kenzig
The Kenzig Group
http://thethin.net
http://www.osmess.com
http://worldofasp.com
http://Portals.US
http://virtualdotnet.com
http://zoner.net

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LOVGATE.C

This malware is currently rapidly spreading in Taiwan, Australia, France, and Japan, from where TrendLabs has received a significant number of infection reports. As of 1:02 AM, Trend has declared a Yellow Alert to control the spread of this malware.

This worm uses a relatively new social engineering trick: it mimics an auto-reply message and attaches itself to it. Recipients are enticed into opening the malware attachment because the mimicked message arrives as a reply to a message they recognize.

It has both backdoor and worm capabilities. As a worm, it spreads copies of itself via email and network-shared folders. As a backdoor, it allows remote users to access the system through port 10168.

To spread across the network, it drops a copy of itself in network-shared folders and subfolders using any of the following file names:

* fun.exe
* humor.exe
* docs.exe
* s3msong.exe
* midsong.exe
* billgt.exe
* Card.EXE
* SETUP.EXE
* searchURL.exe
* tamagotxi.exe
* hamster.exe
* news_doc.exe
* PsPGame.exe
* joke.exe
* images.exe
* pics.exe

Through email, it sends itself by replying to all new messages received in Microsoft Outlook and Outlook Express with the following message:

Subject: RE: <Original subject>

Message body:
"<infected machine>" wrote:
====
<Body of sent mail>
====
YAHOO.COM Mail auto-reply:
' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '
Get your FREE YAHOO.COM Mail now!

Attachment: <file name of the dropped file>

It uses the same file for the email attachment as the file it has dropped into the shared drives.
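As an added example (not part of the advisory or of this list post), a Python triage check that applies the lure pattern described above to one raw message: reply-style subject, the fake "YAHOO.COM Mail auto-reply" text, an executable attachment, and whether the attachment name is one of the listed drop names. The executable-extension list and the sample message are constructed assumptions.

```python
# Added example, not from the advisory or the mailing-list post: a triage check
# for the LOVGATE.C lure described above, run over one raw RFC 822 message.
# It returns the indicators it finds so a mail gateway or analyst can act on them.
import email
from email import policy

LOVGATE_DROP_NAMES = {
    "fun.exe", "humor.exe", "docs.exe", "s3msong.exe", "midsong.exe", "billgt.exe",
    "card.exe", "setup.exe", "searchurl.exe", "tamagotxi.exe", "hamster.exe",
    "news_doc.exe", "pspgame.exe", "joke.exe", "images.exe", "pics.exe",
}
LURE_PHRASE = "YAHOO.COM Mail auto-reply"
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")   # assumed gateway policy list

def lovgate_lure_indicators(raw_message: bytes) -> list:
    """Return the LOVGATE.C lure indicators found in a raw message, in order."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    if msg.get("Subject", "").strip().upper().startswith("RE:"):
        found.append("reply-style subject")
    body = msg.get_body(preferencelist=("plain",))   # the text part the victim reads
    if body is not None and LURE_PHRASE in body.get_content():
        found.append("fake auto-reply text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            found.append("executable attachment: " + name)
        if name in LOVGATE_DROP_NAMES:
            found.append("known drop name: " + name)
    return found

def is_lovgate_lure(raw_message: bytes) -> bool:
    """Treat the fake auto-reply text plus an executable attachment as the lure."""
    found = lovgate_lure_indicators(raw_message)
    return "fake auto-reply text" in found and any(f.startswith("executable") for f in found)

# Constructed sample (not a real capture) shaped like the advisory's message template.
SAMPLE = (
    b"From: victim@example.invalid\r\nTo: friend@example.invalid\r\nSubject: RE: meeting notes\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b'"victim" wrote:\r\n====\r\nsee you at 10\r\n====\r\n'
    b"YAHOO.COM Mail auto-reply:\r\n' I'll try to reply as soon as possible. "
    b"Take a look to the attachment and send me your opinion! '\r\n"
    b"Get your FREE YAHOO.COM Mail now!\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="joke.exe"\r\n'
    b'Content-Disposition: attachment; filename="joke.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
)
```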
By opening port 10168, it allows remote users to access and manipulate the affected system, effectively compromising system security. It sends a notification to either of the following email addresses:

* 54love@xxxxxxxxxxxxx
* hacker117@xxxxxxx

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner <http://www.trendmicro.com/download/tsc.asp>.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program. Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_LOVGATE.C. To do this, Trend Micro customers must download the latest pattern file </download/pattern.asp> and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner <http://housecall.antivirus.com>.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check that the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting the additional instructions.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the following entries:
syshelp = "%System%\syshelp.exe"
WinGate initialize = "%System%\WinGate.exe -remoteshell"
Module Call initialize = "RUNDLL32.EXE reg.dll ondll_reg"

NOTE: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.

Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to open a .TXT file. The following procedure should restore the registry to its original settings.

In Registry Editor, in the left panel, double-click the following:
HKEY_CLASSES_ROOT>txtfile>shell>open>command
In the right panel, locate the registry entry: Default
Check whether its data (in the rightmost column) is the path and file name of the malware file:
"winrpc.exe %1"
If the data is the malware file, right-click Default and select Modify to change its value.
In the Value data input box, delete the existing value and type the default value:
%System%\NOTEPAD.EXE %1
Click OK.
Close Registry Editor.

Removing Autostart Entries from System Files

Malware autostart entries in system files must be removed before the system can be restarted safely.

Open WIN.INI. To do this, click Start>Run, type WIN.INI, then press Enter.
Under the [windows] section, locate and delete the file name of the malware file, rpcsvr.exe, from the following line:
Run=rpcsvr.exe
Close WIN.INI and click Yes when prompted to save.

Disabling Malware Service

Restart your machine to terminate the malware service.
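As an added example (not Trend Micro's tooling), a Python script that looks for the three autostart points covered by the steps above in artifacts collected from a suspect host: a REGEDIT export of the Run key and the txtfile shell command, plus the contents of WIN.INI. The sample artifacts are constructed, and the script assumes the keys were exported with the paths shown.

```python
# Added example, not from the advisory: offline check of the three autostart
# points the removal steps cover, over text collected from a suspect host (a
# REGEDIT .reg export of the two keys, plus the contents of WIN.INI).
import configparser
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"
LOVGATE_RUN_VALUES = {"syshelp", "WinGate initialize", "Module Call initialize"}

def parse_reg_export(text: str) -> dict:
    """Parse a 'Windows Registry Editor' export into {key(lowercased): {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")   # "@" names the (Default) value
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def lovgate_persistence_findings(reg_export: str, win_ini: str) -> list:
    """Report the WORM_LOVGATE.C autostart entries the advisory tells you to remove."""
    findings, reg = [], parse_reg_export(reg_export)
    for name, data in reg.get(RUN_KEY, {}).items():
        if name in LOVGATE_RUN_VALUES:
            findings.append(f"Run value {name!r} -> {data}")
    shell_cmd = reg.get(TXT_KEY, {}).get("@", "")
    if "winrpc.exe" in shell_cmd.lower():   # expected default: %System%\NOTEPAD.EXE %1
        findings.append(f"txtfile open command hijacked: {shell_cmd}")
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    ini.read_string(win_ini)                # WIN.INI is plain INI syntax
    run_line = ini.get("windows", "run", fallback="")
    if "rpcsvr.exe" in run_line.lower():
        findings.append(f"WIN.INI [windows] Run={run_line}")
    return findings

# Constructed sample artifacts (not real exports) carrying the advisory's entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINNT\\System32\\syshelp.exe"
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"SomeUpdater"="C:\\Program Files\\Updater\\upd.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nRun=rpcsvr.exe\n[Desktop]\nWallpaper=(None)\n"
```

The benign "SomeUpdater" entry in the sample is left out of the findings, so the check reports only the entries the advisory names.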
Additional Windows ME/XP Cleaning Instructions
<http://www.trendmicro.com/en/security/advisories/win_me_clean.htm>

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_LOVGATE.C and WORM_LOVGATE.A. To do this, Trend Micro customers must download the latest pattern file </download/pattern.asp> and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner <http://housecall.antivirus.com>.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network <http://www.antivirus.com/banners/tracking.asp?si=88&bi=211&ul=/products/> or home PC <http://www.antivirus.com/banners/tracking.asp?si=88&bi=210&ul=/pc-cillin/>.