[THIN] ALERT: Lovegate Worm Spreading Fast in Europe

  • From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
  • To: ossecurityalert@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx,office2000@xxxxxxxxxxxxx, msexchange@xxxxxxxxxxxxx,thin@xxxxxxxxxxxxx
  • Date: Mon, 24 Feb 2003 10:31:21 -0500

This one is probably coming to a PC near you.
Regards,
Jim Kenzig
The Kenzig Group
http://thethin.net
http://www.osmess.com
http://worldofasp.com
http://Portals.US
http://virtualdotnet.com
http://zoner.net


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LOVGATE.C
This malware is currently rapidly spreading in Taiwan, Australia, France,
and Japan from where TrendLabs has received a significant number of
infection reports. As of 1:02 AM, Trend has declared a Yellow Alert to
control the spread of this malware.
This worm effectively uses a relatively new social engineering trick by
mimicking an autoreply message where it attaches itself. Recipients are
enticed into opening the malware attachment since the mimicked message
arrives as a reply to a familiar message.
It has both backdoor and worm capabilities. As a worm, it spreads copies of
itself via email and network-shared folders. As a backdoor, it allows remote
users to access the system through port 10168.
To spread across the network, it drops a copy of itself in network shared
folders and subfolders using any of the following file names:
*       fun.exe
*       humor.exe
*       docs.exe
*       s3msong.exe
*       midsong.exe
*       billgt.exe
*       Card.EXE
*       SETUP.EXE
*       searchURL.exe
*       tamagotxi.exe
*       hamster.exe
*       news_doc.exe
*       PsPGame.exe
*       joke.exe
*       images.exe
*       pics.exe
Through email, it sends itself by replying to all new messages received in
Microsoft Outlook and Outlook Express with the following message:
Subject: RE: <Original subject>
Message body:
"<infected machine>" wrote:
====

<Body of sent mail>

====


YAHOO.COM Mail auto-reply:

' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion! '

Get your FREE YAHOO.COM Mail now!
Attachment: <file name of the dropped file>
It uses the same file for the email attachment as the file it has dropped
into the shared drives.
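The two spreading vectors above share one indicator set: the attachment name is the same file dropped into the shares, and the mail body carries the fake YAHOO.COM auto-reply text. The following is an added example (not part of the Trend Micro advisory or this post) that flags both, for use in a mail-gateway filter or a share sweep. It assumes the worm's mail arrives as an ordinary MIME message with the executable as an attachment part and the lure text in the text/plain body; the messages built at the bottom are constructed samples, not captures.

```python
"""Flags the WORM_LOVGATE.C mail lure and its dropped-file names.

Assumptions (not from the advisory): the worm's mail is an ordinary MIME
message with the .exe as an attachment part and the lure text in the
text/plain body. Sample messages below are constructed, not real captures.
"""
import email
import ntpath
from email import policy
from email.message import EmailMessage

# File names the advisory lists as dropped into shares and mailed as attachments
LOVGATE_NAMES = {
    "fun.exe", "humor.exe", "docs.exe", "s3msong.exe", "midsong.exe",
    "billgt.exe", "card.exe", "setup.exe", "searchurl.exe", "tamagotxi.exe",
    "hamster.exe", "news_doc.exe", "pspgame.exe", "joke.exe", "images.exe",
    "pics.exe",
}
# Phrases from the fake YAHOO.COM auto-reply text quoted in the advisory
LURE_PHRASES = ("yahoo.com mail auto-reply", "take a look to the attachment")


def lovgate_indicators(raw_message):
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).lower().startswith("re:"):
        hits.append("reply-style subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in LURE_PHRASES):
        hits.append("yahoo auto-reply lure text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in LOVGATE_NAMES:
            hits.append("known lovgate attachment name: " + name)
        elif name.endswith(".exe"):
            hits.append("executable attachment: " + name)
    return hits


def is_lovgate_lure(raw_message):
    """A bare 'RE:' subject is normal mail; require the lure text plus an .exe."""
    hits = lovgate_indicators(raw_message)
    has_lure = any("lure text" in h for h in hits)
    has_exe = any("attachment" in h for h in hits)
    return has_lure and has_exe


def match_dropped_names(paths):
    """From a listing of a shared folder (UNC or local paths), return entries
    whose base name matches one of the worm's drop names, case-insensitively."""
    return [p for p in paths if ntpath.basename(p).lower() in LOVGATE_NAMES]


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message for offline testing (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # A few bytes standing in for the dropped executable; not worm code
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


LURE_BODY = (
    '"someone" wrote:\n====\n\nsee attached\n\n====\n\n'
    "YAHOO.COM Mail auto-reply:\n\n"
    "' I'll try to reply as soon as possible.\n"
    "Take a look to the attachment and send me your opinion! '\n\n"
    "Get your FREE YAHOO.COM Mail now!\n"
)
SAMPLE_LURE = build_sample("RE: meeting notes", LURE_BODY, "joke.exe")
SAMPLE_BENIGN = build_sample("RE: meeting notes", "Thanks, see you Tuesday.\n")

if __name__ == "__main__":
    print(lovgate_indicators(SAMPLE_LURE), is_lovgate_lure(SAMPLE_LURE))
    print(lovgate_indicators(SAMPLE_BENIGN), is_lovgate_lure(SAMPLE_BENIGN))
    print(match_dropped_names([r"\\fileserver\public\Card.EXE", "readme.txt"]))
```

The verdict deliberately needs both the lure text and an executable attachment, because a "RE:" subject on its own is what every legitimate reply looks like; a name match from the list is reported separately so a share sweep can use the same set.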
By opening port 10168, it allows remote users to access and manipulate the
affected system, effectively compromising system security. It sends a
notification to either of the following email addresses:
*       54love@xxxxxxxxxxxxx
*       hacker117@xxxxxxx
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:

AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use the Trend
Micro System Cleaner <http://www.trendmicro.com/download/tsc.asp>.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware
program.
Scan your system with Trend Micro antivirus and NOTE all files detected as
WORM_LOVGATE.C. To do this, Trend Micro customers must download the latest
pattern file </download/pattern.asp> and scan their system. Other Internet
users can use HouseCall, Trend Micro's free online virus scanner
<http://housecall.antivirus.com>.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will
need the name(s) of the file(s) detected earlier.
        Open Windows Task Manager.
        On Windows 95/98/ME systems, press
        CTRL+ALT+DELETE
        On Windows NT/2000/XP systems, press
        CTRL+SHIFT+ESC, and click the Processes tab.
        In the list of running programs*, locate the malware file or files detected earlier.
        Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
        Do the same for all detected malware files in the list of running
processes.
        To check if the malware process has been terminated, close Task Manager,
and then open it again.
        Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show
certain processes. You may use a third party process viewer to terminate the
malware process. Otherwise, continue with the next procedure, noting
additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup.
        Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
        In the left panel, double-click the following:
        HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
        CurrentVersion>Run
        In the right panel, locate and delete the following entries:
        syshelp = "%System%\syshelp.exe"
        WinGate initialize = "%System%\WinGate.exe -remoteshell"
        Module Call initialize = "RUNDLL32.EXE reg.dll ondll_reg"
NOTE: %System% is the Windows system folder, which is usually
C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT
and 2000, or C:\Windows\System32 on Windows XP.
Addressing Registry Shell Spawning
Registry shell spawning executes the malware when a user tries to run an
.TXT file. The following procedures should restore the registry to its
original settings.
        In Registry Editor, in the left panel, double-click the following:
        HKEY_CLASSES_ROOT>txtfile>shell>open>command
        In the right panel, locate the registry entry:
        Default
        Check whether its data (in the rightmost column) is the path and file name of the malware file:
        "winrpc.exe %1"
        If the data is the malware file, right-click Default and select Modify to change its value.
        In the Value data input box, delete the existing value and type the default value:
        %System%\NOTEPAD.EXE %1
        Click OK.
        Close Registry Editor.
Removing Autostart Entries from System Files
Malware autostart entries in system files must be removed before the system
can be restarted safely.
        Open WIN.INI. To do this, click Start>Run, type WIN.INI, then press Enter.
        Under the [windows] section, locate and delete the file name of the malware file, rpcsvr.exe, from the following line:
        Run=rpcsvr.exe
        Close WIN.INI and click Yes when prompted to save.
Disabling Malware Service
Restart your machine to terminate the malware service.
Additional Windows ME/XP Cleaning Instructions
<http://www.trendmicro.com/en/security/advisories/win_me_clean.htm>
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as
WORM_LOVGATE.C and WORM_LOVGATE.A. To do this, Trend Micro customers must
download the latest pattern file </download/pattern.asp> and scan their
system. Other Internet users can use HouseCall, Trend Micro's free online
virus scanner <http://housecall.antivirus.com>.
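The manual steps above amount to four host indicators: the three Run values, the hijacked txtfile handler, the Run= line in WIN.INI, and the listener on port 10168. The following is an added example (not Trend Micro's tool or anything from this post) that checks all four, written so the check functions take exported data (a .reg dump, a copy of WIN.INI, netstat output) and run anywhere, while collect_windows_indicators() reads the live registry with the standard winreg module on Windows. One assumption the advisory does not state: the backdoor on 10168 is taken to be a TCP listener. Key paths and value names are the ones listed above.

```python
"""Checks a host for the WORM_LOVGATE.C persistence and backdoor indicators.

The check_* functions are pure, so they can run on any platform against data
collected by hand; collect_windows_indicators() reads the live registry and
WIN.INI with winreg on Windows. Assumption not stated in the advisory: the
backdoor on port 10168 is a TCP listener.
"""
import socket
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"txtfile\shell\open\command"
BACKDOOR_PORT = 10168

# Value name -> data fragment, from the advisory's HKLM ... \Run listing
LOVGATE_RUN_VALUES = {
    "syshelp": "syshelp.exe",
    "WinGate initialize": "wingate.exe -remoteshell",
    "Module Call initialize": "rundll32.exe reg.dll ondll_reg",
}


def check_run_entries(entries):
    """entries: {value name: data} from the Run key. Returns the matching ones."""
    hits = {}
    for name, data in entries.items():
        fragment = LOVGATE_RUN_VALUES.get(name)
        if fragment and fragment in str(data).lower():
            hits[name] = data
    return hits


def check_txtfile_handler(command):
    """True if the .txt open command has been pointed at the worm's winrpc.exe."""
    return "winrpc.exe" in command.lower()


def check_win_ini(text):
    """Return the Run= value under [windows] if it names rpcsvr.exe, else None."""
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "windows" and stripped.lower().startswith("run="):
            value = stripped.split("=", 1)[1].strip()
            if "rpcsvr.exe" in value.lower():
                return value
    return None


def check_listeners(netstat_lines, port=BACKDOOR_PORT):
    """Scan 'netstat -an' style lines for a LISTENING socket on the backdoor port."""
    suffix = ":%d" % port
    return [line for line in netstat_lines
            if "LISTEN" in line.upper()
            and any(tok.endswith(suffix) for tok in line.split())]


def backdoor_port_open(host="127.0.0.1", port=BACKDOOR_PORT, timeout=1.0):
    """Live check: does anything accept a TCP connection on the backdoor port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def collect_windows_indicators():
    """Windows only: read the live registry and WIN.INI and run every check."""
    import os
    import winreg
    run_entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            run_entries[name] = data
            index += 1
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, TXTFILE_KEY) as key:
        txt_cmd, _ = winreg.QueryValueEx(key, "")  # the (Default) value
    win_ini = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "WIN.INI")
    ini_text = open(win_ini, encoding="latin-1").read() if os.path.exists(win_ini) else ""
    return {
        "run_entries": check_run_entries(run_entries),
        "txtfile_hijacked": check_txtfile_handler(txt_cmd),
        "win_ini_run": check_win_ini(ini_text),
        "port_10168_open": backdoor_port_open(),
    }


if __name__ == "__main__":
    if sys.platform == "win32":
        print(collect_windows_indicators())
    else:
        print("Run on the suspect Windows host, or feed exported data to the check_* functions.")
```

A clean result from these checks only means the listed persistence points are gone; the worm also drops files in shares and mails itself, so run the full scan described above before putting the machine back on the network.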
Trend Micro offers best-of-breed antivirus and content-security solutions
for your corporate network
<http://www.antivirus.com/banners/tracking.asp?si=88&bi=211&ul=/products/>
or home PC
<http://www.antivirus.com/banners/tracking.asp?si=88&bi=210&ul=/pc-cillin/>.

