[virusinfo] Sophos Anti-Virus IDE alert: W32/Lovgate-V

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 07 May 2004 09:13:21 -0700


From: Sophos Alert System:

Name: W32/Lovgate-V
Aliases: I-Worm.LovGate.w, W32.Lovgate.Gen@mm, WORM_LOVGATE.V
Type: Win32 worm
Date: 7 May 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


Sophos has received several reports of this worm from the wild.


Note: Sophos has been detecting W32/Lovgate-V since 01:43 GMT on
6 April. The detection was previously updated at 15:59 GMT on 15
April. This IDE has been issued to enhance detection.

Information about W32/Lovgate-V can be found at:
http://www.sophos.com/virusinfo/analyses/w32lovgatev.html
Description 
W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread
via email, network shares and filesharing networks. 
W32/Lovgate-V copies itself to the Windows system folder as the files
WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows
folder as systra.exe. 

The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll which
provide unauthorised remote access to the computer over a network. 

The worm drops ZIP files containing a copy of the worm onto accessible
drives.
The ZIP file may also carry a RAR extension. The name of the packed file is
chosen from the following list: 

WORK
setup
important
bak
letter
pass 

The name of the contained unpacked file is either PassWord, email or book,
with a file extension of EXE, SCR, PIF or COM. 

In order to run automatically when Windows starts up W32/Lovgate-V creates the
following registry entries: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile = <SYSTEM>\hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = <SYSTEM>\WinHelp.exe
Program In Windows = <SYSTEM>\IEXPLORE.EXE 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra =
<WINDOWS>\SysTra.EXE 

HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = RAVMOND.exe 

In addition W32/Lovgate-V copies itself to the file command.exe in the root
folder and creates the file autorun.inf there containing an entry to run the
dropped file upon system startup. 
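A defender's check of exported autorun entries against the persistence artifacts listed above (example added here, not Sophos code; the registry data is a constructed sample, and the key constants are shortened for readability):

```python
"""Flag Run/RunServices entries matching the W32/Lovgate-V persistence
artifacts from the Sophos description. Example added here; not Sophos code."""
import re

# (value name, image filename) pairs taken from the advisory's registry list.
LOVGATE_AUTORUNS = {
    ("hardware profile", "hxdef.exe"),
    ("microsoft netmeeting associates, inc.", "netmeeting.exe"),
    ("protected storage", "mssign30.dll"),
    ("vfw encoder/decoder settings", "mssign30.dll"),
    ("winhelp", "winhelp.exe"),
    ("program in windows", "iexplore.exe"),
    ("systemtra", "systra.exe"),
    ("run", "ravmond.exe"),
}
# Dropped DLLs giving remote access; any autorun loading one is a hit by itself.
LOVGATE_DLLS = {"msjdbc11.dll", "mssign30.dll", "odbc16.dll"}

def _images(data):
    """Lower-cased basenames of every .exe/.dll token in a command line."""
    return {m.group(1).lower()
            for m in re.finditer(r"([\w-]+\.(?:exe|dll))", data, re.I)}

def suspicious_autoruns(entries):
    """entries: iterable of (key, value_name, data) tuples as exported from
    the Run/RunServices keys. Returns the tuples that match Lovgate-V."""
    hits = []
    for key, name, data in entries:
        imgs = _images(data)
        by_pair = any((name.lower(), img) in LOVGATE_AUTORUNS for img in imgs)
        by_dll = bool(imgs & LOVGATE_DLLS)
        if by_pair or by_dll:
            hits.append((key, name, data))
    return hits

# Constructed sample: three worm entries mixed with two benign-looking ones.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSVC = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
SAMPLE = [
    (RUN, "Protected Storage", "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"),
    (RUN, "WinHelp", r"C:\WINDOWS\system32\WinHelp.exe"),
    (RUN, "SoundMan", "SOUNDMAN.EXE"),
    (RUNSVC, "SystemTra", r"C:\WINDOWS\SysTra.EXE"),
    (RUN, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE):
        print("Lovgate-V artifact:", hit)
```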

W32/Lovgate-V spreads by email. Email addresses are harvested from WAB, TXT,
HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system. 

Emails have the following characteristics: 

Subject line: 

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error 

Message text: 

It's the long-awaited film version of the Broadway hit. The message sent as a
binary attachment. 

The message contains Unicode characters and has been sent as a binary
attachment. 

Mail failed. For further assistance, please contact! 

Attached file: 

document
readme
doc
text
file
data
test
message
body 

followed by ZIP, EXE, PIF or SCR. 

W32/Lovgate-V also enables sharing of the Windows media folder and copies
itself there using various filenames. 

The worm also attempts to reply to emails found in the user's inbox using the
following filenames as attachments: 

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe 
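A mail-gateway style check covering both the email characteristics (subject lines, body text, generic attachment names with an executable extension) and the double-extension reply attachments listed above. Example added here, not Sophos code; the messages are constructed samples and the inner-extension list is an assumption generalised from the filenames on the page:

```python
"""Classify a message against the W32/Lovgate-V email indicators from the
Sophos description. Example added here; not Sophos code."""
import re

SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
# "document", "readme", ... followed by ZIP, EXE, PIF or SCR.
GENERIC_ATTACH = re.compile(
    r"^(?:document|readme|doc|text|file|data|test|message|body)"
    r"\.(?:zip|exe|pif|scr)$", re.I)
# Data-looking inner extension hiding an executable one, e.g. "Me_nude.AVI.pif".
# Inner-extension list is an assumption generalised from the advisory's names.
DOUBLE_EXT = re.compile(
    r"\.(?:avi|mp3|rm|zip|rar|doc|txt|jpg)\.(?:exe|pif|scr|com|bat)$", re.I)
BODY_MARKERS = ("sent as a binary attachment", "mail failed. for further assistance")

def lovgate_indicators(subject, body, attachments):
    """Return the list of indicator labels triggered by one message."""
    found = []
    if subject.strip().lower() in SUBJECTS:
        found.append("subject")
    if any(marker in body.lower() for marker in BODY_MARKERS):
        found.append("body")
    for name in attachments:
        if GENERIC_ATTACH.match(name):
            found.append("attachment:" + name)
        elif DOUBLE_EXT.search(name):
            found.append("double-ext:" + name)
    return found

def is_lovgate_like(subject, body, attachments):
    """A spoofed double extension is enough on its own; a generic executable
    attachment needs one more indicator so a bare 'hi' is not quarantined."""
    found = lovgate_indicators(subject, body, attachments)
    if any(f.startswith("double-ext:") for f in found):
        return True
    has_generic = any(f.startswith("attachment:") for f in found)
    return has_generic and len(found) >= 2

SAMPLES = [  # constructed messages: (subject, body, attachment names)
    ("Mail Transaction Failed",
     "The message contains Unicode characters and has been sent as a binary attachment.",
     ["message.zip"]),
    ("Re: lunch", "see attached", ["Me_nude.AVI.pif"]),   # reply-style spread
    ("hi", "are you coming tonight?", ["agenda.pdf"]),    # benign
]

if __name__ == "__main__":
    for subj, body, atts in SAMPLES:
        print(subj, "->", is_lovgate_like(subj, body, atts), lovgate_indicators(subj, body, atts))
```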

The worm attempts to spread by copying itself to mounted shares using one of
the following filenames: 

mmc.exe
xcopy.exe
winhlp32.exe
i386.exe
client.exe
findpass.exe
autoexec.bat
MSDN.ZIP.pif
Cain.pif
WindowsUpdate.pif
Support Tools.exe
Windows Media Player.zip.exe
Microsoft Office.exe
Documents and Settings.txt.exe
Internet Explorer.bat
WinRAR.exe 

W32/Lovgate-V also attempts to spread via weakly protected remote shares by
connecting using a password from an internal dictionary and copying itself
as the file NetManager.exe to the system folder on the admin$ share. 

After successfully copying the file W32/Lovgate-V attempts to start it as
the service "Windows Managment Network Service Extensions" on the remote
computer. 

W32/Lovgate-V starts a logging thread that listens on port 6000, sends a
notification email to an external address and logs received data to the file
C:\Netlog.txt. 

W32/Lovgate-V attempts to terminate processes containing the following
strings: 

rising
SkyNet
Symantec
McAfee
Gate
Rfw.exe
RavMon.exe
kill
Nav
Duba
KAV
KV 

W32/Lovgate-V also overwrites EXE files on the system with copies of itself.
The original files are saved with a ZMX extension. 
 
 
Download the IDE file from:
http://www.sophos.com/downloads/ide/lovgatev.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
