W32.Lovegate virus - current information
A new virus alert was issued on September 21st 2003. This Lovegate virus variant (W32.HLLW.Lovgate@mm, WORM_LOVGATE.O, Win32.Lovgate) is a mass-mailing worm. The original Lovegate mass-mailing worm made its appearance on 2-23-2003. This virus has a few unique twists: it sends a virus-infected reply to all the new messages found in the user's inbox in Outlook and Outlook Express.

Aliases: W32.HLLW.Lovgate@mm, Win32.Lovgate, Win32.HLLM.Lovgate, Lovgate.N, I-Worm.Lovgate.n, WORM_LOVGATE.O, I-Worm.LovGate.i, PE_LOVGATE.M-O, W32.HLLW.Lovgate.L@mm, W32/Lovgate.l@M, Win32/Lovgate.L1
Route of Infection: The Lovegate virus can spread through a network quickly, making it a danger for business computers and networked home computers. Win32.Lovgate propagates via email and network shares. Lovegate also has backdoor capabilities, which allow a remote malicious user to access and control the system, leaving it seriously compromised. In a network environment, the Lovegate virus copies itself to shared folders. If those folders are password protected, it cycles through many commonly used passwords to try to gain access. This is another reason to use strong alphanumeric passwords that do not contain common dictionary words.
Most devastating, however, is this virus's backdoor capability: it opens a TCP communications port on the infected computer, which leaves the computer vulnerable to remote attacks. In some cases, personal information has been found to be sent to a China-based Web portal.
Win32.Lovgate gets its target email recipients from *.HT* files found on the infected system and uses its own SMTP (Simple Mail Transfer Protocol) engine for its mass-mailing routine. The email that it sends out may be any of the following:
Subject: Roms
Message Body: Test this ROM! IT ROCKS!.
Attachment: Roms.exe

Subject: Documents
Message Body: Send me your comments...
Attachment: Docs.exe

Subject: Evaluation copy
Message Body: Test it 30 days for free.
Attachment: Setup.exe

Subject: Pr0n!
Message Body: Adult content!!! Use with parental advisory.
Attachment: Sex.exe

Subject: Beta
Message Body: Send reply if you want to be official beta tester.
Attachment: _SetupB.exe

Subject: Do not release
Message Body: This is the pack ;)
Attachment: Pack.exe

Subject: Help
Message Body: I'm going crazy... please try to find the bug!
Attachment: Source.exe

Subject: Last Update
Message Body: This is the last cumulative update.
Attachment: LUPdate.exe

Subject: Cracks!
Message Body: Check our list and mail your requests!
Attachment: CrkList.exe

Subject: The patch
Message Body: I think all will work fine.
Attachment: Patch.exe
Detection: Win32.Lovgate employs autorun techniques, such as modification of the WIN.INI file and the registry, to enable its automatic execution at system startup.

This malware runs on Windows 95, 98, ME, 2000, NT, and XP. Its presence on the system is indicated by the existence of the following files in the default Windows directory:
- WinRpcsrv.exe
- syshelp.exe
- winrpc.exe
- WinGate.exe
- rpcsrv.exe
Also check the system folder for the presence of the following files:
- IEXPLORE.EXE
- KERNEL66.DLL
- RAVMOND.EXE
- WINEXE.EXE
- WinDriver.exe
- WinGate.exe
- WinHelp.exe
The following additional files are created by the worm to complete its work:
- WIN32VXD.DLL (32,768 bytes, DLL used by the worm to install a Windows hook, identical to the one carried by Lovgate.L)
- DRWTSN16.EXE (49,152 bytes, infects files with Lovgate.N, identical to the one carried by Lovgate.L)
- WIN32.TMP (temporary file created by the worm when infecting files)
This worm modifies the WIN.INI file and replaces the default value of the relevant registry keys so that the worm is invoked whenever the user runs any executable file.
Please note that many of the Lovegate variants try to disable a number of virus detection and protection programs. The worm attempts to terminate processes with the following strings in the module name:
- KV
- KAV
- Duba
- NAV
- kill
- RavMon.exe
- Rfw.exe
- Gate
- McAfee
- Symantec
- SkyNet
- rising
Disinfection: Check out these websites for disinfection instructions. These are the sites I used to disinfect some friends' computers:
- Computer Associates
- McAfee
Steps:
1) Download one of the above tools from another, uninfected computer.
2) Copy the file onto your computer in the Windows directory.
3) Restart your computer in safe mode.
4) Run the virus removal program.
To start Windows 2000 in Safe mode:
1. If the computer is running, shut down Windows and then
turn off the power.
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar
at the bottom of the screen, start tapping the F8 key. The
Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most
cases, it is the first item in the list and is selected by
default. (If it is not selected, use the arrow keys to select
it.)
5. Press Enter. The computer will start in Safe mode. This
can take a few minutes.
6. When you are finished with all troubleshooting, close
all programs and restart the computer as you normally would.
PLEASE NOTE: Recent outbreaks of computer viruses (technically, worms) have arrived as attachments to emails that appear to come from someone you know or appear to be undeliverable-message notices. Use extra caution when opening email attachments. Any email from SlickRock will only contain attachments with the extensions .rtf, .htm or .pdf. Any files with the extensions .exe, .bat, .scr, .vbs or .pif appearing to be from us should be deleted immediately. If you are ever uncertain about the validity of an email, please call us.