LovGate.AG is a worm that spreads in e-mails, local and peer-to-peer networks. Additionally this worm drops a backdoor to an infected system.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
For more general information on disinfection, please see Removal Instructions.
For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.
Installation into the System
When the worm is run, it creates copies of itself in the system using the following names:
- %windir%\system32\kernel66.dll (with hidden, system and read-only attribute)
In addition to this, it drops copies of itself to all available root drives using the filename, cdrom.com. Along with this, an AUTORUN.INF file is created to automatically execute the worm when the root drive is mounted.
This worm drops copies of its backdoor component using these filenames:
Creating Registry Keys
These registries are created by the malware to enable its automatic execution:
- [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]"run" = "RAVMOND.EXE"
- [HKLM\Software\Microsoft\Windows\CurrentVersion\runServices]"SystemTra" = "%windir%\CdPlay.EXE"
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"WinHelp" = "%windir%\system32\TkBellExe.exe"
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Hardware Profile" = "%windir%\system32\hxdef.exe"
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"Microsoft Associates, Inc." = "iexplorer.exe"
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"VFW Encoder/Decoder Settings" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"Program In Windows" = "%windir%\system32\IEXPLORE.EXE"
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Shell Extension" = "%windir%\system32\spollsv.exe"
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"Protected Storage" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
- [HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)]"ImagePath" = "Rundll32.exe msjdbc11.dll ondll_server"
- [HKLM\System\CurrentControlSet\Services\_reg]"ImagePath" = "Rundll32.exe msjdbc11.dll ondll_server"
Spreading via Network
It drops copies of itself as the following in network-shared directories:
- Documents and Settings.txt.exe
- Internet Explorer.bat
- Microsoft Office.exe
- Support Tools.exe
- Windows Media Player.zip.exe
The worm is able to spread itself to the local network. It enumerates network shares and attempts to connect to the admin$ share using the following passwords:
Once successfully connected, it proceeds to copy itself to the Windows System directory of the remote computer as NetManager.exe. This file is loaded as a remote service named "Windows Management NetWork Service Extensions".It shares the %windir%\media directory of an infected computer to everyone as MEDIA.
Spreading via E-mail
The worm spreads as an attachment to e-mail messages. It uses two methods when spreading - composing its own messages and replying to messages that are received by a user of an infected computer.Before spreading, the worm looks for victims' e-mail addresses. It opens Windows Address Book and searches e-mail addresses there. Additionally the worm scans files with the following extensions on local hard drives and ram disks:
The worm ignores e-mail addresses if they contain any of the following:
The worm sends messages with variable subject and body text and variable attachment name.The subject of an infected message can be one of the following:
- Mail Delivery System
- Mail Transaction Failed
- Server Report
The message body can be empty or can contain one of the following:
- It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
- Mail failed. For further assistance, please contact!
- The message contains Unicode characters and has been sent as a binary attachment.
The attachment name is selected from one of the following variants:
The attachment extension can be one of the following:
The worm can fake the sender's e-mail address. The fake user name is selected from the following variants:
The domain name is selected from these variants:
The alternative way of spreading of the worm makes use of MAPI. The worm logs in, reads e-mail messages through MAPI interface and replies to them with the following:
- Britney spears nude.exe.txt.exe
- Deutsch BloodPatch!.exe
- dreamweaver MX (crack).exe
- DSL Modem Uncapper.rar.exe
- How to Crack all gamez.exe
- I am For u.doc.exe
- Industry Giant II.exe
- Macromedia Flash.scr
- Sex in Office.rm.scr
- StarWars2 - CloneAttack.rm.scr
- the hardcore game-.pif
The worm doesn't use any tricks to make its attachment run automatically on recipients' computers. Only when a recipient runs an infected attachment does his computer becomes infected with the worm.
Spreading via Kazaa File Sharing Network
The worm spreads to the Kazaa file sharing network. It locates a shared folder of Kazaa and copies itself there with one of the following names:
The extension for the copied file is selected from the following variants:
This worm terminates several security-related processes and services such as:
- Rising Realtime Monitor Service
- Symantec AntiVirus Client
- Symantec AntiVirus Server