F-Secure
Tools
Email-Worm:W32/LovGate.AG
Summary
LovGate.AG is a worm that spreads in e-mails, local and peer-to-peer networks. Additionally this worm drops a backdoor to an infected system.
Disinfection
Disinfection of Network Worms
A network worm uses local network (LAN) to spread itsself, so to stop its spreading it is advised to temporarily take down a network until all workstations and servers are disinfected. A single infected workstation can re-infect already cleaned computers and ruin all previous disinfection attempts. However if F-Secure Anti-Virus version 5.40 or a later version is installed on computers connected to a local network, it is recommended to set disinfection action of the On-Access Scanner (OAS) to 'Disinfect Automatically'. Such action will allow to protect already cleaned workstations connected to an infected network from further re-infection by a network worm.
For instructions on how to eliminate an outbreak of a network worm please visit this page:
http://www.f-secure.com/v-descs/netdisinf.shtml
Automatic Disinfection
Usually standalone malware (backdoors, worms, trojans, etc.) is automatically removed by F-Secure Anti-Virus (FSAV) starting from version 5.40. Malware files get automatically renamed by FSAV, so they can not be started any more. In some rare cases, when automatic disinfection is not possible, a user can select disinfection action by him/herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our webshop or from our authorised distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
To manually disinfect standalone malware (backdoors, worms, trojans, etc.) it's usually enough to delete all infected files from a computer and to restart it. Active malware files are usually locked by operating system so different disinfection approaches are required for different operating systems.
Please note that manual disinfection is a risky process, so it is recommended only for advanced users.
If Windows 95, 98 and ME operating system is used, it is recommended to restart a computer from a bootable system diskette and to delete an infected file from command prompt. For example if a malicious file named ABC.EXE is located in Windows folder, it is usually enough to type the following command at command prompt:
DEL C:\WINDOWS\ABC.EXE
and to press Enter. After that an infected file will be gone. If Windows NT, 2000 or XP is used, a malicious file has to be renamed with a different extension (for example .VIR) and then a system has to be restarted. After restart a renamed malicious file will no longer be active and it can be easily deleted manually.
Malware Disinfection Tools
F-Secure provides disinfection tools for certain malware. These tools can be downloaded from this webpage:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
Windows System Restore Issues
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copy it back to a hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issue occurs.
Failed Disinfection
In some cases F-Secure Anti-Virus might not disinfect a system automatically. In this case please visit our Support pages:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/
A network worm uses local network (LAN) to spread itsself, so to stop its spreading it is advised to temporarily take down a network until all workstations and servers are disinfected. A single infected workstation can re-infect already cleaned computers and ruin all previous disinfection attempts. However if F-Secure Anti-Virus version 5.40 or a later version is installed on computers connected to a local network, it is recommended to set disinfection action of the On-Access Scanner (OAS) to 'Disinfect Automatically'. Such action will allow to protect already cleaned workstations connected to an infected network from further re-infection by a network worm.
For instructions on how to eliminate an outbreak of a network worm please visit this page:
http://www.f-secure.com/v-descs/netdisinf.shtml
Automatic Disinfection
Usually standalone malware (backdoors, worms, trojans, etc.) is automatically removed by F-Secure Anti-Virus (FSAV) starting from version 5.40. Malware files get automatically renamed by FSAV, so they can not be started any more. In some rare cases, when automatic disinfection is not possible, a user can select disinfection action by him/herself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our webshop or from our authorised distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
To manually disinfect standalone malware (backdoors, worms, trojans, etc.) it's usually enough to delete all infected files from a computer and to restart it. Active malware files are usually locked by operating system so different disinfection approaches are required for different operating systems.
Please note that manual disinfection is a risky process, so it is recommended only for advanced users.
If Windows 95, 98 and ME operating system is used, it is recommended to restart a computer from a bootable system diskette and to delete an infected file from command prompt. For example if a malicious file named ABC.EXE is located in Windows folder, it is usually enough to type the following command at command prompt:
DEL C:\WINDOWS\ABC.EXE
and to press Enter. After that an infected file will be gone. If Windows NT, 2000 or XP is used, a malicious file has to be renamed with a different extension (for example .VIR) and then a system has to be restarted. After restart a renamed malicious file will no longer be active and it can be easily deleted manually.
Malware Disinfection Tools
F-Secure provides disinfection tools for certain malware. These tools can be downloaded from this webpage:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
Windows System Restore Issues
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that System Restore feature of these operating systems might save an infected file into the special folder and copy it back to a hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issue occurs.
Failed Disinfection
In some cases F-Secure Anti-Virus might not disinfect a system automatically. In this case please visit our Support pages:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/
Additional Details
Installation into the System
When the worm is run, it creates copies of itself in the system using the following names:
In addition to this, it drops copies of itself to all available root drives using the filename, cdrom.com. Along with this, an AUTORUN.INF file is created to automatically execute the worm when the root drive is mounted.
This worm drops copies of its backdoor component using these filenames:
Creating Registry Keys
These registries are created by the malware to enable its automatic execution:
Spreading via Network
It drops copies of itself as the following in network-shared directories:
The worm is able to spread itself to the local network. It enumerates network shares and attempts to connect to the admin$ share using the following passwords:
Once successfully connected, it proceeds to copy itself to the Windows System directory of the remote computer as NetManager.exe. This file is loaded as a remote service named "Windows Management NetWork Service Extensions".
It shares the %windir%\media directory of an infected computer to everyone as MEDIA.
Spreading via E-mail
The worm spreads as an attachment to e-mail messages. It uses two methods when spreading - composing its own messages and replying to messages that are received by a user of an infected computer.
Before spreading, the worm looks for victims' e-mail addresses. It opens Windows Address Book and searches e-mail addresses there. Additionally the worm scans files with the following extensions on local hard drives and ram disks:
The worm ignores e-mail addresses if they contain any of the following:
The worm sends messages with variable subject and body text and variable attachment name.
The subject of an infected message can be one of the following:
The message body can be empty or can contain one of the following:
The attachment name is selected from one of the following variants:
The attachment extension can be one of the following:
The worm can fake the sender's e-mail address. The fake user name is selected from the following variants:
The domain name is selected from these variants:
The alternative way of spreading of the worm makes use of MAPI. The worm logs in, reads e-mail messages through MAPI interface and replies to them with the following:
The worm doesn't use any tricks to make its attachment run automatically on recipients' computers. Only when a recipient runs an infected attachment does his computer becomes infected with the worm.
Spreading via Kazaa File Sharing Network
The worm spreads to the Kazaa file sharing network. It locates a shared folder of Kazaa and copies itself there with one of the following names:
The extension for the copied file is selected from the following variants:
Payload
This worm terminates several security-related processes and services such as:
When the worm is run, it creates copies of itself in the system using the following names:
- %windir%\system32\TkBellExe.exe
- %windir%\system32\hxdef.exe
- %windir%\system32\IEXPLORE.EXE
- %windir%\system32\kernel66.dll (with hidden, system and read-only attribute)
- %windir%\system32\RAVMOND.exe
- %windir%\system32\Update_OB.exe
- %windir%\CdPlay.EXE
- %windir%\Exploier.exe
In addition to this, it drops copies of itself to all available root drives using the filename, cdrom.com. Along with this, an AUTORUN.INF file is created to automatically execute the worm when the root drive is mounted.
This worm drops copies of its backdoor component using these filenames:
- %windir%\system32\MSSIGN30.DLL
- %windir%\system32\ODBC16.dll
- %windir%\system32\msjdbc11.dll
Creating Registry Keys
These registries are created by the malware to enable its automatic execution:
- [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run" = "RAVMOND.EXE" - [HKLM\Software\Microsoft\Windows\CurrentVersion\runServices]
"SystemTra" = "%windir%\CdPlay.EXE" - [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp" = "%windir%\system32\TkBellExe.exe" - [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile" = "%windir%\system32\hxdef.exe" - [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Associates, Inc." = "iexplorer.exe" - [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"VFW Encoder/Decoder Settings" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg" - [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows" = "%windir%\system32\IEXPLORE.EXE" - [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shell Extension" = "%windir%\system32\spollsv.exe" - [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Protected Storage" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg" - [HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)]
"ImagePath" = "Rundll32.exe msjdbc11.dll ondll_server" - [HKLM\System\CurrentControlSet\Services\_reg]
"ImagePath" = "Rundll32.exe msjdbc11.dll ondll_server"
Spreading via Network
It drops copies of itself as the following in network-shared directories:
- autoexec.bat
- Cain.pif
- client.exe
- Documents and Settings.txt.exe
- findpass.exe
- i386.exe
- Internet Explorer.bat
- Microsoft Office.exe
- mmc.exe
- MSDN.ZIP.pif
- Support Tools.exe
- Windows Media Player.zip.exe
- WindowsUpdate.pif
- winhlp32.exe
- WinRAR.exe
- xcopy.exe
The worm is able to spread itself to the local network. It enumerates network shares and attempts to connect to the admin$ share using the following passwords:
- 123
- 321
- 123456
- 654321
- guest
- administrator
- admin
- 111111
- 666666
- 888888
- abc
- abcdef
- abcdefg
- 12345678
- abc123
- root
- 1
- 111
- 1234
- !@#$
- asdf
- asdfgh
- !@#$%
- !@#$%^
- !@#$%^&
- !@#$%^&*
- sql
- server
- passwd
- password
- 12345
- 54321
- pass
- 0
- 000000
- 00000000
- 007
- 110
- 11111111
- 12
- 121212
- 123123
- 1234567
- 123456789
- 123abc
- 123asd
- 2002
- 2003
- 2600
- 88888888
- a
- aaa
- abcd
- Admin
- admin123
- alpha
- computer
- database
- enable
- god
- godblessyou
- home
- Internet
- Login
- login
- love
- mypass
- mypass123
- mypc
- mypc123
- oracle
- owner
- Password
- pc
- pw
- pw123
- pwd
- secret
- sex
- super
- sybase
- temp
- temp123
- test
- test123
- win
- xp
- xxx
- yxcv
- zxcv
- Administrator
- Guest
Once successfully connected, it proceeds to copy itself to the Windows System directory of the remote computer as NetManager.exe. This file is loaded as a remote service named "Windows Management NetWork Service Extensions".
It shares the %windir%\media directory of an infected computer to everyone as MEDIA.
Spreading via E-mail
The worm spreads as an attachment to e-mail messages. It uses two methods when spreading - composing its own messages and replying to messages that are received by a user of an infected computer.
Before spreading, the worm looks for victims' e-mail addresses. It opens Windows Address Book and searches e-mail addresses there. Additionally the worm scans files with the following extensions on local hard drives and ram disks:
- .adb
- .asp
- .dbx
- .htm
- .php
- .sht
- .tbb
- .wab
The worm ignores e-mail addresses if they contain any of the following:
- .gov
- .mil
- abuse
- accoun
- acketst
- anyone
- arin.
- avp
- be_loyal:
- berkeley
- borlan
- bsd
- bugs
- certific
- contact
- example
- fcnz
- feste
- fido
- foo.
- fsf.
- gnu
- gold-certs
- gov.
- help
- hotmail
- iana
- ibm.com
- icrosof
- icrosoft
- ietf
- info
- inpris
- isc.o
- isi.e
- kernel
- linux
- listserv
- math
- mit.e
- mozilla
- msn.
- mydomai
- nobody
- nodomai
- noone
- not
- nothing
- ntivi
- page
- panda
- pgp
- postmaster
- privacy
- rating
- rfc-ed
- ripe.
- ruslis
- samples
- secur
- sendmail
- service
- site
- soft
- somebody
- someone
- sopho
- spm
- submit
- support
- syma
- tanford.e
- the.bat
- unix
- usenet
- utgers.ed
- webmaster
- www
- you
- your
The worm sends messages with variable subject and body text and variable attachment name.
The subject of an infected message can be one of the following:
- Error
- Hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
The message body can be empty or can contain one of the following:
- It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
- Mail failed. For further assistance, please contact!
- The message contains Unicode characters and has been sent as a binary attachment.
The attachment name is selected from one of the following variants:
- body
- data
- doc
- document
- file
- message
- readme
- test
- text
The attachment extension can be one of the following:
- .bat
- .cmd
- .exe
- .pif
- .scr
The worm can fake the sender's e-mail address. The fake user name is selected from the following variants:
- adam
- alex
- alice
- andrew
- anna
- bill
- bob
- brenda
- brent
- brian
- claudia
- dan
- dave
- david
- debby
- fred
- george
- helen
- jack
- james
- jane
- jerry
- jim
- jimmy
- joe
- john
- jose
- julie
- kevin
- leo
- linda
- maria
- mary
- matt
- michael
- mike
- peter
- ray
- robert
- sam
- sandra
- serg
- smith
- stan
- steve
- ted
- tom
The domain name is selected from these variants:
- aol.com
- hotmal.com
- msn.com
- yahoo.com
The alternative way of spreading of the worm makes use of MAPI. The worm logs in, reads e-mail messages through MAPI interface and replies to them with the following:
- Britney spears nude.exe.txt.exe
- Deutsch BloodPatch!.exe
- dreamweaver MX (crack).exe
- DSL Modem Uncapper.rar.exe
- How to Crack all gamez.exe
- I am For u.doc.exe
- Industry Giant II.exe
- joke.pif
- Macromedia Flash.scr
- Me_nude.AVI.pif
- s3msong.MP3.pif
- SETUP.EXE
- Sex in Office.rm.scr
- Shakira.zip.exe
- StarWars2 - CloneAttack.rm.scr
- the hardcore game-.pif
The worm doesn't use any tricks to make its attachment run automatically on recipients' computers. Only when a recipient runs an infected attachment does his computer becomes infected with the worm.
Spreading via Kazaa File Sharing Network
The worm spreads to the Kazaa file sharing network. It locates a shared folder of Kazaa and copies itself there with one of the following names:
- BlackIcePCPSetup_creak
- HEROSOFT
- orcard_original_creak
- Passware5.3
- rainbowcrack-1.1-win
- REALONE
- setup
- W32Dasm
- word_pass_creak
- wrar320sc
The extension for the copied file is selected from the following variants:
- .bat
- .exe
- .pif
- .scr
Payload
This worm terminates several security-related processes and services such as:
- MCAFEE
- RAVMON.EXE
- RFW.EXE
- RISING
- Rising Realtime Monitor Service
- SKYNET
- SYMANTEC
- Symantec AntiVirus Client
- Symantec AntiVirus Server