Threat Description

Email-Worm:​W32/LovGate.AG

Details

Aliases:Email-Worm:​W32/LovGate.AG, Email-Worm:​W32/LovGate.AG
Category:Malware
Type:Email-Worm
Platform:W32

Summary



LovGate.AG is a worm that spreads in e-mails, local and peer-to-peer networks. Additionally this worm drops a backdoor to an infected system.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

For more general information on disinfection, please see Removal Instructions.

Network Disinfection

For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.



Technical Details



Installation into the System

When the worm is run, it creates copies of itself in the system using the following names:

  • %windir%\system32\TkBellExe.exe
  • %windir%\system32\hxdef.exe
  • %windir%\system32\IEXPLORE.EXE
  • %windir%\system32\kernel66.dll (with hidden, system and read-only attribute)
  • %windir%\system32\RAVMOND.exe
  • %windir%\system32\Update_OB.exe
  • %windir%\CdPlay.EXE
  • %windir%\Exploier.exe

In addition to this, it drops copies of itself to all available root drives using the filename, cdrom.com. Along with this, an AUTORUN.INF file is created to automatically execute the worm when the root drive is mounted.

This worm drops copies of its backdoor component using these filenames:

  • %windir%\system32\MSSIGN30.DLL
  • %windir%\system32\ODBC16.dll
  • %windir%\system32\msjdbc11.dll

Creating Registry Keys

These registries are created by the malware to enable its automatic execution:

  • [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]"run" = "RAVMOND.EXE"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\runServices]"SystemTra" = "%windir%\CdPlay.EXE"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"WinHelp" = "%windir%\system32\TkBellExe.exe"
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Hardware Profile" = "%windir%\system32\hxdef.exe"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"Microsoft Associates, Inc." = "iexplorer.exe"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"VFW Encoder/Decoder Settings" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"Program In Windows" = "%windir%\system32\IEXPLORE.EXE"
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Shell Extension" = "%windir%\system32\spollsv.exe"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"Protected Storage" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
  • [HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)]"ImagePath" = "Rundll32.exe msjdbc11.dll ondll_server"
  • [HKLM\System\CurrentControlSet\Services\_reg]"ImagePath" = "Rundll32.exe msjdbc11.dll ondll_server"

Spreading via Network

It drops copies of itself as the following in network-shared directories:

  • autoexec.bat
  • Cain.pif
  • client.exe
  • Documents and Settings.txt.exe
  • findpass.exe
  • i386.exe
  • Internet Explorer.bat
  • Microsoft Office.exe
  • mmc.exe
  • MSDN.ZIP.pif
  • Support Tools.exe
  • Windows Media Player.zip.exe
  • WindowsUpdate.pif
  • winhlp32.exe
  • WinRAR.exe
  • xcopy.exe

The worm is able to spread itself to the local network. It enumerates network shares and attempts to connect to the admin$ share using the following passwords:

  • 123
  • 321
  • 123456
  • 654321
  • guest
  • administrator
  • admin
  • 111111
  • 666666
  • 888888
  • abc
  • abcdef
  • abcdefg
  • 12345678
  • abc123
  • root
  • 1
  • 111
  • 1234
  • !@#$
  • asdf
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • sql
  • server
  • passwd
  • password
  • 12345
  • 54321
  • pass
  • 0
  • 000000
  • 00000000
  • 007
  • 110
  • 11111111
  • 12
  • 121212
  • 123123
  • 1234567
  • 123456789
  • 123abc
  • 123asd
  • 2002
  • 2003
  • 2600
  • 88888888
  • a
  • aaa
  • abcd
  • Admin
  • admin123
  • alpha
  • computer
  • database
  • enable
  • god
  • godblessyou
  • home
  • Internet
  • Login
  • login
  • love
  • mypass
  • mypass123
  • mypc
  • mypc123
  • oracle
  • owner
  • Password
  • pc
  • pw
  • pw123
  • pwd
  • secret
  • sex
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv
  • Administrator
  • Guest

Once successfully connected, it proceeds to copy itself to the Windows System directory of the remote computer as NetManager.exe. This file is loaded as a remote service named "Windows Management NetWork Service Extensions".It shares the %windir%\media directory of an infected computer to everyone as MEDIA.

Spreading via E-mail

The worm spreads as an attachment to e-mail messages. It uses two methods when spreading - composing its own messages and replying to messages that are received by a user of an infected computer.Before spreading, the worm looks for victims' e-mail addresses. It opens Windows Address Book and searches e-mail addresses there. Additionally the worm scans files with the following extensions on local hard drives and ram disks:

  • .adb
  • .asp
  • .dbx
  • .htm
  • .php
  • .sht
  • .tbb
  • .wab

The worm ignores e-mail addresses if they contain any of the following:

  • .gov
  • .mil
  • abuse
  • accoun
  • acketst
  • anyone
  • arin.
  • avp
  • be_loyal:
  • berkeley
  • borlan
  • bsd
  • bugs
  • certific
  • contact
  • example
  • fcnz
  • feste
  • fido
  • foo.
  • fsf.
  • gnu
  • gold-certs
  • google
  • gov.
  • help
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • icrosoft
  • ietf
  • info
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • listserv
  • math
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • ntivi
  • page
  • panda
  • pgp
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • site
  • soft
  • somebody
  • someone
  • sopho
  • spm
  • submit
  • support
  • syma
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • webmaster
  • www
  • you
  • your

The worm sends messages with variable subject and body text and variable attachment name.The subject of an infected message can be one of the following:

  • Error
  • Hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status

The message body can be empty or can contain one of the following:

  • It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
  • Mail failed. For further assistance, please contact!
  • The message contains Unicode characters and has been sent as a binary attachment.

The attachment name is selected from one of the following variants:

  • body
  • data
  • doc
  • document
  • file
  • message
  • readme
  • test
  • text

The attachment extension can be one of the following:

  • .bat
  • .cmd
  • .exe
  • .pif
  • .scr

The worm can fake the sender's e-mail address. The fake user name is selected from the following variants:

  • adam
  • alex
  • alice
  • andrew
  • anna
  • bill
  • bob
  • brenda
  • brent
  • brian
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

The domain name is selected from these variants:

  • aol.com
  • hotmal.com
  • msn.com
  • yahoo.com

The alternative way of spreading of the worm makes use of MAPI. The worm logs in, reads e-mail messages through MAPI interface and replies to them with the following:

  • Britney spears nude.exe.txt.exe
  • Deutsch BloodPatch!.exe
  • dreamweaver MX (crack).exe
  • DSL Modem Uncapper.rar.exe
  • How to Crack all gamez.exe
  • I am For u.doc.exe
  • Industry Giant II.exe
  • joke.pif
  • Macromedia Flash.scr
  • Me_nude.AVI.pif
  • s3msong.MP3.pif
  • SETUP.EXE
  • Sex in Office.rm.scr
  • Shakira.zip.exe
  • StarWars2 - CloneAttack.rm.scr
  • the hardcore game-.pif

The worm doesn't use any tricks to make its attachment run automatically on recipients' computers. Only when a recipient runs an infected attachment does his computer becomes infected with the worm.

Spreading via Kazaa File Sharing Network

The worm spreads to the Kazaa file sharing network. It locates a shared folder of Kazaa and copies itself there with one of the following names:

  • BlackIcePCPSetup_creak
  • HEROSOFT
  • orcard_original_creak
  • Passware5.3
  • rainbowcrack-1.1-win
  • REALONE
  • setup
  • W32Dasm
  • word_pass_creak
  • wrar320sc

The extension for the copied file is selected from the following variants:

  • .bat
  • .exe
  • .pif
  • .scr

Payload

This worm terminates several security-related processes and services such as:

  • MCAFEE
  • RAVMON.EXE
  • RFW.EXE
  • RISING
  • Rising Realtime Monitor Service
  • SKYNET
  • SYMANTEC
  • Symantec AntiVirus Client
  • Symantec AntiVirus Server





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More