UPDATE (2003-05-13)
Three new Lovgate variants, known as Lovgate.I, Lovgate.J and
Lovgate.K, were found on May 13th, 2003. These are similar to the
older Lovgate variants but, in addition, they infect executable
files. For more information see the bottom of the description.
UPDATE (2003-03-27 12:50 GMT)
F-Secure is upgrading Lovgate.F to level 2 because of the
increased number of infections. Lovgate.F is an e-mail and
network worm with backdoor capabilities. It attempts to gain
remote access using a longer list of passwords than previous
variants.
UPDATE (2003-03-25 13:30 GMT)
A new variant of the Lovgate worm, Lovgate.G, was found on the 25th
of March 2003. For more information see the bottom of the
description.
UPDATE (2003-03-24 13:30 GMT)
A new variant of the Lovgate worm, Lovgate.F, was found on the 24th
of March 2003. For more information see the bottom of the
description.
UPDATE (2003-02-24 10:30 GMT)
A new variant of the Lovgate worm, Lovgate.C, was found on the 24th
of February 2003. For more information see the bottom of the
description.
Lovgate.B is a mass-mailing and network worm which also has a backdoor
component.
Apart from the mass-mailing functionality, this worm can spread
through Windows shares and steal users' passwords. It also has
backdoor capabilities, listening on port 10168 and allowing the
attacker to perform different actions on the infected machine.
In all of the A, B and C variants, a dropped DLL sets up another copy
of the backdoor on port 1192.
It sends the private information it has gathered to the following addresses:
hello_dll@163.com
hacker117@163.com
The worm has its own SMTP engine and connects to the host
smtp.163.com to deliver its messages. The domain 163.com seems
to be a Chinese web portal.
The worm's executable is packed with ASPack.
Lovgate copies itself to shares and shares' sub-folders with
names such as:
fun.exe
humor.exe
docs.exe
s3msong.exe
midsong.exe
billgt.exe
Card.EXE
SETUP.EXE
searchURL.exe
tamagotxi.exe
hamster.exe
news_doc.exe
PsPGame.exe
joke.exe
images.exe
pics.exe
It tries the following usernames and passwords if the shares are
password-protected:
Usernames:
guest
Administrator
Passwords:
"" (empty password)
"guest"
"123"
"321"
"123456"
"654321"
"administrator"
"admin"
"111111"
"666666"
"888888"
"abc"
"abcdef"
"abcdefg"
"12345678"
"abc123"
If it gains access, it copies itself to a file named "stg.exe"
in the "System32" Windows folder and attempts to run it.
It has key-logging capabilities and stores information it gathers
in the following files:
win32pwd.sys
win32add.sys
Lovgate.B copies itself into the Windows system folder with the
following filenames:
WinGate.exe
WinRpcsrv.exe
syshelp.exe
winrpc.exe
rpcsrv.exe
It creates entries in different configuration files and in the
Windows registry to run those copies:
In the registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
it creates the following entries:
"WinGate initialize" = "%winsysdir%\WinGate.exe -remoteshell"
"syshelp" = "%winsysdir%\syshelp.exe"
"Module Call initialize" = "rundll32.exe reg.dll ondll_reg"
Where '%winsysdir%' stands for Windows' system directory.
It also sets the registry key
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@ = %winsysdir%\winprc.exe "%1"
so the worm executes each time the user double-clicks a text
file. When run this way it also launches Notepad, so nothing is
noticed unless the default editor for text files was something other
than Notepad.
It sets the following entry under the 'Windows' section in the
win.ini file:
[Windows]
Run=rpcsrv.exe
Lovgate.B drops the same DLL under the following names:
%winsysdir%\ily.dll
%winsysdir%\task.dll
%winsysdir%\reg.dll
%winsysdir%\1.dll
This variant also drops the keylogger DLL as:
%winsysdir%\win32vxd.dll
Among other things, those DLLs are in charge of the
keylogging process and of sending data back to the worm's creator.
The worm sends e-mail in two different ways. When it runs it
launches a thread that sends replies to messages found in the
inbox using the Windows MAPI functions. The reply message has
the following body:
I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!
It also searches for *.ht* files and sends messages to the
addresses found inside. Those messages are composed from the
following lists:
Possible filenames of the email attachment are:
Docs.exe
Roms.exe
Sex.exe
Setup.exe
Source.exe
_SetupB.exe
Pack.exe
LUPdate.exe
Patch.exe
CrkList.exe
Possible subjects are:
Documents
Roms
Pr0n!
Evaluation copy
Help
Beta
Do not release
Last Update
The patch
Cracks!
Possible bodies are:
Send me your comments...
Test this ROM! IT ROCKS!.
Adult content!!! Use with parental advisory.
Test it 30 days for free.
I'm going crazy... please try to find the bug!.
Send reply if you want to be official beta tester.
This is the pack ;)
This is the last cumulative update.
I think all will work fine.
Check our list and mail your requests!
Lovgate.B is detected by F-Secure Anti-Virus with database:
Version=2003-02-20_01
The main difference in the A variant is the lack of the automatic
reply to messages found in the inbox. Without it, the variant's
spreading depends on the availability of writable network shares and
of *.ht* files in which to find e-mail addresses.
Apart from that, most of its functionality is analogous to that
of the other known variants.
Lovgate.C appears to have fixed some earlier problems with the
e-mail spreading capabilities of the worm. It keeps the backdoor
component running on the same port, 10168. The B variant dropped
two different DLLs, while this one only drops one (as the A variant
does). It has apparently removed the keylogging component present
in the B variant.
There are no other major differences; it uses the same filenames when
copying itself onto the computer.
Lovgate.C is detected by F-Secure Anti-Virus with database:
Version=2003-02-24_02
This variant, Lovgate.D, is more primitive than the previous ones. When infecting network
shares, it doesn't try to guess passwords.
As with the A variant, it only sends e-mail to addresses it finds in *.ht*
files on the infected computer.
Lovgate.D is detected by F-Secure Anti-Virus with database:
Version=2003-02-24_04
This variant, Lovgate.F, is an improved version. It contains a longer list of passwords to try when
attempting to gain access to shared resources:
"" (empty password)
"123"
"321"
"123456"
"654321"
"guest"
"administrator"
"admin"
"111111"
"666666"
"888888"
"abc"
"abcdef"
"abcdefg"
"12345678"
"abc123"
"root"
"1"
"111"
"1234"
"!@#$"
"asdf"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"sql"
"server"
"passwd"
"password"
"12345"
"54321"
"pass"
"0 "
"000000"
"00000000"
"007"
"110"
"11111111"
"12"
"121212"
"123123"
"1234567"
"123456789"
"123abc"
"123asd"
"2002"
"2003"
"2600"
"88888888"
"a"
"aaa"
"abcd"
"Admin"
"admin123"
"alpha"
"computer"
"database"
"enable"
"god"
"godblessyou"
"home"
"Internet"
"Login"
"login"
"love"
"mypass"
"mypass123"
"mypc"
"mypc123"
"oracle"
"owner"
"Password"
"pc"
"pw"
"pw123"
"pwd"
"secret"
"sex"
"super"
"sybase"
"temp"
"temp123"
"test"
"test123"
"win"
"xp"
"xxx"
"yxcv"
"zxcv"
"Administrator"
"Guest"
It maintains the same basic functionality as previous versions, using the same SMTP server
to send e-mail to its author, as well as using the default Windows mail configuration.
It drops several DLLs into the system, using different names than the previous variants.
It uses the following filenames when sending e-mail through MAPI:
"I am For u.doc.exe"
"Britney spears nude.exe.txt.exe"
"joke.pif"
"DSL Modem Uncapper.rar.exe"
"Industry Giant II.exe"
"StarWars2 - CloneAttack.rm.scr"
"dreamweaver MX (crack).exe"
"Shakira.zip.exe"
"SETUP.EXE"
"Macromedia Flash.scr"
"How to Crack all gamez.exe"
"Me_nude.AVI.pif"
"s3msong.MP3.pif"
"Deutsch BloodPatch!.exe"
"Sex in Office.rm.scr"
"the hardcore game-.pif"
It uses the following filenames when copying itself to shared resources:
"MSN Password Hacker and Stealer.exe"
"SIMS FullDownloader.zip.exe"
"Winrar + crack.exe"
"Star Wars II Movie Full Downloader.exe"
"MoviezChannelsInstaler.exe"
"Age of empires 2 crack.exe"
"CloneCD + crack.exe"
"Sex_For_You_Life.JPG.pif"
"AN-YOU-SUCK-IT.txt.pif"
"100 free essays school.pif"
"Mafia Trainer!!!.exe"
"Panda Titanium Crack.zip.exe"
"How To Hack Websites.exe"
"The world of lovers.txt.exe"
"autoexec.bat"
"Are you looking for Love.doc.exe"
Lovgate.F is detected by F-Secure Anti-Virus with database:
Version=2003-03-24_03
This variant is functionally identical to Lovgate.F.
Lovgate.G is detected by F-Secure Anti-Virus with database:
Version=2003-03-24_03
VARIANT: Lovgate.I, Lovgate.J, Lovgate.K, Lovgate.L
These new versions keep most of the functionality of the older ones,
with several additions. In these versions the file-infecting component
is active; that component was present in the F variant but was
never activated.
The filenames used when spreading through shares, as well as the password
list, are identical to the ones included in the F variant.
It drops components under the following paths:
%winsysdir%\ily668.dll
%winsysdir%\Task688.dll
%winsysdir%\reg678.dll
%winsysdir%\win32vxd.dll
and the infecting part of the Lovgate worm, which was not dropped by
previous variants, is dropped in:
%windowsdir%\DRWTSN16.EXE
where '%winsysdir%' stands for the Windows system directory and '%windowsdir%'
stands for the Windows directory.
The worm creates the following entries in the registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]:
"WinGate initialize" = "%winsysdir%\WinGate.exe -remoteshell"
"Remote Procedure Call Locator" = "rundll32.exe reg678.dll ondll_reg"
and under
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
it adds an entry for the component in charge of infecting other files:
"COM+ Event System" = "DRWTSN16.EXE"
It also sets the registry key
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@ = %winsysdir%\winexe.exe "%1" %*
so the worm will execute each time the user runs an executable file.
This variant tries to terminate several anti-virus processes if it finds
them running on the system.
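The persistence entries described above (the Run and RunServices values, the txtfile and exefile shell\open\command hijacks of the B and I-L variants, and the win.ini Run= line) can be checked offline from a registry export. The script below is an added example, not F-Secure's disinfection tool; it assumes a regedit-style .reg export and a copy of win.ini as plain text, and its sample inputs are constructed.

```python
"""Added example (not F-Secure's tool): flag the Lovgate persistence described above in a .reg export and win.ini."""
import re
# File names the description lists as dropped or registered by the worm (lower-case).
LOVGATE_FILES = {"wingate.exe", "winrpcsrv.exe", "syshelp.exe", "winrpc.exe", "rpcsrv.exe",
                 "reg.dll", "reg678.dll", "drwtsn16.exe", "winprc.exe", "winexe.exe", "stg.exe"}
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}}; .reg backslash escapes are undone, non-string values skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            keys[current][m.group("name") or "@"] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return keys

def find_lovgate_indicators(reg_text, win_ini_text):
    """Return a list of findings; an empty list means no indicator matched."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        k, default = key.lower(), values.get("@", "")
        if k.endswith(AUTORUN_KEYS):
            for name, data in values.items():
                if set(re.findall(r"[\w.]+", data.lower())) & LOVGATE_FILES:
                    hits.append(f"autorun value '{name}' -> {data}")
        elif k.endswith("txtfile\\shell\\open\\command") and "notepad.exe" not in default.lower():
            hits.append(f"txtfile handler hijacked: {default}")  # worm runs on every .txt open
        elif k.endswith("exefile\\shell\\open\\command") and default != '"%1" %*':
            hits.append(f"exefile handler hijacked: {default}")  # worm runs on every .exe launch
    # win.ini: a non-empty run= in the [windows] section is a further autostart.
    section = re.search(r"^\[windows\]\n(.*?)(?=^\[|\Z)", win_ini_text, re.I | re.M | re.S)
    run = re.search(r"^run=(.+)$", section.group(1), re.I | re.M) if section else None
    if run and run.group(1).strip():
        hits.append(f"win.ini Run= entry: {run.group(1).strip()}")
    return hits
# Constructed inputs mirroring the B-variant entries above; not a real system capture.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"Module Call initialize"="rundll32.exe reg.dll ondll_reg"
"Synchronization Manager"="mobsync.exe /logon"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINNT\\System32\\winprc.exe \"%1\""
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=rpcsrv.exe\n[Desktop]\nWallpaper=(None)\n"
```

Calling find_lovgate_indicators(SAMPLE_REG, SAMPLE_WIN_INI) reports the two autorun values, the hijacked txtfile handler and the win.ini entry, while the untouched exefile handler and the legitimate mobsync.exe value stay silent.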
Detection of Lovgate.I, Lovgate.J and Lovgate.K was published in update:
Version=2003-05-13_03
Detection of Lovgate.L was published in update:
Version=2003-05-14_01
This variant, Lovgate.M, retains the functionality of the previous ones. The only changes
lie in the mail composition, where messages are composed from the following
elements:
Subjects are chosen from:
Reply to this!
Let's Laugh
Last Update
for you
Great
Help
Attached one Gift for u..
Hi Dear
See the attachement
And message bodies from:
-For further assistance, please contact!
-Copy of your message, including all the headers is attached.
-This is the last cumulative update.
-Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
-Send reply if you want to be official beta tester.
-This message was created automatically by mail delivery software (Exim).
-It's the long-awaited film version of the Broadway hit. Set in the roaring
20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who
shoots her unfaithful lover (West).
-Adult content!!! Use with parental advisory.
-Patrick Ewing will give Knick fans something to cheer about Friday night.
-Send me your comments...
Attachment names from:
About_Me.txt.pif
driver.exe
Doom3 Preview!!!.exe
enjoy.exe
YOU_are_FAT!.TXT.pif
Source.exe
Interesting.exe
README.TXT.pif
images.pif
Pics.ZIP.scr
The list of passwords, message components (subjects, bodies) and filenames
used when spreading through shares are all as in Lovgate.M.
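A mail gateway can recognise the traits this description gives for the B and M variants' messages: the fixed MAPI auto-reply text, the subject lists, and attachment names that are executables or hide one behind a decoy extension (Me_nude.AVI.pif, README.TXT.pif). The following is an added example, not F-Secure's code; the extension sets are the editor's choice and the message it parses is constructed.

```python
"""Added example (not F-Secure's code): gateway-side check for the Lovgate mail
traits described above.  The message at the bottom is constructed, not a capture."""
import email
from email import policy

EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".bat"}
DECOY_EXT = {".txt", ".doc", ".jpg", ".avi", ".mp3", ".zip", ".rar", ".rm"}
# Subjects the description lists for the B and M variants (lower-case, as the worm spells them).
KNOWN_SUBJECTS = {"documents", "roms", "pr0n!", "evaluation copy", "help", "beta", "do not release",
                  "last update", "the patch", "cracks!", "reply to this!", "let's laugh", "for you",
                  "great", "attached one gift for u..", "hi dear", "see the attachement"}
AUTOREPLY_BODY = "i'll try to reply as soon as possible"  # fixed text of the MAPI auto-reply

def attachment_risk(filename):
    """'executable' for a .exe/.pif/.scr/... name, 'double-extension' when a decoy extension precedes it."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or "." + parts[-1] not in EXEC_EXT:
        return None
    return "double-extension" if len(parts) == 3 and "." + parts[1] in DECOY_EXT else "executable"

def score_message(raw):
    """Return the reasons a raw RFC 822 message looks like Lovgate mail (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if msg["Subject"] and msg["Subject"].strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches Lovgate list")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and AUTOREPLY_BODY in body.get_content().lower():
        reasons.append("MAPI auto-reply text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if risk := attachment_risk(name):
            reasons.append(f"{risk} attachment: {name}")
    return reasons

SAMPLE = """Subject: Re: meeting
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!
--B
Content-Type: application/octet-stream; name="Me_nude.AVI.pif"
Content-Disposition: attachment; filename="Me_nude.AVI.pif"

MZ
--B--
"""
```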
Detection of Lovgate.M was published in update:
Version=2003-06-18_03
Disinfection Tool
F-Secure provides a special tool to disinfect the Lovgate worm. The
tool and the disinfection instructions are available on our ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-lgate.zip
Currently the tool removes Lovgate.A, .B, .C, .D, .F, .G, .H, .I, .J, .K,
and .L worm variants.
[Analysis: Ero Carrera, Katrin Tocheva, Alexey Podrezov; F-Secure Corp; February 24th - September 23rd, 2003]