F-Secure Virus Descriptions : Lovgate.AC
NAME: Lovgate.AC
ALIAS: W32/Lovgate.ab@MM, WORM_LOVGATE.Z, W32/Lovgate-AB
ALIAS: I-Worm.Lovgate.ac, W32/Lovgate.AC@mm
SIZE: 108544
The Lovgate.AC worm was found on May 17th, 2004. The worm spreads via
e-mail, local networks and peer-to-peer networks. Additionally, the
worm drops a backdoor onto an infected system. The backdoor listens
on port 30128.
The worm's file is a PE executable 108544 bytes long packed once
with JDPack and twice with ASPack file compressors. The worm's
file contains a backdoor DLL in its body. The backdoor's size is
53760 bytes.
Installation to system
When the worm's file is run, it installs itself to the system. First
it copies itself as RAVMOND.EXE to the Windows System directory and
then modifies the WIN.INI file to run the worm's executable every
time Windows starts. This does not happen on NT-based systems, as
WIN.INI is not used there.
Then the worm waits for 30 seconds and starts a thread that
periodically copies the worm's file as IEXPLORE.EXE and
KERNEL66.DLL (with hidden, system and read-only attributes) to the
Windows System folder.
Additionally, the worm starts a thread that copies itself as
SYSTRA.EXE to the Windows folder. On remotely infected computers the
worm copies itself as WinHelp.EXE to the Windows System folder and
creates a separate registry key for that file.
Another thread of the worm copies its file to root folders of all
drives with the following names:
Important
WORK
setup
bak
letter
pass
book
email
PassWord
The worm's file is located inside a ZIP or RAR archive and can
have one of the following extensions:
.exe
.com
.pif
.scr
Lovgate.AC worm copies itself as COMMAND.EXE to root folders of
available drives and creates the AUTORUN.INF file that starts the
worm's file when the drive is mounted.
Dropping a backdoor
The worm drops the backdoor into 3 differently named files; the
fourth file is created by the backdoor itself:
MSJDBC11.DLL
MSSIGN30.DLL
ODBC16.DLL
LMMIB20.DLL
The backdoor DLL starts another copy of itself as a service named
"Windows Management Protocol v.0 (experimental)". After this
happens, the backdoor starts to listen on port 30128 for commands
from a remote host.
Creating Registry Keys
Lovgate.AC worm creates startup keys for some of the dropped
files in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows" = "%WinSysDir%\IEXPLORE.EXE"
"VFW Encoder/Decoder Settings" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra" = "%WinDir%\SysTra.EXE"
where %WinDir% represents the Windows folder and %WinSysDir%
represents the Windows System folder.
When the backdoor's DLL file is started, it also creates a
startup key for itself:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Protected Storage" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
Spreading in e-mails
The worm spreads as an attachment to e-mail messages. It uses two
ways of spreading: composing its own messages and replying to
messages received by a user of an infected computer.
Before spreading, the worm looks for victims' e-mail addresses. It
opens the Windows Address Book and searches for e-mail addresses
there. Additionally, the worm scans files with the following
extensions on local hard drives and RAM disks:
.wab
.pl
.adb
.tbb
.dbx
.asp
.php
.sht
.htm
.txt
The worm ignores e-mail addresses if they contain any of the
following:
avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
spm
spam
www
secur
abuse
The worm sends messages with variable subject and body text and
variable attachment name. The subject of an infected message can
be one of the following:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
test
The message body can be empty or can contain one of the
following:
pass
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail failed. For further assistance, please contact!
The attachment name is selected from one of the following
variants:
body
message
test
data
file
text
doc
readme
document
The attachment extension can be one of the following:
.bat
.cmd
.exe
.scr
.pif
The worm can also send itself inside a ZIP archive. In that case
the worm's file inside the archive can have two extensions. The
first extension is selected from the following variants:
.doc
.htm
.txt
The second extension can be:
.pif
.scr
.exe
There can be some space characters inserted before the second
extension.
The worm can fake the sender's e-mail address. The fake user name
is selected from the following variants:
john
john
alex
michael
james
mike
kevin
david
george
sam
andrew
jose
leo
maria
jim
brian
serg
mary
ray
tom
peter
robert
bob
jane
joe
dan
dave
matt
steve
smith
stan
bill
bob
jack
fred
ted
adam
brent
alice
anna
brenda
claudia
debby
helen
jerry
jimmy
julie
linda
sandra
The domain name is selected from these variants:
aol.com
msn.com
yahoo.com
hotmail.com
The alternative way the worm spreads makes use of MAPI. The worm
logs in, reads e-mail messages through the MAPI interface and
replies to them with the following:
'<sender's_name>' wrote:
====
<sender's_domain_name> account
====
<sender's_name> auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
Get your FREE <sender's_domain_name> now!
Re: <subject_of_e-mail>
<original_message_text>
The <sender's_domain_name> can be 'YAHOO.COM Mail' in some cases.
<sender's_name> represents the name of the sender of the original
message, <subject_of_e-mail> represents the subject of the original
message and <original_message_text> stands for the original e-mail
body text.
The attachment to the above described e-mail will have one of the
following names:
I am For u.doc.exe
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif
The worm does not use any tricks to make its attachment run
automatically on recipients' computers. Only when a recipient
runs an infected attachment does his/her computer become infected
with the worm.
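The two message patterns described above (the worm's own composed messages, including the ZIP variant with spaces before the second extension, and the MAPI auto-reply variant) can be matched by a mail gateway or triage script. The following Python is an added example, not F-Secure's code; it assumes a ZIP attachment is presented with its inner file names, and the message dict layout is a constructed one.

```python
import re

# Indicator strings transcribed from the description above.
SUBJECTS = {"Error", "Status", "Server Report", "Mail Transaction Failed",
            "Mail Delivery System", "hello", "hi", "test"}
BODIES = {
    "", "pass",
    "It's the long-awaited film version of the Broadway hit. "
    "The message sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail failed. For further assistance, please contact!",
}
STEMS = "body|message|test|data|file|text|doc|readme|document"
# Direct attachment: <stem>.<bat|cmd|exe|scr|pif>
PLAIN_ATTACH = re.compile(r"^(?:%s)\.(?:bat|cmd|exe|scr|pif)$" % STEMS, re.IGNORECASE)
# File inside an attached ZIP: <stem>.<doc|htm|txt>[optional spaces].<pif|scr|exe>
ZIP_INNER = re.compile(r"^(?:%s)\.(?:doc|htm|txt) *\.(?:pif|scr|exe)$" % STEMS, re.IGNORECASE)
# Fixed attachment names used by the MAPI auto-reply variant.
REPLY_ATTACHMENTS = {
    "I am For u.doc.exe", "Britney spears nude.exe.txt.exe", "joke.pif",
    "DSL Modem Uncapper.rar.exe", "Industry Giant II.exe", "StarWars2 - CloneAttack.rm.scr",
    "dreamweaver MX (crack).exe", "Shakira.zip.exe", "SETUP.EXE", "Macromedia Flash.scr",
    "How to Crack all gamez.exe", "Me_nude.AVI.pif", "s3msong.MP3.pif",
    "Deutsch BloodPatch!.exe", "Sex in Office.rm.scr", "the hardcore game-.pif",
}

def attachment_matches(name, zip_contents=()):
    """True if the attachment name, or a file name inside an attached ZIP, fits the worm's pattern."""
    if PLAIN_ATTACH.match(name):
        return True
    if name.lower().endswith(".zip"):
        # Assumed layout: the caller lists the ZIP's inner file names for us.
        return any(ZIP_INNER.match(inner) for inner in zip_contents)
    return False

def classify_mail(msg):
    """msg is a constructed dict with keys subject, body, attachment and optional zip_contents.
    Returns 'composed', 'reply' or None depending on which Lovgate.AC message pattern it fits."""
    subject = msg.get("subject", "")
    body = msg.get("body", "")
    attachment = msg.get("attachment", "")
    if (subject in SUBJECTS and body.strip() in BODIES
            and attachment_matches(attachment, msg.get("zip_contents", ()))):
        return "composed"
    if (subject.startswith("Re: ") and "auto-reply:" in body
            and attachment in REPLY_ATTACHMENTS):
        return "reply"
    return None
```

Subjects such as "hello" or "test" are common in legitimate mail, so a match should be treated as a triage signal to be confirmed by scanning the attachment rather than as a verdict on its own.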
Spreading to Kazaa file sharing network
The worm spreads to the Kazaa file sharing network. It locates the
Kazaa shared folder and copies itself there with one of the
following names:
setup
W32Dasm
rainbowcrack-1.1-win
orcard_original_creak
HEROSOFT
word_pass_creak
Passware5.3
BlackIcePCPSetup_creak
REALONE
wrar320sc
The extension for the copied file is selected from the following
variants:
.pif
.scr
.exe
.bat
Spreading to local network
The worm spreads itself over the local network. It enumerates
network shares and tries to connect to the admin$ share using the
following passwords:
123
321
123456
654321
guest
administrator
admin
111111
666666
888888
abc
abcdef
abcdefg
12345678
abc123
root
1
111
1234
!@#$
asdf
asdfgh
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
sql
server
passwd
password
12345
54321
pass
0
000000
00000000
007
110
11111111
12
121212
123123
1234567
123456789
123abc
123asd
2002
2003
2600
88888888
a
aaa
abcd
Admin
admin123
alpha
computer
database
enable
god
godblessyou
home
Internet
Login
login
love
mypass
mypass123
mypc
mypc123
oracle
owner
Password
pc
pw
pw123
pwd
secret
sex
super
sybase
temp
temp123
test
test123
win
xp
xxx
yxcv
zxcv
Administrator
Guest
If the worm successfully connects to a share, it copies itself to
the Windows System folder of the remote computer as NetManager.exe
and starts that file as a remote service named "Management NetWork
Service Extensions". After the service is started, the worm starts
its initial spreading cycle by installing itself to the system and
copying its file around.
Also the worm copies itself to all folders of shared drives and
network shares with the following names:
HyperSnap-DX v4.51.01.exe
Adobe Photoshop6.0.zip.exe
HyperSnap-DX v5.20.01.exe
Star Wars Downloader.exe
Real-DRAW PRO v3.10.exe
WinZip v9.0 Beta Build 5480 crack.exe
CloneCD crack.exe
You_Life.JPG.pif
AAdobe Photoshop7.0 creak.pif
Swish2.00.pif
WinRAR V3.2.0 Beta 2.exe
Panda Crack.zip.exe
Download.exe
SWF Browser2.93.txt.exe
3D Flash Animator.rar.bat
Thank you.doc.exe
Each folder on a remote host has at least one copy of the worm's
file after the worm spreads in a network.
Payload
The worm shares %WinDir%\Media directory of an infected computer
to everyone as MEDIA.
The worm terminates processes if their names contain any of the
following substrings:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising
Detection of Lovgate.AC was published in the following F-Secure
Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-05-18_01
Technical Details:
Alexey Podrezov, May 18th, 2004;
Description Updated:
Alexey Podrezov, May 19th, 2004;
F-Secure Corporation