F-Secure Virus Descriptions : Lovgate.N
A new variant of Lovgate was discovered on 23rd of September, 2003.
It shares many features with previous versions. One of the common features of
this family of worms is the presence of a backdoor component. This variant is
also capable of sending e-mail by its own methods, without having to rely on
the operating system's mail facilities.
The samples of the worm we have received so far have a length of 446464 bytes,
and are not packed.
The behaviour of the executable depends on the command line options specified
when it is loaded.
System Installation
On start-up the worm will create an event named "My I-WORM-2068 running!" and
terminate if the event already exists (which indicates that the worm is already
running).
It will copy itself to:
%WinSysDir%\rcpsrv.exe
%WinSysDir%\WinRpcsrv.exe
%WinSysDir%\syshelp.exe
%WinSysDir%\WinGate.exe -remoteshell
It will add an entry to the "win.ini" Windows initialization file so
"rcpsrv.exe" is executed every time Windows starts.
The executable "WinRpcsrv.exe" will be installed as a service: the service is
registered with "CreateServiceA" and runs the worm with the "-start_server"
command line option.
The worm will add to the registry the following entries for the other binaries:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp" = %WinSysDir%\syshelp.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinGate initialize" = %WinSysDir%\WinGate.exe -remoteshell
It will modify the file association of text files, so that when a file with the
TXT extension is double-clicked, the worm is run instead. The worm then
proceeds to run "notepad.exe", so the user won't notice anything strange.
To do this, the registry value:
[HKCR\txtfile\shell\open\command]
will be set to:
"winrpc.exe %1"
Backdoor
The backdoor component will listen on port 10168. As with previous versions, a
pipe will be created, presenting the attacker with a login screen showing the
following text:
"User Access Verification"
"Your PassWord:"
After introducing the correct password the attacker will be given a command line
interface to the infected machine.
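The installation and backdoor indicators described above can be checked on a host with a read-only triage script. The following is an added example and not part of F-Secure's description; it assumes PowerShell 5 or later on Windows, that %WinSysDir% resolves to the System32 folder, and that the event is created in the caller's session namespace.

```powershell
# Added example (not F-Secure's code): read-only check of a Windows host for the
# Lovgate.N persistence and backdoor indicators listed in the description.
$sysDir   = [Environment]::GetFolderPath('System')   # assumption: %WinSysDir% = System32
$findings = @()

# 1. The "already running" event the worm creates on start-up
$evt = $null
if ([System.Threading.EventWaitHandle]::TryOpenExisting('My I-WORM-2068 running!', [ref]$evt)) {
    $findings += "event 'My I-WORM-2068 running!' exists (worm process likely running)"
    $evt.Dispose()
}

# 2. Dropped executables named in the description (samples seen were 446464 bytes)
foreach ($name in 'rcpsrv.exe', 'WinRpcsrv.exe', 'syshelp.exe', 'WinGate.exe') {
    $p = Join-Path $sysDir $name
    if (Test-Path $p) { $findings += "file present: $p ($((Get-Item $p).Length) bytes)" }
}

# 3. HKLM Run values "syshelp" and "WinGate initialize"
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($v in 'syshelp', 'WinGate initialize') {
    $val = (Get-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue).$v
    if ($val) { $findings += "Run value '$v' = $val" }
}

# 4. Service whose binary path launches the worm with -start_server
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'WinRpcsrv\.exe|-start_server' } |
    ForEach-Object { $findings += "service '$($_.Name)' path: $($_.PathName)" }

# 5. win.ini entry that starts rcpsrv.exe at boot
$winIni = Join-Path $env:windir 'win.ini'
if ((Test-Path $winIni) -and (Select-String -Path $winIni -Pattern 'rcpsrv\.exe' -Quiet)) {
    $findings += 'win.ini references rcpsrv.exe'
}

# 6. Hijacked .txt association (normally this command launches notepad.exe)
$txtKey = 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command'
$txtCmd = (Get-ItemProperty -Path $txtKey -ErrorAction SilentlyContinue).'(default)'
if ($txtCmd -and $txtCmd -match 'winrpc|rcpsrv|syshelp|WinGate') {
    $findings += "txtfile open command hijacked: $txtCmd"
}

# 7. Backdoor listener on TCP 10168
$listener = Get-NetTCPConnection -LocalPort 10168 -State Listen -ErrorAction SilentlyContinue
if ($listener) { $findings += "TCP 10168 listening (PID $($listener.OwningProcess))" }

if ($findings.Count -eq 0) { 'No Lovgate.N indicators found.' } else { $findings }
```

Any hit should be confirmed against a scan with current signatures, since the file names and Run value names are not unique to this worm.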
Mass mailing component
The worm has its own SMTP engine, with which it will send messages of the
following appearance:
Subject: Cracks!
Message Body: Check our list and mail your requests!
Attachment: CrkList.exe
Subject: The patch
Message Body: I think all will work fine.
Attachment: Patch.exe
Subject: Last Update
Message Body: This is the last cumulative update.
Attachment: LUPdate.exe
Subject: Do not release
Message Body: This is the pack ;)
Attachment: Pack.exe
Subject: Beta
Message Body: Send reply if you want to be official beta tester.
Attachment: _SetupB.exe
Subject: Help
Message Body: I'm going crazy... please try to find the bug!
Attachment: Source.exe
Subject: Evaluation copy
Message Body: Test it 30 days for free.
Attachment: Setup.exe
Subject: Pr0n!
Message Body: Adult content!!! Use with parental advisory.
Attachment: Sex.exe
Subject: Roms
Message Body: Test this ROM! IT ROCKS!.
Attachment: Roms.exe
Subject: Documents
Message Body: Send me your comments...
Attachment: Docs.exe
Local network spreading
When spreading through local networks, it will copy itself with names from the following list:
fun.exe
humor.exe
docs.exe
s3msong.exe
midsong.exe
billgt.exe
Card.EXE
SETUP.EXE
searchURL.exe
tamagotxi.exe
hamster.exe
news_doc.exe
PsPGame.exe
joke.exe
images.exe
pics.exe
Detection in F-Secure Anti-Virus was published on September 23rd, 2003 with
update:
[FSAV_Database_Version]
Version=2003-09-23_02
Technical Details:
Ero Carrera
F-Secure Corporation, September 23rd, 2003