A new variant of the Lovgate has been discovered on 5th of April, 2004.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm executable is packed with ASPack and JDPack.
Some of the text on the worm's executable has been scrambled using ROT13.
It will copy itself to:
%sysdir%\RAVMOND.EXE
Adding an entry in WIN.INI to be loaded at Windows startup.
As well as to the location:
%sysdir%\hxdef.exe
For which an entry in the Windows Registry will be created:
[HKLM\'SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Hardware Profile" = %sysdir%\hxdef.exe
It will try to send email through Windows' MAPI. The messages sent through this method have the following characteristics.
The body will contain the text:
If you can keep your head when all about you Are losing theirs and blaming it on you; If you can trust yourself when all men doubt you, But make allowance for their doubting too; If you can wait and not be tired by waiting, Or, being lied about,don't deal in lies, Or, being hated, don't give way to hating, And yet don't look too good, nor talk too wise; ... ... more look to the attachment.
And attachment file name chosen from:
the hardcore game-.pif Sex in Office.rm.scr Deutsch BloodPatch!.exe s3msong.MP3.pif Me_nude.AVI.pif How to Crack all gamez.exe Macromedia Flash.scr SETUP.EXE Shakira.zip.exe dreamweaver MX (crack).exe StarWars2 - CloneAttack.rm.scr Industry Giant II.exe DSL Modem Uncapper.rar.exe joke.pif Britney spears nude.exe.txt.exe I am For u.doc.exe
When using its internal SMTP engine, messages will look like:
Subject: test hi hello Mail Delivery System Mail Transaction Failed Server Report Status Error Body: This is a multi-part message in MIME format. Mail failed. For further assistance, please contact! The message contains Unicode characters and has been sent as a binary attachment. It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
Attachment name will be composed from a name chosen from:
document readme doc text file data test message body
followed by a extension like:
.pif .scr .exe .cmd .bat
It will copy itself to the Kazaa shared folder with names like:
wrar320sc REALONE BlackIcePCPSetup_creak Passware5.3 word_pass_creak HEROSOFT orcard_original_creak rainbowcrack-1.1-win
With extensions:
.exe .scr .pif .bat
When copying itself to shared resources, the following filenames will be used:
WinRAR.exe Internet Explorer.bat Documents and Settings.txt.exe Microsoft Office.exe Windows Media Player.zip.exe Support Tools.exe WindowsUpdate.pif Cain.pif MSDN.ZIP.pif autoexec.bat findpass.exe client.exe i386.exe winhlp32.exe xcopy.exe mmc.exe