Threat Description

Lovgate.W

Details

Aliases: Lovgate.W
Category: Malware
Type:
Platform: W32

Summary

A new variant of Lovgate was discovered on the 5th of April, 2004.


Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The worm executable is packed with ASPack and JDPack.

Some of the text strings in the worm's executable have been scrambled using ROT13.

System Installation

It copies itself to:

%sysdir%\RAVMOND.EXE

and adds an entry to WIN.INI so that this file is loaded at Windows startup.

It also copies itself to:

%sysdir%\hxdef.exe

and creates the following entry in the Windows Registry to launch that copy:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile" = %sysdir%\hxdef.exe
 

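The persistence artifacts listed above (the two dropped files, the WIN.INI startup entry and the "Hardware Profile" Run value) can be checked on a host with a few lines of code. The following is an added example written for this description, not F-Secure's tooling; it assumes the WIN.INI entry is a run= or load= line in the [windows] section, and the host data it scans is constructed inline.

```python
import re
from typing import Dict, List

# Indicators taken from the description: file names dropped into %sysdir%
# and the value name written under the Run key.
DROPPED_FILES = {"ravmond.exe", "hxdef.exe"}
RUN_VALUE_NAME = "hardware profile"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def check_win_ini(win_ini_text: str) -> List[str]:
    """Return run=/load= lines in [windows] that reference a dropped file.
    (Assumption: the worm uses one of these two classic startup lines.)"""
    hits, in_windows = [], False
    for line in win_ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            continue
        if in_windows and re.match(r"(?i)(run|load)\s*=", s):
            if any(name in s.lower() for name in DROPPED_FILES):
                hits.append(s)
    return hits


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """run_values maps value name -> data read from the Run key.
    Flag the known value name or any data pointing at hxdef.exe."""
    return [f"{RUN_KEY}\\{name} = {data}"
            for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or "hxdef.exe" in data.lower()]


def check_system_dir(listing: List[str]) -> List[str]:
    """Return dropped-file names present in a %sysdir% directory listing."""
    return sorted(f for f in listing if f.lower() in DROPPED_FILES)


# Constructed sample host data (not real captures) exercising each check.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINNT\\System32\\RAVMOND.EXE\n[fonts]\n"
SAMPLE_RUN = {"Hardware Profile": "C:\\WINNT\\System32\\hxdef.exe",
              "Synchronization Manager": "mobsync.exe /logon"}
SAMPLE_SYSDIR = ["kernel32.dll", "hxdef.exe", "RAVMOND.EXE"]

if __name__ == "__main__":
    print("WIN.INI :", check_win_ini(SAMPLE_WIN_INI))
    print("Run key :", check_run_key(SAMPLE_RUN))
    print("Files   :", check_system_dir(SAMPLE_SYSDIR))
```

On a live system the three inputs would come from %windir%\WIN.INI, the Run key's values and a listing of %sysdir%; a hit in any of them is grounds to let the scanner disinfect as described above.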
Email Spreading

It will try to send email through Windows' MAPI. The messages sent through this method have the following characteristics.

The body will contain the text:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more  look to the attachment.

The attachment file name is chosen from:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

When using its internal SMTP engine, the messages look like:

Subject (one of):
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Body (one of):
This is a multi-part message in MIME format.
Mail  failed.  For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.
It's the long-awaited film version of the Broadway hit. The  message  sent as a binary attachment.

The attachment name is composed of a name chosen from:

document
readme
doc
text
file
data
test
message
body

followed by an extension such as:

.pif
.scr
.exe
.cmd
.bat

P2P Spreading

It will copy itself to the Kazaa shared folder with names like:

wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win

With extensions:

.exe
.scr
.pif
.bat

Local Network Spreading

When copying itself to shared resources, the following filenames will be used:

WinRAR.exe
Internet Explorer.bat
Documents and Settings.txt.exe
Microsoft Office.exe
Windows Media Player.zip.exe
Support Tools.exe
WindowsUpdate.pif
Cain.pif
MSDN.ZIP.pif
autoexec.bat
findpass.exe
client.exe
i386.exe
winhlp32.exe
xcopy.exe
mmc.exe



Detection


Detection in F-Secure Anti-Virus was published on April 5th, 2004 with update:
Detection Type: PC
Database: 2004-04-05_01



Description Created: Ero Carrera
