Threat Description



Category: Malware
Platform: W32
Aliases: Lovgate.W


A new variant of Lovgate was discovered on 5th of April, 2004.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm executable is packed with ASPack and JDPack.

Some of the text on the worm's executable has been scrambled using ROT13.

System Installation

It will copy itself to:


It adds an entry in WIN.INI so that it is loaded at Windows startup.

It also copies itself to the location:


An entry in the Windows Registry is created for this copy:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile" = %sysdir%\hxdef.exe

Email Spreading

It will try to send email through Windows' MAPI. The messages sent through this method have the following characteristics.

The body will contain the text:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more
look to the attachment.

The attachment file name is chosen from:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

When using its internal SMTP engine, messages will look like:

Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Body:
This is a multi-part message in MIME format.
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

Attachment name will be composed from a name chosen from:

document
readme
doc
text
file
data
test
message
body

followed by an extension like:

.pif
.scr
.exe
.cmd
.bat

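
As an added example (not F-Secure's code and not part of the original description), the following Python sketch shows how a mail filter could flag attachment names matching the lists above. The function names, the broader double-extension heuristic and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Names and extensions copied from the description above.
SMTP_STEMS = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXEC_EXTS = {"pif", "scr", "exe", "cmd", "bat"}
MAPI_NAMES = {n.lower() for n in (
    "the hardcore game-.pif", "Sex in Office.rm.scr", "Deutsch BloodPatch!.exe",
    "s3msong.MP3.pif", "Me_nude.AVI.pif", "How to Crack all gamez.exe",
    "Macromedia Flash.scr", "SETUP.EXE", "dreamweaver MX (crack).exe",
    "StarWars2 - CloneAttack.rm.scr", "Industry Giant II.exe",
    "DSL Modem Uncapper.rar.exe", "joke.pif", "Britney spears nude.exe.txt.exe",
    "I am For u.doc.exe")}
# Decoy inner extensions seen in the listed names; reused as a broader heuristic (assumption).
DECOY_EXTS = {"rm", "mp3", "avi", "rar", "txt", "doc", "zip"}

def classify(filename):
    """Return why an attachment name is suspicious, or None if it is not."""
    name = filename.strip().lower()
    if name in MAPI_NAMES:                      # fixed names used with MAPI
        return "mapi-list"
    stem, _, ext = name.rpartition(".")
    if not stem or ext not in EXEC_EXTS:        # no executable final extension
        return None
    if stem in SMTP_STEMS:                      # name + extension from the SMTP engine
        return "smtp-engine"
    if "." in stem and stem.rpartition(".")[2] in DECOY_EXTS:
        return "double-extension"               # e.g. something.doc.exe
    return None

def scan_message(raw):
    """Parse raw RFC 5322 bytes and return [(filename, reason)] for flagged parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        reason = classify(part.get_filename() or "")
        if reason:
            hits.append((part.get_filename(), reason))
    return hits

def build_sample():
    """Constructed test message (not a captured sample) with harmless payloads."""
    msg = EmailMessage()
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("This is a constructed test message.")
    for fn in ("readme.pif", "Me_nude.AVI.pif", "invoice.doc.exe", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in scan_message(build_sample()):
        print(f"{reason:18} {filename}")
```
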
P2P Spreading

It will copy itself to the Kazaa shared folder with names like:

wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win

With extensions:

.exe
.scr
.pif
.bat

Local Network Spreading

When copying itself to shared resources, the following filenames will be used:

WinRAR.exe
Internet Explorer.bat
Documents and Settings.txt.exe
Microsoft Office.exe
Windows Media
Support Tools.exe
WindowsUpdate.pif
Cain.pif
MSDN.ZIP.pif
autoexec.bat
findpass.exe
client.exe
i386.exe
winhlp32.exe
xcopy.exe
mmc.exe


Detection in F-Secure Anti-Virus was published on April 5th, 2004 with update:

Detection Type: PC
Database: 2004-04-05_01

Description Details: Ero Carrera

