Lovgate.W

Classification

Malware

-

-

Lovgate.W

Summary

A new variant of the Lovgate has been discovered on 5th of April, 2004.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The worm executable is packed with ASPack and JDPack.

Some of the text on the worm's executable has been scrambled using ROT13.

System Installation

It will copy itself to:

%sysdir%\RAVMOND.EXE 			

Adding an entry in WIN.INI to be loaded at Windows startup.

As well as to the location:

%sysdir%\hxdef.exe
 

For which an entry in the Windows Registry will be created:

[HKLM\'SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile" = %sysdir%\hxdef.exe
 

Email Spreading

It will try to send email through Windows' MAPI. The messages sent through this method have the following characteristics.

The body will contain the text:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more
look to the attachment.
 

And attachment file name chosen from:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

When using its internal SMTP engine, messages will look like:

Subject:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
 Body: This is a multi-part message in MIME format.
Mail
failed.
For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary
attachment.
It's the long-awaited film version of the Broadway hit. The
message
sent as
a binary attachment.
 

Attachment name will be composed from a name chosen from:

document
readme
doc
text
file
data
test
message
body

followed by a extension like:

.pif
.scr
.exe
.cmd
.bat

P2P Spreading

It will copy itself to the Kazaa shared folder with names like:

wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
 

With extensions:

.exe
.scr
.pif
.bat

Local Network Spreading.

When copying itself to shared resources, the following filenames will be used:

WinRAR.exe
Internet Explorer.bat
Documents and Settings.txt.exe
Microsoft Office.exe
Windows Media Player.zip.exe
Support Tools.exe
WindowsUpdate.pif
Cain.pif
MSDN.ZIP.pif
autoexec.bat
findpass.exe
client.exe
i386.exe
winhlp32.exe
xcopy.exe
mmc.exe