Threat Description

Lovgate.W

Details

Aliases: Lovgate.W
Category: Malware
Type:
Platform: W32

Summary


A new variant of Lovgate was discovered on 5 April 2004.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


The worm executable is packed with ASPack and JDPack.

Some of the text in the worm's executable has been scrambled using ROT13.
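Because ROT13 rotates only letters and leaves digits, dots, backslashes and '%' untouched, the scrambled strings in an unpacked sample can be recovered by rotating every printable run and looking for expected plaintext. The following Python is an added example written for this page, not F-Secure code or code taken from the worm: the token list is built from the paths and names quoted elsewhere in this description (which strings the worm actually scrambles is not stated, so that is an assumption), and the sample buffer is constructed, not bytes from the real file.

```python
import codecs
import re

# Plaintext indicators taken from the advisory above. The advisory does not
# say which strings the worm scrambles, so treating these as the expected
# decoded forms is an analyst's assumption for this example.
KNOWN_TOKENS = (
    "RAVMOND.EXE",
    "hxdef.exe",
    "Hardware Profile",
    "Mail Delivery System",
    "Mail Transaction Failed",
)

# A run of at least six printable ASCII bytes, the usual `strings` heuristic.
_PRINTABLE_RUN = re.compile(rb"[ -~]{6,}")


def rot13(text: str) -> str:
    """ROT13 rotates only A-Z/a-z; digits, dots, backslashes and '%' survive,
    so paths and registry names stay recognisable once rotated back."""
    return codecs.decode(text, "rot_13")


def printable_runs(data: bytes):
    """Yield printable-ASCII runs from a byte buffer in file order."""
    for match in _PRINTABLE_RUN.finditer(data):
        yield match.group().decode("ascii")


def scan_strings(data: bytes):
    """Return (kind, raw_run, recovered) triples for every printable run that
    contains a known token either as-is ('plain') or after ROT13 ('rot13').
    Matching is case-insensitive; each run is reported at most once."""
    hits = []
    for run in printable_runs(data):
        decoded = rot13(run)
        if any(tok.lower() in run.lower() for tok in KNOWN_TOKENS):
            hits.append(("plain", run, run))
        elif any(tok.lower() in decoded.lower() for tok in KNOWN_TOKENS):
            hits.append(("rot13", run, decoded))
    return hits


# Constructed stand-in for a few bytes of an unpacked sample: three scrambled
# strings, one plain string and some binary noise. Not data from the real worm.
SAMPLE_BLOB = (
    b"\x00MZ\x90\x00" + b"\x00" * 8
    + rot13("Hardware Profile").encode("ascii") + b"\x00"
    + b"Mail Delivery System\x00"
    + rot13("%s\\RAVMOND.EXE").encode("ascii") + b"\x00\x01\x02\x03"
    + rot13("hxdef.exe").encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    for kind, raw, recovered in scan_strings(SAMPLE_BLOB):
        print(f"{kind:5s}  {raw!r:24s} -> {recovered!r}")
```

Run it against the output of the unpacker rather than the packed file: ASPack and JDPack compress the string table, so on the file as distributed neither the plain nor the rotated strings are visible.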

System Installation

It copies itself to:

%sysdir%\RAVMOND.EXE

and adds an entry to WIN.INI so that this copy is loaded at Windows startup.

It also copies itself to:

%sysdir%\hxdef.exe

and creates the following Windows Registry entry to launch that copy:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile" = %sysdir%\hxdef.exe

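The two autostart mechanisms above (a WIN.INI entry for RAVMOND.EXE and a Run-key value for hxdef.exe) are the artifacts an incident responder would look for on a host. The Python below is an added example for this page, not F-Secure's removal logic: it parses the [windows] section of a WIN.INI snapshot and checks a dump of the Run key and a listing of %sysdir% against the indicators quoted above. The advisory does not say which WIN.INI line the worm uses, so checking both load= and run= is an assumption; the host snapshot is constructed, and %sysdir% is assumed to be C:\WINDOWS\SYSTEM32.

```python
import re
from pathlib import PureWindowsPath

# Persistence indicators taken from the advisory above.
DROPPED_FILES = ("RAVMOND.EXE", "hxdef.exe")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Hardware Profile"


def parse_win_ini_autostart(win_ini_text: str):
    """Return the programs named on the load= and run= lines of the [windows]
    section of WIN.INI. The advisory only says the worm adds 'an entry' to
    WIN.INI; load= and run= are the two lines Windows honours for autostart,
    so checking both is an assumption of this example."""
    programs = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("load", "run"):
            # Several programs may be listed, separated by spaces or commas;
            # a path containing spaces therefore needs quoting in WIN.INI.
            programs.extend(p for p in re.split(r"[ ,]+", value) if p)
    return programs


def check_persistence(run_key_values: dict, win_ini_text: str, sysdir_listing: list):
    """Evaluate a host snapshot against the persistence indicators.

    run_key_values : {value_name: data} read from RUN_KEY
    win_ini_text   : contents of WIN.INI
    sysdir_listing : file names present in %sysdir%
    Returns a list of findings; an empty list means nothing matched."""
    dropped = {f.lower() for f in DROPPED_FILES}
    findings = []

    for name in sysdir_listing:
        if name.lower() in dropped:
            findings.append(f"file present: %sysdir%\\{name}")

    for value_name, data in run_key_values.items():
        target = PureWindowsPath(data.strip().strip('"')).name.lower()
        # Flag on the value name the worm uses as well as on the target file,
        # so a renamed value pointing at the same executable is still caught.
        if value_name == RUN_VALUE_NAME or target in dropped:
            findings.append(f"{RUN_KEY} value {value_name!r} -> {data}")

    for program in parse_win_ini_autostart(win_ini_text):
        if PureWindowsPath(program.strip('"')).name.lower() in dropped:
            findings.append(f"WIN.INI autostart -> {program}")

    return findings


# Constructed snapshot of an infected host (%sysdir% assumed to be
# C:\WINDOWS\SYSTEM32); not data captured from a real machine.
SAMPLE_RUN_KEY = {
    "SystemTray": "SysTray.Exe",
    "Hardware Profile": r"C:\WINDOWS\SYSTEM32\hxdef.exe",
}
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM32\RAVMOND.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSDIR = ["kernel32.dll", "RAVMOND.EXE", "hxdef.exe", "notepad.exe"]

if __name__ == "__main__":
    for finding in check_persistence(SAMPLE_RUN_KEY, SAMPLE_WIN_INI, SAMPLE_SYSDIR):
        print(finding)
```

Matching on the file name alone is a triage aid: a copy of the worm dropped under a different name would not appear, which is why the anti-virus detection listed under Detection below, not this check, is the authoritative test.
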
Email Spreading

It tries to send email through Windows' MAPI. Messages sent this way have the following characteristics.

The body will contain the text:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more
look to the attachment.

The attachment file name is chosen from:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

When using its internal SMTP engine, messages will look like:

Subject (one of):

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Body (one of):

This is a multi-part message in MIME format.
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

The attachment name is composed of a base name chosen from:

document
readme
doc
text
file
data
test
message
body

followed by an extension from:

.pif
.scr
.exe
.cmd
.bat

P2P Spreading

It will copy itself to the Kazaa shared folder with names like:

wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win

With extensions:

.exe
.scr
.pif
.bat

Local Network Spreading

When copying itself to shared resources, the following filenames will be used:

WinRAR.exe
Internet Explorer.bat
Documents and Settings.txt.exe
Microsoft Office.exe
Windows Media Player.zip.exe
Support Tools.exe
WindowsUpdate.pif
Cain.pif
MSDN.ZIP.pif
autoexec.bat
findpass.exe
client.exe
i386.exe
winhlp32.exe
xcopy.exe
mmc.exe
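All three spreading routes (email attachments, the Kazaa folder and network shares) rely on file names: an executable extension hidden behind a document or media extension, a generated "document.pif"-style name, or a name that imitates a well-known program. The Python below is an added example for this page, not F-Secure code, showing how a mail gateway or share scanner could score a file name against those patterns. The name lists are copied from the sections above (a subset for the fixed names); the sample input is constructed.

```python
import re

# Extensions the worm uses for executable copies (both attachment lists above).
EXEC_EXTS = {"pif", "scr", "exe", "cmd", "bat"}

# Base names the internal SMTP engine combines with those extensions.
SMTP_STEMS = {"document", "readme", "doc", "text", "file", "data",
              "test", "message", "body"}

# Names used for copies in the Kazaa shared folder (extension varies).
KAZAA_STEMS = {n.lower() for n in (
    "wrar320sc", "REALONE", "BlackIcePCPSetup_creak", "Passware5.3",
    "word_pass_creak", "HEROSOFT", "orcard_original_creak", "rainbowcrack-1.1-win",
)}

# A subset of the fixed names quoted above for MAPI attachments and network shares.
KNOWN_NAMES = {n.lower() for n in (
    "Sex in Office.rm.scr", "s3msong.MP3.pif", "Me_nude.AVI.pif",
    "Britney spears nude.exe.txt.exe", "I am For u.doc.exe", "Shakira.zip.exe",
    "WinRAR.exe", "Internet Explorer.bat", "Documents and Settings.txt.exe",
    "Windows Media Player.zip.exe", "WindowsUpdate.pif", "MSDN.ZIP.pif",
)}

# An extension is a dot followed by two to four letters/digits at the end of
# the name. Requiring at least two characters keeps version numbers such as
# "setup-1.2.3.exe" from being read as a stacked extension.
_EXT = re.compile(r"\.([A-Za-z0-9]{2,4})$")


def split_ext(name: str):
    """Split 'stem.ext' into (stem, ext lower-cased); ext is '' if absent."""
    m = _EXT.search(name)
    if not m:
        return name, ""
    return name[: m.start()], m.group(1).lower()


def classify(name: str):
    """Return the reasons a file name is suspicious in the context of this
    worm; an empty list means none of the indicators applied."""
    name = name.strip()
    reasons = []
    stem, ext = split_ext(name)
    if ext not in EXEC_EXTS:
        return reasons
    _, inner_ext = split_ext(stem)
    if inner_ext:
        # e.g. ".txt.exe": a document or media extension placed in front of an
        # executable one, the trick used by most names on this page.
        reasons.append(f"double extension .{inner_ext}.{ext}")
    if stem.lower() in SMTP_STEMS:
        reasons.append("matches SMTP-engine attachment pattern")
    if stem.lower() in KAZAA_STEMS:
        reasons.append("matches Kazaa share-folder name")
    if name.lower() in KNOWN_NAMES:
        reasons.append("matches a filename quoted in the advisory")
    return reasons


def scan(names):
    """Map each suspicious name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := classify(n))}


# Constructed list mixing names from the page with ordinary files.
SAMPLE_NAMES = [
    "quarterly_report.xlsx", "photo.jpg", "setup-1.2.3.exe",
    "Documents and Settings.txt.exe", "document.scr", "rainbowcrack-1.1-win.exe",
]

if __name__ == "__main__":
    for n, r in scan(SAMPLE_NAMES).items():
        print(f"{n!r}: {', '.join(r)}")
```

Names such as xcopy.exe, mmc.exe or winhlp32.exe from the share list are deliberately not scored here: they are legitimate Windows file names, and a copy of the worm under one of them can only be told apart by content (hash or anti-virus signature), not by name.
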


Detection


Detection in F-Secure Anti-Virus was published on April 5th, 2004 with update:

Detection Type: PC
Database: 2004-04-05_01



Description Details: Ero Carrera

