W32/Lovelet-AD

Category:	Viruses and Spyware	Protection available since:	29 Apr 2007 00:00:00 (GMT)
Type:	Win32 worm	Last Updated:	20 Oct 2010 18:48:05 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Lovelet-AD spreads by:

- Copying itself to autorun.inf into any writable drive
- Email attachments
- Infected files
- Replacing PIF files with a copy of W32/Lovelet-AD
- Yahoo Instant Messenger

W32/Lovelet-AD includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Lovelet-AD copies itself to:

\Microsoft Word Document.scr
\autorun.inf
\New Microsoft Word Document.scr
\Programs\Microsoft Word Document.scr

as well as numerous locations (more than 1000 files) and sub folders in:

\Microsoft\CD Burning\
\
\
\
\
\
\
\Prefetch\
\gorgle\

The following registry entries are created to run W32/Lovelet-AD on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
\mskernel.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
\lsass.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
WinRun
\AutoRun.ini

as well as the following modification of existing entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe \services.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\gorgle\csrss.exe

The following registry entries are created to make removal of W32/Lovelet-AD difficult for the user:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entries are set or modified, so that W32/Lovelet-AD is run when files with extensions of PIF are opened/launched:

HKCR\AVIFile\shell\open\command
(default)
\setup\mskernel.exe %1

HKCR\piffile\shell\open\command
(default)
\setup\mskernel.exe %1

Examples of W32/Lovelet-AD include:

Example 1

File Information

Size: 220K
SHA-1: 6ed68a72f52f75046b53d1fe4e013fecd3130adf
MD5: 4276fec3fc582f27ffbd56f67bbcab54
CRC-32: 1a7e38c6
File type: application/x-ms-dos-executable
First seen: 2010-10-19

Runtime Analysis

Copies Itself To

C:\WINDOWS\agila.scr

Dropped Files

C:\WINDOWS\services.exe
C:\Documents and Settings\Default User\Templates\winword.scr
Size
220K
SHA-1
7cad4112d748899ae35cd53f079ed3fd7f86e3e0
MD5
65e5b2ed3892e025f75748724e7ee9ae
CRC-32
fde0118b
File type
application/octet-stream
First seen
2010-10-18
c:\Documents and Settings\test user\Templates\winword.scr
Size
220K
SHA-1
7cad4112d748899ae35cd53f079ed3fd7f86e3e0
MD5
65e5b2ed3892e025f75748724e7ee9ae
CRC-32
fde0118b
File type
application/octet-stream
First seen
2010-10-18
C:\Documents and Settings\Default User\Templates\winword2.scr
Size
217K
SHA-1
11ea2e15dc22f574cf068a11d8f2dbd32fec9f32
MD5
bf37d9c2d165c724c02d35fa3dd0e680
CRC-32
14335912
File type
application/octet-stream
First seen
2010-10-18
C:\WINDOWS\system32\mskernel.exe
c:\Documents and Settings\test user\Local Settings\Temp\~DF73B2.tmp
Size
16K
SHA-1
1ea94a4e701adac37248ef2cb10c556583399ce1
MD5
fac2d93398a8d3d575b30511694d5dbc
CRC-32
f8624a7d
File type
application/octet-stream
First seen
2010-10-18
C:\Perl\site\lib\Tk\icon.exe
Size
217K
SHA-1
30d93d6e57fb68120d7b4d45341cfb87cf42b070
MD5
f72b8c7bc71dd4edf72f492769468c8f
CRC-32
c83e453a
File type
application/octet-stream
First seen
2010-10-18
C:\WINDOWS\AutoRun.ini
Size
215K
SHA-1
63cb524e97f4c5456ff4ba010ba95b5ee5793081
MD5
d8d9834a53a5c78654fb90e3601c38ec
CRC-32
953c5448
File type
application/octet-stream
First seen
2010-10-18
C:\WINDOWS\lsass.exe
C:\WINDOWS\email32.vbs
C:\sample.scr
Size
220K
SHA-1
7cad4112d748899ae35cd53f079ed3fd7f86e3e0
MD5
65e5b2ed3892e025f75748724e7ee9ae
CRC-32
fde0118b
File type
application/octet-stream
First seen
2010-10-18
c:\Documents and Settings\test user\My Documents\My Pictures\mskernel.exe
C:\Perl\site\lib\Tk\anim.exe
Size
218K
SHA-1
0dc1925d18759592b325a355cf9e267d49edaf01
MD5
ebdb005b9ef27abd4948bd1cd6b78a44
CRC-32
ec9ceb2d
File type
application/octet-stream
First seen
2010-10-18
c:\Documents and Settings\test user\Templates\winword2.scr
Size
217K
SHA-1
11ea2e15dc22f574cf068a11d8f2dbd32fec9f32
MD5
bf37d9c2d165c724c02d35fa3dd0e680
CRC-32
14335912
File type
application/octet-stream
First seen
2010-10-18
C:\WINDOWS\setup\mskernel.exe
C:\WINDOWS\gorgle\csrss.exe

Registry Keys Created

HKCR\scrfile
NeverShowExt
HKCR\exefile
NeverShowExt
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010102120101022
CachePrefix
:2010102120101022:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
(Default)
C:\WINDOWS\system32\mskernel.exe
HKCR\batfile
NeverShowExt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Default)
\WINDOWS\lsass.exe
HKCR\comfile
NeverShowExt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0x00000001
HKLM\SOFTWARE\Microsoft\Windows\System\Malicious
Sams32
1111

Registry Keys Modified

HKCR\inifile\shell\open\command
(Default)
"%1" %*
HKCR\comfile\DefaultIcon
(Default)
shimgvw.dll,3
HKCR\scrfile
(Default)
Microsoft Word Document
HKCR\AVIFile\shell\open\command
(Default)
"C:\WINDOWS\setup\mskernel.exe" %1
HKCR\batfile\shell\edit\command
(Default)
shutdown -s -f -t 0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
c:\windows\system32\userinit.exe,C:\WINDOWS\gorgle\csrss.exe,
HKCR\comfile
(Default)
JPEG Image
HKCR\piffile\shell\open\command
(Default)
"C:\WINDOWS\setup\mskernel.exe" %1

Processes Created

c:\program files\windows nt\accessories\wordpad.exe

Example 2

File Information

Size: 217K
SHA-1: 994a29b9e078282c346debf312efcb0305032a24
MD5: bd782ffa3d061e091e860002ef798984
CRC-32: 9085ac10
File type: application/x-ms-dos-executable
First seen: 2010-10-19

Runtime Analysis

Copies Itself To

C:\WINDOWS\agila.scr

Dropped Files

C:\WINDOWS\gorgle\csrss.exe
c:\Documents and Settings\test user\Local Settings\Temp\~DFD3C5.tmp
Size
16K
SHA-1
1ea94a4e701adac37248ef2cb10c556583399ce1
MD5
fac2d93398a8d3d575b30511694d5dbc
CRC-32
f8624a7d
File type
application/octet-stream
First seen
2010-10-18
C:\Documents and Settings\Default User\Templates\winword2.scr
Size
217K
SHA-1
11ea2e15dc22f574cf068a11d8f2dbd32fec9f32
MD5
bf37d9c2d165c724c02d35fa3dd0e680
CRC-32
14335912
File type
application/octet-stream
First seen
2010-10-18
C:\sample.scr
Size
217K
SHA-1
11ea2e15dc22f574cf068a11d8f2dbd32fec9f32
MD5
bf37d9c2d165c724c02d35fa3dd0e680
CRC-32
14335912
File type
application/octet-stream
First seen
2010-10-18
C:\WINDOWS\setup\mskernel.exe
C:\WINDOWS\system32\mskernel.exe
C:\WINDOWS\services.exe
C:\Documents and Settings\Default User\Templates\winword.scr
Size
220K
SHA-1
7cad4112d748899ae35cd53f079ed3fd7f86e3e0
MD5
65e5b2ed3892e025f75748724e7ee9ae
CRC-32
fde0118b
File type
application/octet-stream
First seen
2010-10-18
c:\Documents and Settings\test user\Templates\winword.scr
Size
220K
SHA-1
7cad4112d748899ae35cd53f079ed3fd7f86e3e0
MD5
65e5b2ed3892e025f75748724e7ee9ae
CRC-32
fde0118b
File type
application/octet-stream
First seen
2010-10-18
C:\WINDOWS\AutoRun.ini
Size
215K
SHA-1
63cb524e97f4c5456ff4ba010ba95b5ee5793081
MD5
d8d9834a53a5c78654fb90e3601c38ec
CRC-32
953c5448
File type
application/octet-stream
First seen
2010-10-18
c:\Documents and Settings\test user\My Documents\My Pictures\mskernel.exe
c:\Documents and Settings\test user\Templates\winword2.scr
Size
217K
SHA-1
11ea2e15dc22f574cf068a11d8f2dbd32fec9f32
MD5
bf37d9c2d165c724c02d35fa3dd0e680
CRC-32
14335912
File type
application/octet-stream
First seen
2010-10-18
C:\WINDOWS\email32.vbs
C:\WINDOWS\lsass.exe

Registry Keys Created

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
(Default)
C:\WINDOWS\system32\mskernel.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010102020101021
CachePrefix
:2010102020101021:
HKLM\SOFTWARE\Microsoft\Windows\System\Malicious
Sams32
0211
HKCR\batfile
NeverShowExt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Default)
\WINDOWS\lsass.exe
HKCR\scrfile
NeverShowExt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
0x00000001
HKCR\exefile
NeverShowExt
HKCR\comfile
NeverShowExt

Registry Keys Modified

HKCR\comfile
(Default)
JPEG Image
HKCR\batfile\shell\edit\command
(Default)
shutdown -s -f -t 0
HKCR\AVIFile\shell\open\command
(Default)
"C:\WINDOWS\setup\mskernel.exe" %1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
c:\windows\system32\userinit.exe,C:\WINDOWS\gorgle\csrss.exe,
HKCR\scrfile
(Default)
Microsoft Word Document
HKCR\inifile\shell\open\command
(Default)
"%1" %*
HKCR\comfile\DefaultIcon
(Default)
shimgvw.dll,3
HKCR\piffile\shell\open\command
(Default)
"C:\WINDOWS\setup\mskernel.exe" %1

Processes Created

c:\program files\windows nt\accessories\wordpad.exe
c:\truecrypt\truecrypt.exe
c:\windows\system32\cmd.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\ime\pintlgnt\imscinst.exe
c:\windows\system32\ime\tintlgnt\tintsetp.exe
c:\windows\system32\sc.exe

Example 3

File Information

Size: 456K
SHA-1: 121f902e76270dd38be6137e4cc347aeaa9daea8
MD5: 0aab7a64d8d124072318ff978fbfc49a
CRC-32: 7a48581b
File type: application/x-ms-dos-executable
First seen: 2010-10-20

Try Sophos products for free
Download now

W32/Lovelet-AD

Example 1

File Information

Runtime Analysis

Copies Itself To

Dropped Files

Registry Keys Created

Registry Keys Modified

Processes Created

Example 2

File Information

Runtime Analysis

Copies Itself To

Dropped Files

Registry Keys Created

Registry Keys Modified

Processes Created

Example 3

File Information

Free Mac Anti-Virus

Popular topics