W32/Lovgate-D

Category: Viruses and Spyware
Protection available since: 26 Feb 2003 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 26 Feb 2003 00:00:00 (GMT)
Prevalence: No Reports


W32/Lovgate-D is a worm and backdoor Trojan. The worm spreads across the local network by copying itself into shared folders using the following filenames:

billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe

W32/Lovgate-D also attempts to spread via email by sending itself to email addresses collected from *.ht* files. Emails sent to these addresses will have the following characteristics:

Subject line: Documents
Message body: Send me your comments...
Attached file: Docs.exe

Subject line: Roms
Message body: Test this ROM! IT ROCKS!.
Attached file: Roms.exe

Subject line: Pr0n!
Message body: Adult content!!! Use with parental advisory.
Attached file: Sex.exe

Subject line: Evaluation copy
Message body: Test it 30 days for free.
Attached file: Setup.exe

Subject line: Help
Message body: I'm going crazy... please try to find the bug!
Attached file: Source.exe

Subject line: Beta
Message body: Send reply if you want to be official beta tester.
Attached file: _SetupB.exe

Subject line: Do not release
Message body: This is the pack ;)
Attached file: Pack.exe

Subject line: Last Update
Message body: This is the last cumulative update.
Attached file: LUPdate.exe

Subject line: The patch
Message body: I think all will work fine.
Attached file: Patch.exe

Subject line: Cracks!
Message body: Check our list and mail your requests!
Attached file: CrkList.exe

W32/Lovgate-D copies itself into the Windows system folder as rpcsrv.exe, syshelp.exe, WinGate.exe, winrpc.exe and WinRpcsrv.exe and sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp
= "<Windows system folder>\syshelp.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize
= "<Windows system folder>\WinGate.exe -remoteshell"

HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"
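
A triage check for the three registry entries listed above, written as an added example (not Sophos code): it parses the text of a .reg export and flags Run values or the txtfile open command when they launch one of the dropped file names. The function names and the sample export are assumptions made for illustration, and the input is assumed to be already decoded to text (regedit exports are UTF-16).

```python
import re

# Indicators copied from the advisory; everything else here is illustrative.
DROPPED = {"rpcsrv.exe", "syshelp.exe", "wingate.exe", "winrpc.exe", "winrpcsrv.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_local_machine\software\classes\txtfile\shell\open\command"
# Matches string (REG_SZ) values only: "name"="data" or @="data".
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo the backslash escaping used for strings in .reg files."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value name, data) for each string value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def findings(reg_text):
    """Return (reason, value name, data) for entries that launch a dropped file."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        # File names ending in .exe anywhere in the command line, case-insensitive.
        exes = {e.lower() for e in re.findall(r'[^\\/"\s]+\.exe', data, re.I)}
        if not exes & DROPPED:
            continue
        if key.lower() == RUN_KEY:
            hits.append(("Run key persistence", name, data))
        elif key.lower() == TXT_KEY and name == "(Default)":
            hits.append(("txtfile open command hijack", name, data))
    return hits

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\System32\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\System32\\WinGate.exe -remoteshell"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"

[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print(hit)
```

A match on the txtfile entry matters for cleanup order: while that value points at winrpc.exe, opening any .txt file runs the worm again.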

W32/Lovgate-D is also a backdoor Trojan that provides an attacker with unauthorized access to the user's computer and can send a notification email message to the attacker.
