W32/Lovgate-Z is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks.
W32/Lovgate-Z copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows folder as systra.exe.
The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll which are backdoor components of the worm and provide unauthorised remote access to the computer over a network.
The worm drops ZIP files containing a copy of the worm onto accessible drives. The ZIP file may have a RAR extension. The name of the archive is chosen from the following list:
WORK
setup
important
bak
letter
pass
The name of the file inside the archive is PassWord, email or book, with an extension of EXE, SCR, PIF or COM.
In order to run automatically when the user logs on to the computer, W32/Lovgate-Z creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Program In Windows=<Windows system>\IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp=<Windows system>\WinHelp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra=<Windows>\SysTra.EXE
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run=RAVMOND.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Protected Storage=RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VFW Encoder/Decoder Settings=RUNDLL32.EXE MSSIGN30.DLL ondll_reg
W32/Lovgate-Z changes the entry in the registry at the following location so that it runs itself before any file with an EXE extension:
HKCR\exefile\shell\open\command
W32/Lovgate-Z may also change WIN.INI to run itself on system restart.
In addition W32/Lovgate-Z copies itself to the file command.exe in the root folder and creates the file autorun.inf there containing an entry to run the dropped file upon system startup.
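As an added illustration (not part of the original description), the following Python scans an exported .reg file for the autostart values listed above and for an exefile handler that is no longer the Windows default. The sample export it scans is constructed, and the hijacked exefile command in it is an assumed form, since the description does not give the exact value the worm writes.

```python
import re

# Persistence indicators from the description above: the autostart value
# names the worm creates and the filenames its values point at.
LOVGATE_VALUE_NAMES = {"program in windows", "winhelp", "systemtra",
                       "protected storage", "vfw encoder/decoder settings"}
LOVGATE_FILES = ("winhelp.exe", "systra.exe", "ravmond.exe", "mssign30.dll")
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(Run|RunServices|Windows)$", re.I)
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE_CMD = '"%1" %*'   # default data on an unmodified system

def parse_reg_export(text):
    """Minimal .reg parser: returns {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg files escape backslashes as \\ and quotes as \"
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys

def find_lovgate_persistence(reg_text):
    """(key, value_name, data) for each autostart entry matching the worm's
    indicators, plus an exefile handler that is no longer the default."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() == EXEFILE_KEY:
            cmd = values.get("(Default)", "")
            if cmd != CLEAN_EXEFILE_CMD:
                findings.append((key, "(Default)", cmd))
        elif AUTOSTART_KEY.search(key):
            for name, data in values.items():
                if (name.lower() in LOVGATE_VALUE_NAMES
                        or any(f in data.lower() for f in LOVGATE_FILES)):
                    findings.append((key, name, data))
    return findings
# Constructed sample export (not a real capture); exefile value is assumed.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows"="C:\\WINDOWS\\system32\\IEXPLORE.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINDOWS\\SysTra.EXE"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\WinHelp.exe \"%1\" %*"
'''
```

Run it against `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the other keys) output from a suspect machine; the legitimate ctfmon.exe entry in the sample is there to show that ordinary Run values are not reported.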
W32/Lovgate-Z spreads by email. Email addresses are harvested from WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system.
Emails have the following characteristics:
Subject line:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text:
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail failed. For further assistance, please contact!
Attached file (extension ZIP, EXE, PIF or SCR):
document
readme
doc
text
file
data
test
message
body
The worm attempts to reply to emails found in the user's inbox using the following filenames as attachments:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
W32/Lovgate-Z copies itself to the shared folder of an existing KaZaA installation with various filenames.
W32/Lovgate-Z also enables sharing of the Windows media folder and copies itself there using various filenames.
The worm attempts to spread by copying itself to mounted shares using one of the following filenames:
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe.
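The following Python, added here and not part of the original description, applies the naming patterns from the email section and the network-share list above: it flags executables hidden behind a decoy extension, the worm's subject/attachment pairings, and dropped archives (ZIP data, possibly named .rar) that contain a PassWord, email or book executable. The sample archive and all file names fed to it are constructed.

```python
import io, posixpath, zipfile

# Name lists taken from the description above (lower-cased for matching).
EXEC_EXTS = {"exe", "scr", "pif", "com"}
DECOY_EXTS = {"txt", "doc", "rm", "mp3", "avi", "jpg", "zip", "rar"}  # hidden behind
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
MEMBER_NAMES = {"password", "email", "book"}

def split_name(filename):
    """'Me_nude.AVI.pif' -> ('me_nude', ['avi', 'pif'])."""
    parts = posixpath.basename(filename).lower().split(".")
    return parts[0], parts[1:]

def lure_reasons(filename, subject=None):
    """Why a mail attachment or share file name looks like this worm's lure."""
    base, exts = split_name(filename)
    if not exts or exts[-1] not in EXEC_EXTS:
        return []
    reasons = []
    if len(exts) > 1 and exts[-2] in DECOY_EXTS:
        reasons.append("executable .%s hidden behind .%s" % (exts[-1], exts[-2]))
    if subject is not None and subject.strip().lower() in SUBJECTS and base in ATTACH_NAMES:
        reasons.append("subject/attachment pair from the worm's lists")
    return reasons

def archive_reasons(filename, data):
    """Look inside a dropped archive (ZIP data, possibly with a .rar name)."""
    _, exts = split_name(filename)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return []  # a genuine RAR (or anything else) is out of scope here
    reasons = []
    if exts and exts[-1] == "rar":
        reasons.append("ZIP content with a .rar extension")
    for m in members:
        mbase, mexts = split_name(m)
        if mexts and mexts[-1] in EXEC_EXTS and mbase in MEMBER_NAMES:
            reasons.append("member %s is an executable with a known dropped name" % m)
    return reasons

def make_sample_zip(member="PassWord.scr"):
    # Constructed sample archive; the member is a placeholder, not a binary.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder content, not executable code")
    return buf.getvalue()
```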
W32/Lovgate-Z also attempts to spread via weakly protected remote shares by connecting to the admin$ share using a password from an internal list and copying itself as the file NetManager.exe to the system folder on the share.
The worm tries passwords from the following list:
Guest, Administrator, zxcv, yxcv, xxx, xp, win, test123, test, temp123, temp,
sybase, super, sex, secret, pwd, pw123, pw, pc, Password, owner, oracle,
mypc123, mypc, mypass123, mypass, love, login, Login, Internet, home,
godblessyou, god, enable, database, computer, alpha, admin123, Admin, abcd,
aaa, a, 88888888, 2600, 2003, 2002, 123asd, 123abc, 123456789, 1234567, 123123,
121212, 12, 11111111, 110, 007, 00000000, 000000, 0, pass, 54321, 12345,
password, passwd, server, sql, !@#$%^&*, !@#$%^&, !@#$%^, !@#$%, asdfgh, asdf,
!@#$, 1234, 111, 1, root, abc123, 12345678, abcdefg, abcdef, 888888, 666666,
111111, admin, administrator, guest, 654321, 123456, 321, 123
After successfully copying the file, W32/Lovgate-Z attempts to run it as the service "Windows managment network service extension" on the remote computer.
W32/Lovgate-Z starts a logging thread that listens on port 6000, sends a notification email to an external address and logs received data to the file C:\Netlog.txt.
W32/Lovgate-Z attempts to terminate processes containing the following strings:
rising
SkyNet
Symantec
McAfee
Gate
Rfw.exe
RavMon.exe
kill
Duba
KAV
KV
W32/Lovgate-Z also overwrites EXE files on the system with copies of itself. The original files are saved with a ZMX extension.