Sophos

W32/Lovelet-AD

Aliases
  • Win32/VB.BP
How it spreads
  • Removable storage devices
  • Email attachments
  • Infected files
  • Chat programs
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since 30 April 2007 07:17:08 (GMT)
Detected by All Sophos products

More Information

W32/Lovelet-AD is a worm for the Windows platform.

W32/Lovelet-AD spreads by:
- Copying itself as autorun.inf onto any writable drive
- Email attachments
- Infected files
- Replacing PIF files with a copy of W32/Lovelet-AD
- Yahoo Instant Messenger

W32/Lovelet-AD includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Lovelet-AD copies itself to:

<Desktop>\Microsoft Word Document.scr
<Root>\autorun.inf
<Start Menu>\New Microsoft Word Document.scr
<Start Menu>\Programs\Microsoft Word Document.scr

as well as to numerous other locations (more than 1000 files) within the following folders and their subfolders:

<Application Data>\Microsoft\CD Burning\
<My Documents>\
<Profile>\
<Root>\
<Start Menu>\
<System>\
<Windows>\
<Windows>\Prefetch\
<Windows>\gorgle\

The following registry entries are created to run W32/Lovelet-AD on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
<System>\mskernel.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
<Windows>\lsass.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
WinRun
<Windows>\AutoRun.ini

as well as the following modification of existing entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\services.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\gorgle\csrss.exe

The following registry entries are created to make removal of W32/Lovelet-AD difficult for the user:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entries are set or modified so that W32/Lovelet-AD runs whenever a file with the PIF extension is opened or launched:

HKCR\AVIFile\shell\open\command
(default)
<Windows>\setup\mskernel.exe %1

HKCR\piffile\shell\open\command
(default)
<Windows>\setup\mskernel.exe %1
