Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Read instructions on how to remove the W32/Lovgate-A worm.
More Information
W32/Lovgate-A is a worm and backdoor Trojan. The worm spreads across the local network by copying itself into folders under the following file names:

- billgt.exe
- Card.EXE
- docs.exe
- fun.exe
- hamster.exe
- humor.exe
- images.exe
- joke.exe
- midsong.exe
- news_doc.exe
- pics.exe
- PsPGame.exe
- s3msong.exe
- searchURL.exe
- SETUP.EXE
- tamagotxi.exe

W32/Lovgate-A also attempts to spread via email by sending itself to email addresses collected from *.ht* files. Emails sent to these addresses will have the following characteristics:

| Subject | Message body | Attached file |
|---|---|---|
| Documents | Send me your comments... | Docs.exe |
| Roms | Test this ROM! IT ROCKS!. | Roms.exe |
| Pr0n! | Adult content!!! Use with parental advisory. | Sex.exe |
| Evaluation copy | Test it 30 days for free. | Setup.exe |
| Help | I'm going crazy... please try to find the bug! | Source.exe |
| Beta | Send reply if you want to be official beta tester. | _SetupB.exe |
| Do not release | This is the pack ;) | Pack.exe |
| Last Update | This is the last cumulative update. | LUPdate.exe |
| The patch | I think all will work fine. | Patch.exe |
| Cracks! | Check our list and mail your requests! | CrkList.exe |

The worm also attempts to reply to emails found in the user's inbox.
The worm uses the following attachment names for these emails:

- billgt.exe
- Card.EXE
- docs.exe
- fun.exe
- hamster.exe
- humor.exe
- images.exe
- joke.exe
- midsong.exe
- news_doc.exe
- pics.exe
- PsPGame.exe
- s3msong.exe
- searchURL.exe
- SETUP.EXE
- tamagotxi.exe

W32/Lovgate-A copies itself into the Windows system folder as rpcsrv.exe, syshelp.exe, WinGate.exe, winrpc.exe and WinRpcsrv.exe and sets the following registry entries:

- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module Call initialize = "RUNDLL32.EXE reg.dll ondll_reg"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp = "<Windows system folder>\syshelp.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize = "<Windows system folder>\WinGate.exe -remoteshell"
- HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"

On Windows NT the worm drops the files ily.dll, task.dll, reg.dll and win32vxd.dll into the Windows system folder. These files are also detected as W32/Lovgate-A.
W32/Lovgate-A is also a backdoor Trojan that provides an attacker with unauthorized access to the user's computer and can send notification email messages to the attacker.
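
A defender-side check for the registry entries and dropped file names listed above, as an added example that is not part of the original Sophos description. It assumes input in the layout printed by `reg query`; the sample text, the `C:\WINNT\system32` path and the function name `find_lovgate_entries` are constructed for illustration.

```python
import re

# File names the description says the worm drops into the Windows system folder.
DROPPED = {"rpcsrv.exe", "syshelp.exe", "wingate.exe", "winrpc.exe",
           "winrpcsrv.exe", "ily.dll", "task.dll", "reg.dll", "win32vxd.dll"}
# Registry keys the description says the worm writes to (compared lower-cased).
WATCHED = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\classes\txtfile\shell\open\command",
}
# One value line: four spaces, name, four spaces, type, four spaces, data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
# Any .exe/.dll file name inside the value data, with or without a path.
FILE_RE = re.compile(r"[^\\/\s\"]+\.(?:exe|dll)\b", re.I)


def find_lovgate_entries(reg_query_text):
    """Return (key, value name, data) for watched values naming a dropped file."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # remember which key the values belong to
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None or key.lower() not in WATCHED:
            continue
        name, _type, data = m.groups()
        if {f.lower() for f in FILE_RE.findall(data)} & DROPPED:
            hits.append((key, name, data))
    return hits


# Constructed sample (not captured from a real host); C:\WINNT\system32 is assumed.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Module Call initialize    REG_SZ    RUNDLL32.EXE reg.dll ondll_reg
    syshelp    REG_SZ    C:\WINNT\system32\syshelp.exe
    WinGate initialize    REG_SZ    C:\WINNT\system32\WinGate.exe -remoteshell
    Updater    REG_SZ    C:\Program Files\Example\updater.exe

HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command
    (Default)    REG_SZ    winrpc.exe %1
"""

if __name__ == "__main__":
    for key, name, data in find_lovgate_entries(SAMPLE):
        print(f"{key} :: {name} = {data}")
```

Matching is by file name only and restricted to the two keys named in the description, so a hit is a lead to confirm against the file on disk rather than a verdict.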
