Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 2 July 2004 19:38:04 (GMT) |
| Last updated | 5 August 2004 01:11:24 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinHelp=C:\WINDOWS\System32\TkBellExe.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile=C:\WINDOWS\System32\hxdef.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
VFW Encoder\Decoder Settings=RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft NetMeeting Associates, Inc.=NetMeeting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Program In Windows=C:\WINDOWS\System32\IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Protected Storage=RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Shell Extension=C:\WINDOWS\System32\spollsv.exe
and delete them if they exist.
Locate the HKEY_CLASSES_ROOT entry:
HKCR\txtfile\Shell\open\command\@=Update_OB.exe %1
and delete it if it exists.
Close the registry editor.
More Information
W32/Lovgate-AD is a mass mailing, network and peer-to-peer worm. This worm can terminate processes, drop files and create the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinHelp=C:\WINDOWS\System32\TkBellExe.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile=C:\WINDOWS\System32\hxdef.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
VFW Encoder\Decoder Settings=RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft NetMeeting Associates, Inc.=NetMeeting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Program In Windows=C:\WINDOWS\System32\IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Protected Storage=RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Shell Extension=C:\WINDOWS\System32\spollsv.exe
W32/Lovgate-AD takes advantage of the RPC buffer overflow exploit to gain access to unpatched computers, and also attempts to copy itself into remote network shares that have weak or no passwords. W32/Lovgate-AD is a mass mailing, network and peer-to-peer (P2P) worm. It creates multiple copies of itself in various locations and attempts to autostart those copies. It may also replace copies of EXE files; the original EXE file that has been replaced is renamed with a ZMX extension.
When executed, it first attempts to terminate various processes that might interfere with the working of the worm. These include processes whose names contain the following strings:
"KV"
"KAV"
"Duba"
"NAV"
"kill"
"RavMon.exe" (other versions of Lovgate)
"Rfw.exe"
"Gate"
"McAfee"
"Symantec"
"SkyNet" (other copies of Netsky)
"rising"
It will then copy itself to:
/command.exe
/windows/system32/TkBellExe.exe
/windows/system32/Update_OB.exe
/windows/system32/hxdef.exe
/windows/system32/iexplore.exe
/windows/system32/kernel66.dll (hidden)
/windows/system32/ravmond.exe
/windows/systra.exe
The worm may also drop one of the files MSJDBC11.DLL, MSSIGN30.DLL or ODBC16.DLL, which provide unauthorised remote access to the computer over a network.
In addition to the above locations, it may also copy itself to random locations on the user's computer under various names, such as:
"mmc.exe"
"xcopy.exe"
"winhlp32.exe"
"i386.exe"
"client.exe"
"findpass.exe"
"autoexec.bat"
"MSDN.ZIP.pif"
"Cain.pif"
"WindowsUpdate.pif"
"Support Tools.exe"
"Windows Media Player.zip.exe"
"Microsoft Office.exe"
"Documents and Settings.txt.exe"
"Internet Explorer.bat"
"WinRAR.exe"
It may also drop archive files (with a ZIP or RAR extension) which contain an uncompressed copy of the worm.
In order to run automatically when Windows starts up, the worm creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinHelp=C:\WINDOWS\System32\TkBellExe.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile=C:\WINDOWS\System32\hxdef.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
VFW Encoder\Decoder Settings=RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft NetMeeting Associates, Inc.=NetMeeting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Program In Windows=C:\WINDOWS\System32\IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Protected Storage=RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Shell Extension=C:\WINDOWS\System32\spollsv.exe
The worm also registers itself as services under the names "_reg" and "Windows Management Protocol v.0 (experimental)". It also autostarts itself by modifying win.ini settings.
The worm then creates the following registry key:
HKCR\txtfile\Shell\open\command\@=Update_OB.exe %1
which causes the worm to be executed whenever a text file is opened in Explorer.
W32/Lovgate-AD has numerous ways to spread itself. These include:
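The registry indicators above are the same ones the Action section tells you to look for in Regedit. As an added example (not part of the Sophos advisory), this Python script parses a Regedit export such as the Backup file the Action section asks you to save, and reports whichever of the listed Run values and the txtfile open command are present. The .reg sample embedded at the bottom is constructed for the demonstration; the key paths and value data come from the advisory.

```python
import re
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\Shell\open\command"
# Value name -> data the advisory lists under HKLM\...\Run.
LOVGATE_RUN_VALUES = {
    "WinHelp": r"C:\WINDOWS\System32\TkBellExe.exe",
    "Hardware Profile": r"C:\WINDOWS\System32\hxdef.exe",
    "VFW Encoder\\Decoder Settings": "RUNDLL32.EXE MSSIGN30.DLL ondll_reg",
    "Microsoft NetMeeting Associates, Inc.": "NetMeeting.exe",
    "Program In Windows": r"C:\WINDOWS\System32\IEXPLORE.EXE",
    "Protected Storage": "RUNDLL32.EXE MSSIGN30.DLL ondll_reg",
    "Shell Extension": r"C:\WINDOWS\System32\spollsv.exe",
}
LOVGATE_TXTFILE_COMMAND = "Update_OB.exe %1"  # default value (@) of the txtfile key
# .reg string values look like "Name"="data" or @="data" (@ = default value); backslashes and quotes inside are backslash-escaped.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))="((?:[^"\\]|\\.)*)"$')
def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)
def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):  # [KEY] opens a new key
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(2) or _unescape(m.group(1))] = _unescape(m.group(3))
    return keys

def find_lovgate_entries(keys):
    """Return (key, value_name, data) for each indicator present; registry names are case-insensitive."""
    by_key = {k.lower(): v for k, v in keys.items()}
    want = {n.lower(): d.lower() for n, d in LOVGATE_RUN_VALUES.items()}
    hits = [(RUN_KEY, n, d) for n, d in by_key.get(RUN_KEY.lower(), {}).items()
            if want.get(n.lower()) == d.lower()]
    txt = by_key.get(TXTFILE_KEY.lower(), {})
    if txt.get("@", "").lower() == LOVGATE_TXTFILE_COMMAND.lower():
        hits.append((TXTFILE_KEY, "@", txt["@"]))
    return hits

# Constructed sample export (not a real capture): one benign value beside worm entries.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"WinHelp"="C:\\WINDOWS\\System32\\TkBellExe.exe"
"VFW Encoder\\Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
[HKEY_CLASSES_ROOT\txtfile\Shell\open\command]
@="Update_OB.exe %1"'''
```

Running `find_lovgate_entries(parse_reg_export(SAMPLE_EXPORT))` flags the two worm Run values and the txtfile hijack while leaving the benign ctfmon.exe entry alone; a real export saved with Regedit is UTF-16, so open it with `encoding="utf-16"` before passing its text in.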
1. Spreading via network shares
It can create multiple copies of itself in various network shares by trying to log in with $admin using a default set of passwords, and then dropping files in the same way as it did on the local system.
The worm will also attempt to connect to the service control manager on the remote computer and start another service with a copy of the worm in \system32\netmanager.exe.
W32/Lovgate-AD also enables sharing of the Windows Media folder and copies itself there using various filenames.
2. Spreading via Email
W32/Lovgate-AD spreads by email. The worm also attempts to reply to emails found in the user's inbox using the following filenames as attachments:
'the hardcore game-.pif'
'Sex in Office.rm.scr'
'Deutsch BloodPatch!.exe'
's3msong.MP3.pif'
'Me_nude.AVI.pif'
'How to Crack all gamez.exe'
'Macromedia Flash.scr'
'SETUP.EXE'
'Shakira.zip.exe'
'dreamweaver MX (crack).exe'
'StarWars2 - CloneAttack.rm.scr'
'Industry Giant II.exe'
'DSL Modem Uncapper.rar.exe'
'joke.pif'
'Britney spears nude.exe.txt.exe'
'I am For u.doc.exe'
with the message body reading:
'> Get your FREE %s now! <'
' If you can keep your head when all about you'
' Are losing theirs and blaming it on you;'
' If you can trust yourself when all men doubt you,'
' But make allowance for their doubting too;'
' If you can wait and not be tired by waiting,'
' Or, being lied about,don't deal in lies,'
' Or, being hated, don't give way to hating,'
' And yet don't look too good, nor talk too wise;'
' ... ... more look to the attachment. '
It also attempts to harvest email addresses from WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system. This worm spoofs the sender's email address. The message body will be one of the following texts:
"It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment."
"The message contains Unicode characters and has been sent as a binary attachment."
"Mail failed. For further assistance, please contact!"
3. Spreading via Kazaa remote share
It will copy itself to the kazaa share folder with a random name.
4. Spreading via RPC Buffer overflow exploit.
W32/Lovgate-AD gains remote shell access using the RPC buffer overflow exploit and opens an FTP server on the infected computer. Once it has gained control of the remote computer, it instructs that computer to download a copy of W32/Lovgate-AD named "hxdef.exe" from the infected host.
