Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Read instructions on how to remove the W32/Lovgate-D worm.
More Information
W32/Lovgate-D is a worm and backdoor Trojan. The worm spreads across the local network by copying itself into shared folders using the following filenames:
- billgt.exe
- Card.EXE
- docs.exe
- fun.exe
- hamster.exe
- humor.exe
- images.exe
- joke.exe
- midsong.exe
- news_doc.exe
- pics.exe
- PsPGame.exe
- s3msong.exe
- searchURL.exe
- SETUP.EXE
- tamagotxi.exe

W32/Lovgate-D also attempts to spread via email by sending itself to email addresses collected from *.ht* files. Emails sent to these addresses will have the following characteristics:

| Subject line | Message body | Attached file |
|---|---|---|
| Documents | Send me your comments... | Docs.exe |
| Roms | Test this ROM! IT ROCKS!. | Roms.exe |
| Pr0n! | Adult content!!! Use with parental advisory. | Sex.exe |
| Evaluation copy | Test it 30 days for free. | Setup.exe |
| Help | I'm going crazy... please try to find the bug! | Source.exe |
| Beta | Send reply if you want to be official beta tester. | _SetupB.exe |
| Do not release | This is the pack ;) | Pack.exe |
| Last Update | This is the last cumulative update. | LUPdate.exe |
| The patch | I think all will work fine. | Patch.exe |
| Cracks! | Check our list and mail your requests! | CrkList.exe |

W32/Lovgate-D copies itself into the Windows system folder as rpcsrv.exe, syshelp.exe, WinGate.exe, winrpc.exe and WinRpcsrv.exe and sets the following registry entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp = "<Windows system folder>\syshelp.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize = "<Windows system folder>\WinGate.exe -remoteshell"
- HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"

W32/Lovgate-D is also a backdoor Trojan that provides an attacker with unauthorized access to the user's computer and can send a notification email message to the attacker.
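
The host indicators listed above can be checked together. The following is an added example, not Sophos code: it parses text in the layout printed by `reg query` and a listing of the Windows system folder, then reports the Run entries, the txtfile open-command change and the dropped files named in this description. The function names and the sample input are constructed for illustration.

```python
import re

# Indicators from the description above, lower-cased for comparison.
DROPPED = {"rpcsrv.exe", "syshelp.exe", "wingate.exe", "winrpc.exe", "winrpcsrv.exe"}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hklm\software\classes\txtfile\shell\open\command"
RUN_VALUES = {"syshelp": "syshelp.exe", "wingate initialize": "wingate.exe"}
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample in the layout printed by `reg query`; not from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    syshelp    REG_SZ    C:\WINDOWS\system32\syshelp.exe
    WinGate initialize    REG_SZ    C:\WINDOWS\system32\WinGate.exe -remoteshell
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command
    (Default)    REG_SZ    winrpc.exe %1
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) with key and name lower-cased."""
    key = None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1).lower(), m.group(3)
        elif line.strip() and not line[0].isspace():
            key = line.strip().lower().replace("hkey_local_machine", "hklm", 1)

def image_name(data):
    """Lower-cased name of the first .exe named in a command string."""
    m = re.search(r'([^\\/"\s]+\.exe)', data, re.I)
    return m.group(1).lower() if m else ""

def find_lovgate_d(reg_text, system_dir_listing):
    """Return (kind, name, detail) tuples for every matching indicator."""
    findings = []
    for key, name, data in parse_reg_query(reg_text):
        exe = image_name(data)
        if key == RUN_KEY and RUN_VALUES.get(name) == exe:
            findings.append(("run-key", name, data))
        elif key == TXT_KEY and exe == "winrpc.exe":
            findings.append(("txtfile-handler", name, data))
    for fname in system_dir_listing:
        if fname.lower() in DROPPED:
            findings.append(("dropped-file", fname, ""))
    return findings
```

A `txtfile-handler` finding means the open command for text files points at the worm's copy, so that value needs to be restored as part of cleanup, not only the Run entries and files removed.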
