Sophos

W32/Lovgate-E

Aliases
  • Worm.lovegate.f
  • W32/LovGate.F-m
  • I-Worm.LovGate.f
  • W32/Lovegate.g

Summary

Affected operating systems Windows
Protection available since 28 September 2003 09:46:46 (GMT)
Last updated 8 July 2009 23:33:38 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Read instructions on how to remove the W32/Lovgate-E worm.

More Information

W32/Lovgate-E is a mass mailing worm and a backdoor Trojan. This variant of the
Lovgate family will only work on Microsoft NT/2000/XP platforms.

W32/Lovgate-E has two mass mailing routines. The first sends a message with the
following characteristics to email addresses retrieved from unread messages in
the infected user's Microsoft Outlook folders:

Subject line: Re: "<subject of unread message>"
Message text:
"<Original unread message>

If you can keep your head when all about you
Are losing theirs and blaming it on you:
If you can trust yourself when all men doubt you,
But make allowance for their doubting too:
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise:
... ... more look to the attachment."

The attached file is one of the following:
Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif

The second mass mailing routine sends emails to addresses found in files with
an extension starting with the characters HT, for example HTM and HTML files.
These emails will have a combination of subject line, message text and attached
filename taken from the following lists:

Subject lines:
"See the attachement"
"Hi"
"Hi Dear"
"Attached one gift for u.."
"Help"
"Great"
"for you"
"Last Update"
"Let's Laugh"
"Reply to this!"
"
Message texts:
Send me your comments...
Patrick Ewing will give Knick fans something to cheer about Friday night.

Adult content!!! Use with parental advisory.

It's the long-awaited film version of the Broadway hit. Set in the roaring
20's, this is the story of Chicago chorus girl Roxie Hart (Zellwger), who
shoots her unfaithful lover (West).

This message was created automatically by mail delivery software (Exim).

Send reply if you want to be offical beta tester.

Tiger Woods had two eagles Friday during his victory over Stephen Leaney.(AP
Photo/Denis Poroy)

This is the last cumulative update.

Copy of your message,including all the headers is attached.

For further assistance, please contact!

Attached file:
About_Me.txt.pif
Doom3 Preview!!!.exe
driver.exe
enjoy.exe
images.pif
interesting.exe
Pics.ZIP.scr
README.TXT.pif
Source.exe
YOU_are_FAT!.TXT.pif
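Both mailing routines rely on the same lure: an attachment whose name ends in an executable extension (.exe, .pif, .scr), usually hidden behind a harmless-looking one such as .txt or .avi. The following mail-gateway check, added here as an example and not part of the Sophos advisory, holds messages whose attachment name is on the lists above or carries such a decoy double extension. The known-name list is copied from the advisory; the decoy-extension heuristic, the function names and the sample mailbox are assumptions made for the example.

```python
"""Flag email attachments of the kind W32/Lovgate-E sends.

Constructed example for this advisory; not Sophos code. The known-name list
is copied from the two mailing routines described above; the decoy-extension
heuristic and the sample mailbox are assumptions added here.
"""

# Final extensions Windows will execute when the attachment is double-clicked.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat"}
# Harmless-looking extensions the worm places in front of the real one.
DECOY_EXTS = {"txt", "doc", "avi", "mp3", "zip", "rar", "rm", "jpg", "gif", "mpg"}

# Attachment names from the advisory, lower-cased for matching.
LOVGATE_ATTACHMENTS = {
    "britney spears nude.exe.txt.exe", "deutsch bloodpatch!.exe",
    "dreamweaver mx (crack).exe", "dsl modem uncapper.rar.exe",
    "how to crack all gamez.exe", "i am for u.doc.exe", "industry giant ii.exe",
    "joke.pif", "macromedia flash.scr", "me_nude.avi.pif", "s3msong.mp3.pif",
    "setup.exe", "sex in office.rm.scr", "shakira.zip.exe",
    "starwars2 - cloneattack.rm.scr", "the hardcore game-.pif",
    "about_me.txt.pif", "doom3 preview!!!.exe", "driver.exe", "enjoy.exe",
    "images.pif", "interesting.exe", "pics.zip.scr", "readme.txt.pif",
    "source.exe", "you_are_fat!.txt.pif",
}


def classify_attachment(name):
    """Return the reasons an attachment name looks like a Lovgate-E lure.

    An empty list means these checks found nothing suspicious.
    """
    reasons = []
    lowered = name.strip().lower()
    if lowered in LOVGATE_ATTACHMENTS:
        reasons.append("known W32/Lovgate-E attachment name")
    parts = lowered.split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("decoy double extension: %s.%s" % (parts[-2], parts[-1]))
        else:
            reasons.append("executable attachment: .%s" % parts[-1])
    return reasons


def scan_mailbox(messages):
    """messages: iterable of (subject, attachment_name) pairs.

    Returns the messages that should be held for review, each with reasons.
    """
    held = []
    for subject, attachment in messages:
        reasons = classify_attachment(attachment)
        if reasons:
            held.append({"subject": subject, "attachment": attachment,
                         "reasons": reasons})
    return held


# Constructed sample mailbox (assumption; not data from the advisory).
SAMPLE_MESSAGES = [
    ('Re: "Quarterly figures"', "Me_nude.AVI.pif"),
    ("Hi Dear", "images.pif"),
    ("Minutes", "minutes.docx"),
    ("Photos", "holiday.JPG.pif"),
]

if __name__ == "__main__":
    for hit in scan_mailbox(SAMPLE_MESSAGES):
        print(hit["attachment"], "->", "; ".join(hit["reasons"]))
```

The name list only catches this variant; the double-extension rule is what generalises to the next one, which is why the example reports both reasons separately.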

W32/Lovgate-E copies itself to the Windows system folder with the following
filenames:

iexplore.exe
kernel66.dll
ravmond.exe
windriver.exe
wingate.exe
winhelp.exe
winrpc.exe

Additionally, three identical DLL files (ily668.dll, task688.dll and reg678.dll)
are copied to the Windows system folder. These DLL files form the backdoor
component of this worm and are detected as W32/Lovgate-E.

The following registry entries will be created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Program in Windows
= <System Folder>\iexplore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Remote Procedure Call Locator
= Rundll32.exe reg678.dll ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wingate initialise
= <System Folder>\wingate.exe -remoteshell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp
= <System Folder>\Winhelp.exe
HKCR\txtfile\shell\open\command\Default = winrpc.exe %1

The last of these registry entries will cause the worm to be run every time a
text file is opened.

The worm spreads across the local area network by copying itself to network
shares using the following filenames:

100 free essays school.pif
Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mefia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe

W32/Lovgate-E will attempt to gain Administrator access to computers on the
local area network by testing the administrator password against a list of the
most obvious and common passwords. If administrator access is achieved then the
worm will be copied to the Windows system folder with the filename
NetServices.exe and will be started as a service with the name "Microsoft
Network Firewall Services".

On the local computer the worm will attempt to install itself as a service with
the name "Windows Management Instrumentation Driver Extension". Also the DLL
dropped by the worm will be used to run a service named "NetMeeting Remote
Desktop (RPC) Sharing".
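The dropped filenames, the Run entries, the hijacked txtfile handler and the three service names above are the host-side indicators an incident responder would check. The script below, added as an example and not part of the Sophos advisory, runs those checks over data collected from a host; the indicator lists are taken from the advisory, while the function names and the sample host data are assumptions made for the example (on a real host the inputs would come from a system-folder listing, an export of the Run key and the HKCR\txtfile\shell\open\command default, and the installed service names).

```python
"""Check host artefacts against the W32/Lovgate-E indicators in this advisory.

Constructed example, not Sophos code. The file, registry and service names
come from the advisory; the sample host data below is made up.
"""

# Files the worm drops into the Windows system folder (plus NetServices.exe on
# remote machines it reaches over the network).
DROPPED_FILES = {
    "iexplore.exe", "kernel66.dll", "ravmond.exe", "windriver.exe",
    "wingate.exe", "winhelp.exe", "winrpc.exe",
    "ily668.dll", "task688.dll", "reg678.dll", "netservices.exe",
}

# Run value name -> fragment of the data the worm writes.
RUN_VALUES = {
    "program in windows": "iexplore.exe",
    "remote procedure call locator": "reg678.dll",
    "wingate initialise": "wingate.exe",
    "winhelp": "winhelp.exe",
}

SERVICE_NAMES = {
    "microsoft network firewall services",
    "windows management instrumentation driver extension",
    "netmeeting remote desktop (rpc) sharing",
}


def check_system_folder(filenames):
    """Names in the system folder that match the dropped-file list.

    A name match alone is weak evidence (iexplore.exe and winhelp.exe are
    legitimate names elsewhere on the system); confirm with a scanner.
    """
    return sorted(f for f in filenames if f.lower() in DROPPED_FILES)


def check_run_key(values):
    """values: dict of value name -> data under HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for name, data in values.items():
        fragment = RUN_VALUES.get(name.lower())
        if fragment and fragment in data.lower():
            hits.append((name, data))
    return hits


def check_txtfile_handler(command):
    """True if the .txt open command has been pointed at the worm's winrpc.exe.

    The stock handler is Notepad; the worm replaces it so that opening any
    text file re-launches the worm.
    """
    return "winrpc.exe" in command.lower()


def check_services(display_names):
    """Installed service names that match the three the worm registers."""
    return sorted(n for n in display_names if n.lower() in SERVICE_NAMES)


def assess_host(system_files, run_values, txtfile_command, services):
    """Combine the checks into one report; 'suspected' is True on any hit."""
    report = {
        "dropped_files": check_system_folder(system_files),
        "run_entries": check_run_key(run_values),
        "txtfile_hijack": check_txtfile_handler(txtfile_command),
        "services": check_services(services),
    }
    report["suspected"] = bool(
        report["dropped_files"] or report["run_entries"]
        or report["txtfile_hijack"] or report["services"]
    )
    return report


# Constructed sample host data (assumption; not taken from the advisory).
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "notepad.exe", "winrpc.exe", "reg678.dll"]
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "Program in Windows": "C:\\WINDOWS\\system32\\iexplore.exe",
}
SAMPLE_TXTFILE_COMMAND = "winrpc.exe %1"
SAMPLE_SERVICES = ["Workstation", "NetMeeting Remote Desktop (RPC) Sharing"]

if __name__ == "__main__":
    report = assess_host(SAMPLE_SYSTEM_FILES, SAMPLE_RUN_VALUES,
                         SAMPLE_TXTFILE_COMMAND, SAMPLE_SERVICES)
    for key, value in report.items():
        print(key, "=", value)
```

The txtfile handler check is the most reliable of the four: a text-file association that runs anything other than an editor is abnormal on its own, whereas the filename and service-name matches should be confirmed before the host is treated as infected.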
