Sophos

W32/Lovgate-X

Aliases
  • I-Worm.LovGate.q
  • Win32/Lovgate.X
  • WORM_LOVGATE.Q

Summary

 
Affected operating systems Windows
Protection available since 25 March 2004 13:14:50 (GMT)
Last updated 16 September 2004 10:01:08 (GMT)
Detected by All Sophos products

More Information

W32/Lovgate-X is a worm with backdoor functionality that spreads via email, via network shares protected by weak passwords, and via filesharing networks.

W32/Lovgate-X may arrive in an email with the following characteristics:

Subject line: chosen from:

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message text: chosen from:

It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

The message contains Unicode characters and has been sent as a binary attachment.

Mail failed. For further assistance, please contact!

Attachment name: chosen from:

document
readme
doc
text
file
data
test
message
body

followed by .bat, .cmd, .exe, .pif or .scr
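As an added example, not part of the Sophos description, the following Python classifies a raw RFC 822 message against the email indicators listed above. The subject lines, body texts, attachment stems and extensions are taken from the description; the verdict rule is an assumption of this example: it requires the executable lure attachment together with a listed subject or body text, because subjects such as "hi" and stems such as "test" are far too common to act on alone. The sample messages are constructed for the example and carry a harmless stand-in instead of an executable.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators from the description above (compared case-insensitively).
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
BODY_TEXTS = {
    "It's the long-awaited film version of the Broadway hit. "
    "The message sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail failed. For further assistance, please contact!",
}
ATTACHMENT_STEMS = {"document", "readme", "doc", "text", "file", "data", "test",
                    "message", "body"}
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}


def classify(raw):
    """Return the indicator hits for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    suspicious = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if ext.lower() in EXECUTABLE_EXTS and stem.lower() in ATTACHMENT_STEMS:
            suspicious.append(name)

    subject_hit = subject in SUBJECTS
    body_hit = any(text in body for text in BODY_TEXTS)
    # Assumed rule for this example: the executable lure plus one of the other two
    # traits. A bare "hi" or a bare "document.exe" is not enough on its own.
    return {
        "subject_hit": subject_hit,
        "body_hit": body_hit,
        "attachments": suspicious,
        "verdict": bool(suspicious) and (subject_hit or body_hit),
    }


def build_sample(subject, attachment_name,
                 body="Mail failed. For further assistance, please contact!"):
    """Constructed test message, not a real capture; the attachment is a harmless stand-in."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ stand-in bytes, not a real executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subject, name in [("Mail Transaction Failed", "document.exe"),
                          ("hi", None),
                          ("Quarterly report", "report.pdf")]:
        print(subject, name, classify(build_sample(subject, name)))
```

The same check can be dropped into a mail gateway's content filter; in practice any attachment with one of the five executable extensions is worth quarantining regardless of the verdict here, and the verdict only says whether the message fits this worm's profile.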

When executed, W32/Lovgate-X creates a service named "NetMeeting Remote Sharing", copies itself to the Windows folder as Systra.exe, and copies itself to the Windows system folder as iexplore.exe, Winexe.exe, avmond.exe, WinHelp.exe and Kernel66.dll. The names iexplore.exe and WinHelp.exe are also used by legitimate Windows components installed elsewhere, so a file should be judged by its location and contents rather than by its name alone.

W32/Lovgate-X extracts its backdoor components to the Windows system folder as ODBC16.DLL, msjdbc11.dll and MSSIGN30.DLL (detected as W32/Lovgate-W).

In order to run automatically when Windows starts up, W32/Lovgate-X creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SystemTra
= "C:\WINDOWS\SysTra.EXE"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VFW Encoder/Decoder Settings
= "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Program In Windows
= "C:\WINDOWS\System32\IEXPLORE.EXE"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Protected Storage
= "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
= "RAVMOND.exe"

HKCR\exefile\shell\open\command
= C:\WINDOWS\System\winexe.exe

The last entry replaces the default command used to launch .exe files (normally "%1" %*), so the worm's winexe.exe runs every time any program is started. Restore that value before deleting winexe.exe; otherwise no .exe file will launch on the machine.

W32/Lovgate-X may also modify win.ini by adding the path of RAVMOND.exe to the 'run=' line of the [windows] section.
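As an added example that is not part of the original page, the following Python checks a .reg export and a win.ini copy taken from a suspect machine for the persistence entries above, and writes a remediation .reg that restores the exefile command before deleting the autorun values, in that order, for the reason given above. It parses only the string-value subset of the .reg format. The sample export, the benign "Updater" entry and the HKEY_USERS\.DEFAULT hive path are constructed for illustration; the file names and key paths come from the description.

```python
import ntpath
import re

# File names the description above attributes to the worm (compared case-insensitively).
# iexplore.exe and winhelp.exe are also legitimate names, which is why this check looks
# only at autostart locations rather than at the whole file system.
LOVGATE_FILES = {
    "systra.exe", "iexplore.exe", "winexe.exe", "avmond.exe", "winhelp.exe",
    "kernel66.dll", "odbc16.dll", "msjdbc11.dll", "mssign30.dll", "ravmond.exe",
}
# Autostart keys named in the description, matched as suffixes of the exported key path.
AUTORUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runservices",
    r"\microsoft\windows nt\currentversion\windows",
)
EXEFILE_COMMAND_KEY = r"hkey_classes_root\exefile\shell\open\command"
DEFAULT_EXEFILE_COMMAND = '"%1" %*'  # stock Windows value for launching .exe files

# Constructed sample export; the "Updater" entry is a benign decoy, not from the description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows"="C:\\WINDOWS\\System32\\IEXPLORE.EXE"
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINDOWS\\SysTra.EXE"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\System\\winexe.exe"
"""

# Constructed win.ini fragment.
SAMPLE_WININI = r"""[windows]
load=
run=C:\WINDOWS\System32\RAVMOND.exe
[Desktop]
Wallpaper=(None)
"""


def unescape_reg(value):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_reg(text):
    """Parse the string-value subset of a .reg export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "" if name == "@" else name.strip('"')  # "" is the key's default value
            keys[current][name] = unescape_reg(raw.strip().strip('"'))
    return keys


def referenced_files(data):
    """Lower-cased basenames of every whitespace-separated token in a value."""
    return {ntpath.basename(tok.strip('"')).lower() for tok in data.split()}


def find_autorun_findings(keys):
    """Autostart values whose data names one of the worm's files."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            hits = referenced_files(data) & LOVGATE_FILES
            if hits:
                findings.append((key, name, data, sorted(hits)))
    return findings


def exefile_hijacked(keys):
    """True when launching any .exe is routed through something other than the stock command."""
    lowered = {k.lower(): v for k, v in keys.items()}
    command = lowered.get(EXEFILE_COMMAND_KEY, {}).get("")
    return command is not None and command != DEFAULT_EXEFILE_COMMAND


def winini_run_entries(ini_text):
    """Programs on the run= line of the [windows] section of win.ini."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith("run="):
            return [p.strip() for p in line[4:].split(",") if p.strip()]
    return []


def remediation_reg(keys):
    """A .reg script that restores the exefile command first, then deletes the autorun values."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if exefile_hijacked(keys):
        lines += [r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]", '@="\\"%1\\" %*"', ""]
    for key, name, _, _ in find_autorun_findings(keys):
        lines += [f"[{key}]", f'"{name}"=-', ""]  # "name"=- removes the value on import
    return "\n".join(lines)


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key, name, data, hits in find_autorun_findings(reg):
        print(f"{key}\\{name} = {data!r}  (matches {', '.join(hits)})")
    print("exefile hijacked:", exefile_hijacked(reg))
    print("win.ini run=:", winini_run_entries(SAMPLE_WININI))
    print(remediation_reg(reg))
```

The win.ini 'run=' line has to be edited by hand (or with a text tool) since it is not a registry value; the function only reports what is there. Apply the generated .reg with reg.exe or regedit before removing the dropped files, and take a fresh export afterwards to confirm the exefile command is back to "%1" %*.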

W32/Lovgate-X attempts to terminate processes whose names contain one of the following strings:

KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising

W32/Lovgate-X copies itself to the shared folders of filesharing applications with one of the following filenames:

Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe

W32/Lovgate-X also copies itself to the KaZaa shared folder with one of the following filenames:

wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
W32Dasm
setup
<any name>

followed by .bat, .exe, .pif or .scr
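As an added example, not from the original page, the following Python triages a shared-folder listing for the two lure patterns visible in the file names above: an executable extension hidden behind a document extension (.doc.exe, .txt.pif, .JPG.pif, .zip.exe) and names that promise cracks, hacks or password tools. The inner extensions .gif, .mp3 and .pdf are an added generalization of the pattern, not taken from the description, and the listing is constructed. Because the KaZaa list ends with "<any name>", a file that triggers neither pattern is still only cleared by scanning its contents; name checks are for prioritising, not for clearing.

```python
import os

EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
# Inner extensions behind which the names above hide an executable (.doc, .txt, .JPG, .zip);
# .gif, .mp3 and .pdf are an added generalization, not taken from the description.
DISGUISE_EXTS = {".doc", ".txt", ".jpg", ".zip", ".gif", ".mp3", ".pdf"}
# Words from the lure names above; "creak" is the worm's own misspelling of "crack".
LURE_WORDS = ("crack", "creak", "hack", "password", "stealer", "trainer", "downloader")

# Constructed listing of a shared folder; the .jpg and .txt entries are benign decoys.
SAMPLE_LISTING = [
    "Sex_For_You_Life.JPG.pif",
    "Winrar + crack.exe",
    "setup.exe",
    "holiday.jpg",
    "notes.txt",
]


def is_disguised_executable(name):
    """True for names like 'photo.JPG.pif' where a document extension hides an executable one."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    return os.path.splitext(stem)[1].lower() in DISGUISE_EXTS


def has_lure_word(name):
    """True when the name carries one of the crack/hack/password lure words."""
    lowered = name.lower()
    return any(word in lowered for word in LURE_WORDS)


def triage_shared_folder(names):
    """Return (name, reason) pairs for executables, most suspicious reason first per file.

    Non-executables are not returned. An executable with the plain reason still needs
    a content scan, because the worm can also use any name at all.
    """
    flagged = []
    for name in names:
        if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
            continue
        if is_disguised_executable(name):
            flagged.append((name, "executable disguised with an inner document extension"))
        elif has_lure_word(name):
            flagged.append((name, "executable named like a crack/hack lure"))
        else:
            flagged.append((name, "executable in a shared folder"))
    return flagged


if __name__ == "__main__":
    for name, reason in triage_shared_folder(SAMPLE_LISTING):
        print(f"{name!r}: {reason}")
```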
