Summary

| Included in our products from | June 2003 (3.70) |
|---|---|
| Protection available since | 28 September 2003 09:46:46 (GMT) |
| Detected by | All Sophos products |
Action

Read instructions on how to remove the W32/Lovgate-E worm.
More Information
W32/Lovgate-E is a mass mailing worm and a backdoor Trojan. This variant of the Lovgate family will only work on Microsoft NT/2000/XP platforms.
W32/Lovgate-E has two mass mailing routines. The first sends a message with the following characteristics to email addresses retrieved from unread messages in the infected user's Outlook folders:
Subject line: Re: <subject of unread message>
Message text:
<Original unread message>
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
Attached file: one of the following
Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif
The second mass mailing routine sends emails to addresses found in files with an extension starting with the characters HT, for example HTM and HTML files. These emails will have a combination of subject line, message text and attached filename taken from the following lists:
Subject lines:
See the attachement
Hi
Hi Dear
Attached one gift for u..
Help
Great
for you
Last Update
Let's Laugh
Reply to this!
Message texts:
Send me your comments...
Patrick Ewing will give Knick fans something to cheer about Friday night.
Adult content!!! Use with parental advisory.
It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellwger), who shoots her unfaithful lover (West).
This message was created automatically by mail delivery software (Exim).
Send reply if you want to be offical beta tester.
Tiger Woods had two eagles Friday during his victory over Stephen Leaney.(AP Photo/Denis Poroy)
This is the last cumulative update.
Copy of your message,including all the headers is attached.
For further assistance, please contact!
Attached file:
About_Me.txt.pif
Doom3 Preview!!!.exe
driver.exe
enjoy.exe
images.pif
interesting.exe
Pics.ZIP.scr
README.TXT.pif
Source.exe
YOU_are_FAT!.TXT.pif
W32/Lovgate-E copies itself to the Windows system folder with the following filenames:
iexplore.exe
kernel66.dll
ravmond.exe
windriver.exe
wingate.exe
winhelp.exe
winrpc.exe
Additionally, three identical DLL files (ily668.dll, task688.dll and reg678.dll) are copied to the Windows system folder. These DLL files form the backdoor component of the worm and are also detected as W32/Lovgate-E.
The following registry entries will be created:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Program in Windows = <System Folder>\iexplore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Remote Procedure Call Locator = Rundll32.exe reg678.dll ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wingate initialise = <System Folder>\wingate.exe -remoteshell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp = <System Folder>\Winhelp.exe
HKCR\txtfile\shell\open\command\Default = winrpc.exe %1
The last of these registry entries will cause the worm to be run every time a text file is opened.
The worm spreads across the local area network by copying itself to network shares using the following filenames:
100 free essays school.pif
Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mefia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe
W32/Lovgate-E will attempt to gain Administrator access to machines on the local area network by testing the administrator password against a list of the most obvious and common passwords. If administrator access is achieved then the worm will be copied to the system folder with the filename NetServices.exe and will be started as a service with the name "Microsoft Network Firewall Services".
On the local machine the worm will attempt to install itself as a service with the name "Windows Management Instrumentation Driver Extension". Also the DLL dropped by the worm will be used to run a service named "NetMeeting Remote Desktop (RPC) Sharing".
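The registry entries and service names listed above can be checked on an exported host snapshot. The following is an added triage example, not code from the original analysis or from Sophos; the snapshot format (dicts of registry values and a list of service names) is assumed for offline use, and the sample snapshot is constructed.

```python
import re

# Indicators taken from the analysis above (Run value name -> data fragment).
LOVGATE_RUN_VALUES = {
    "Program in Windows": "iexplore.exe",
    "Remote Procedure Call Locator": "reg678.dll ondll_reg",
    "Wingate initialise": "wingate.exe -remoteshell",
    "WinHelp": "winhelp.exe",
}
LOVGATE_SERVICES = {
    "Microsoft Network Firewall Services",
    "Windows Management Instrumentation Driver Extension",
    "NetMeeting Remote Desktop (RPC) Sharing",
}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKCR\txtfile\shell\open\command"

def find_lovgate_indicators(registry, services):
    """Return (kind, detail) tuples for every Lovgate-E indicator present.

    registry: {key_path: {value_name: data}} (assumed snapshot format, "" = Default)
    services: iterable of installed service names
    """
    hits = []
    for name, data in registry.get(RUN_KEY, {}).items():
        fragment = LOVGATE_RUN_VALUES.get(name)
        if fragment and fragment.lower() in data.lower():
            hits.append(("run-key", f"{name} = {data}"))
    # The default txtfile handler is notepad; "winrpc.exe %1" runs the worm on every .txt open.
    cmd = registry.get(TXTFILE_KEY, {}).get("", "")
    if re.search(r"\bwinrpc\.exe\b", cmd, re.IGNORECASE):
        hits.append(("txtfile-hijack", cmd))
    hits.extend(("service", svc) for svc in services if svc in LOVGATE_SERVICES)
    return hits

# Constructed sample snapshot, not a capture from a real host.
SAMPLE_REGISTRY = {
    RUN_KEY: {
        "Program in Windows": r"C:\WINNT\System32\iexplore.exe",
        "Wingate initialise": r"C:\WINNT\System32\wingate.exe -remoteshell",
        "Legit Updater": r"C:\Program Files\Legit\updater.exe",
    },
    TXTFILE_KEY: {"": "winrpc.exe %1"},
}
SAMPLE_SERVICES = ["Spooler", "Windows Management Instrumentation Driver Extension"]

if __name__ == "__main__":
    for kind, detail in find_lovgate_indicators(SAMPLE_REGISTRY, SAMPLE_SERVICES):
        print(kind, detail)
```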
