Sophos

W32/Lovgate-A

Aliases
  • WORM_LOVGATE.A

Summary

Included in our products from April 2003 (3.68)
Detected by All Sophos products

Action

Read instructions on how to remove the W32/Lovgate-A worm.

More Information

W32/Lovgate-A is a worm and backdoor Trojan. The worm spreads across the local network by copying itself to shared folders under the following filenames:

billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe

W32/Lovgate-A also attempts to spread by email, sending itself to addresses harvested from files matching *.ht* (for example *.htm and *.html) on the infected computer. These emails use one of the following subject, message body and attachment combinations:

Subject: Documents
Message body: Send me your comments...
Attached file: Docs.exe

Subject: Roms
Message body: Test this ROM! IT ROCKS!.
Attached file: Roms.exe

Subject: Pr0n!
Message body: Adult content!!! Use with parental advisory.
Attached file: Sex.exe

Subject: Evaluation copy
Message body: Test it 30 days for free.
Attached file: Setup.exe

Subject: Help
Message body: I'm going crazy... please try to find the bug!
Attached file: Source.exe

Subject: Beta
Message body: Send reply if you want to be official beta tester.
Attached file: _SetupB.exe

Subject: Do not release
Message body: This is the pack ;)
Attached file: Pack.exe

Subject: Last Update
Message body: This is the last cumulative update.
Attached file: LUPdate.exe

Subject: The patch
Message body: I think all will work fine.
Attached file: Patch.exe

Subject: Cracks!
Message body: Check our list and mail your requests!
Attached file: CrkList.exe

The worm also replies to messages found in the user's inbox, attaching a copy of itself under one of the following names:

billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe
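As an added example (not Sophos's code), the following Python mail-filter check flags messages that match either the mass-mailing subject/attachment pairs or the reply-attachment names listed above. The three messages it inspects are constructed samples built inline; the gateway hook that would pass real mail into classify_message() is assumed and not shown.

```python
"""Flag mail that matches the W32/Lovgate-A propagation patterns listed above.

Added example, not Sophos code. The messages it inspects are constructed
samples built inline; the gateway hook that would pass real mail into
classify_message() is assumed and not shown.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional

# Subject (lower-cased) -> attachment name used by the mass-mailing routine (from the page).
LOVGATE_SUBJECT_ATTACHMENT = {
    "documents": "docs.exe",
    "roms": "roms.exe",
    "pr0n!": "sex.exe",
    "evaluation copy": "setup.exe",
    "help": "source.exe",
    "beta": "_setupb.exe",
    "do not release": "pack.exe",
    "last update": "lupdate.exe",
    "the patch": "patch.exe",
    "cracks!": "crklist.exe",
}

# Attachment names used when the worm replies to mail found in the inbox (from the page).
LOVGATE_REPLY_ATTACHMENTS = {
    "billgt.exe", "card.exe", "docs.exe", "fun.exe", "hamster.exe", "humor.exe",
    "images.exe", "joke.exe", "midsong.exe", "news_doc.exe", "pics.exe",
    "pspgame.exe", "s3msong.exe", "searchurl.exe", "setup.exe", "tamagotxi.exe",
}


def attachment_names(msg: EmailMessage) -> List[str]:
    """Lower-cased filename of every attachment part (the worm mixes case: Card.EXE, SETUP.EXE)."""
    return [(part.get_filename() or "").lower() for part in msg.iter_attachments()]


def classify_message(raw: bytes) -> List[str]:
    """Return the reasons a raw RFC 5322 message looks like Lovgate-A traffic; [] means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    names = attachment_names(msg)
    reasons = []
    expected = LOVGATE_SUBJECT_ATTACHMENT.get(subject)
    if expected and expected in names:
        reasons.append(f"mass-mail pattern: subject {subject!r} with attachment {expected}")
    for name in names:
        if name in LOVGATE_REPLY_ATTACHMENTS:
            reasons.append(f"reply-attachment name: {name}")
    # An .exe attachment on its own is only a weak signal, so it is reported separately
    # and only when nothing stronger matched; a gateway policy can decide what to do with it.
    if not reasons and any(name.endswith(".exe") for name in names):
        reasons.append("executable attachment (weak signal)")
    return reasons


def build_sample(subject: str, body: str, filename: Optional[str]) -> bytes:
    """Build a constructed sample message; filename=None gives a plain-text mail."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        # A few bytes standing in for a PE file; constructed, not worm code.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


WORM_SAMPLE = build_sample("Documents", "Send me your comments...", "Docs.exe")
REPLY_SAMPLE = build_sample("Re: lunch?", "see attached", "Card.EXE")
CLEAN_SAMPLE = build_sample("Documents", "Agenda for tomorrow", None)

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("reply", REPLY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(f"{label}: {classify_message(raw)}")
```

Filenames are compared case-insensitively because the worm itself mixes case (Card.EXE, SETUP.EXE, docs.exe), and the subject match is only reported together with its expected attachment, so a legitimate "Help" or "Documents" mail without the payload is not flagged.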

W32/Lovgate-A copies itself into the Windows system folder as rpcsrv.exe, syshelp.exe, WinGate.exe, winrpc.exe and WinRpcsrv.exe and sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module Call initialize = "RUNDLL32.EXE reg.dll ondll_reg"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp = "<Windows system folder>\syshelp.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize = "<Windows system folder>\WinGate.exe -remoteshell"

HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"

The three Run entries start the worm at every logon. The last entry replaces the default handler for text files, so opening any .txt file launches winrpc.exe (with the file's path as %1) instead of Notepad; restore that handler when cleaning, otherwise the worm is re-launched the next time a text file is opened.

On Windows NT the worm drops the files ily.dll, task.dll, reg.dll and win32vxd.dll into the Windows system folder. These files are also detected as W32/Lovgate-A.
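As an added example (not Sophos's code), the following Python script parses the text format written by `reg export` and reports the Run-key values and the txtfile handler hijack listed above, plus any of the dropped filenames present in a directory listing of the system folder. The export and the listing are constructed samples embedded inline.

```python
"""Triage a registry export for the W32/Lovgate-A persistence entries listed above.

Added example, not Sophos code. parse_reg_export() reads the text format that
`reg export` writes; SAMPLE_EXPORT and SAMPLE_LISTING are constructed samples.
"""
import re
from typing import Dict, Iterable, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command"

# Run value name (lower-cased) -> fragment that identifies the worm's command line (from the page).
LOVGATE_RUN_VALUES = {
    "module call initialize": "reg.dll ondll_reg",
    "syshelp": "syshelp.exe",
    "wingate initialize": "wingate.exe -remoteshell",
}

# Files the worm writes to the Windows system folder (from the page).
LOVGATE_FILES = {
    "rpcsrv.exe", "syshelp.exe", "wingate.exe", "winrpc.exe", "winrpcsrv.exe",
    "ily.dll", "task.dll", "reg.dll", "win32vxd.dll",
}

# "Name"=data  or  @=data (the key's default value)
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; the default value is stored under "@".

    REG_SZ data ("...") is unescaped; other types (dword:, hex:) are kept verbatim.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is None or not line or line.startswith(";"):
            continue
        else:
            m = _VALUE_RE.match(line)
            if not m:
                continue  # continuation lines of hex: data, etc.
            name = "@" if m.group("default") else m.group("name").replace('\\"', '"')
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_registry_indicators(export_text: str) -> List[Tuple[str, str, str]]:
    """(key, value name, data) for every registry value matching the worm's changes."""
    keys = {k.lower(): v for k, v in parse_reg_export(export_text).items()}
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        fragment = LOVGATE_RUN_VALUES.get(name.lower())
        if fragment and fragment in data.lower():
            hits.append((RUN_KEY, name, data))
    # With this handler, opening a .txt file runs winrpc.exe with the file as %1
    # instead of Notepad, so the worm restarts even after the Run entries are removed.
    handler = keys.get(TXTFILE_KEY.lower(), {}).get("@", "")
    if "winrpc.exe" in handler.lower():
        hits.append((TXTFILE_KEY, "@", handler))
    return hits


def find_dropped_files(listing: Iterable[str]) -> List[str]:
    """Names from a system-folder listing that match the worm's dropped files (case-insensitive)."""
    return sorted(name for name in listing if name.lower() in LOVGATE_FILES)


# Constructed sample export: one legitimate Run entry plus the worm's entries.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"syshelp"="C:\\WINDOWS\\system32\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\system32\\WinGate.exe -remoteshell"

[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

# Constructed sample directory listing of the Windows system folder.
SAMPLE_LISTING = ["kernel32.dll", "notepad.exe", "WinGate.exe", "reg.dll", "rpcsrv.exe"]

if __name__ == "__main__":
    for key, name, data in find_registry_indicators(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data}")
    print("dropped files:", find_dropped_files(SAMPLE_LISTING))
```

On a real machine, export the two keys with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and the same for the txtfile key, then pass the file contents to find_registry_indicators(); note that `reg export` writes UTF-16 with a byte-order mark, so open the file with encoding="utf-16". Key paths and value names are compared case-insensitively because the registry itself is.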

W32/Lovgate-A also acts as a backdoor Trojan, giving an attacker unauthorized access to the infected computer, and can send notification emails to the attacker.
