The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

 

 

 

We Build the Best & Repair the Rest! ©

Top 10 malware reported to Sophos in April 2003

Position  Last month  Malware          Percentage of reports
1         1           W32/Klez-H       12.7%
2         Re-entry    W32/Lovgate-E     4.9%
3         8           W32/Bugbear-A     4.3%
4         2           W32/Sobig-A       3.3%
5         Re-entry    W32/ElKern-C      2.9%
6         5           W32/Yaha-E        2.9%
7         7           W32/Yaha-K        2.9%
8         9           JS/NoClose        2.1%
9         Re-entry    W32/Flcss         1.9%
10        New         Dial/Datemake-A   1.6%
Others                                 60.5%

 

This section describes how the worm behaves.
W32/Lovgate-E is a mass-mailing worm with a backdoor Trojan component. This variant of the Lovgate family only runs on Microsoft Windows NT/2000/XP.

W32/Lovgate-E has two mass mailing routines. The first sends a message with the following characteristics to email addresses retrieved from unread messages in the infected user's Outlook folders:

Subject line: Re: <subject of unread message>
Message text:
<Original unread message>

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

Attached file: one of the following

Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif

The second mass mailing routine sends emails to addresses harvested from files whose extension starts with the characters HT, for example HTM and HTML files. These emails use a combination of subject line, message text and attached filename taken from the following lists (spelling and punctuation are the worm's own):

Subject lines:

See the attachement
Hi
Hi Dear
Attached one gift for u..
Help
Great
for you
Last Update
Let's Laugh
Reply to this!

Message texts:

Send me your comments...
Patrick Ewing will give Knick fans something to cheer about Friday night.

Adult content!!! Use with parental advisory.

It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellwger), who shoots her unfaithful lover (West).

This message was created automatically by mail delivery software (Exim).

Send reply if you want to be offical beta tester.

Tiger Woods had two eagles Friday during his victory over Stephen Leaney.(AP Photo/Denis Poroy)

This is the last cumulative update.

Copy of your message,including all the headers is attached.

For further assistance, please contact!

Attached file:

About_Me.txt.pif
Doom3 Preview!!!.exe
driver.exe
enjoy.exe
images.pif
interesting.exe
Pics.ZIP.scr
README.TXT.pif
Source.exe
YOU_are_FAT!.TXT.pif

W32/Lovgate-E copies itself to the Windows system folder with the following filenames:

iexplore.exe
kernel66.dll
ravmond.exe
windriver.exe
wingate.exe
winhelp.exe
winrpc.exe

Additionally, three identical DLL files (ily668.dll, task688.dll and reg678.dll) are copied to the Windows system folder. These DLLs implement the worm's backdoor component and are also detected as W32/Lovgate-E.

The following registry entries will be created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Program in Windows = <System Folder>\iexplore.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Remote Procedure Call Locator = Rundll32.exe reg678.dll ondll_reg

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Wingate initialise = <System Folder>\wingate.exe -remoteshell

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinHelp = <System Folder>\Winhelp.exe

HKCR\txtfile\shell\open\command\Default = winrpc.exe %1

The last of these entries replaces the default handler for text files, so the worm (winrpc.exe) is run, with the file's path as its argument, every time a .txt file is opened.
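To check a machine for these entries, the following Python is an added example (not code from this page or from Sophos) that triages the text output of `reg query` for the Run key and for the txtfile handler. It looks for the dropped filenames listed on this page, for Rundll32 loading a DLL by bare name, for the -remoteshell switch, and for a .txt handler other than the stock one. The sample output is constructed to mirror the entries above plus one clean value; the expected notepad command line is an assumption about a default Windows 2000/XP install.

```python
r"""Triage `reg query` output for the persistence entries W32/Lovgate-E creates.

Added example for this page; not code from the original page or from Sophos.
On the host run
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    reg query HKCR\txtfile\shell\open\command
and feed the combined text to triage(). SAMPLE below is constructed.
"""
import re

# Filenames the worm drops into the system folder (from the description on this page).
DROPPED = {
    "iexplore.exe", "kernel66.dll", "ravmond.exe", "windriver.exe", "wingate.exe",
    "winhelp.exe", "winrpc.exe", "ily668.dll", "task688.dll", "reg678.dll", "netservices.exe",
}
# Stock handler for .txt files (assumption: default Windows 2000/XP install).
EXPECTED_TXTFILE_CMD = r"%systemroot%\system32\notepad.exe %1"

# `reg query` prints each value as 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, data) triples from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m["name"], m["data"]


def reasons_for(key, name, data):
    """Return the list of indicators an entry trips (empty for a clean entry)."""
    low = data.lower()
    reasons = []
    # 1. A dropped-file name in the command. The real iexplore.exe lives under
    #    Program Files, so a copy referenced from the system folder is the indicator.
    hits = sorted(f for f in DROPPED if re.search(r"(^|[\\\s\"])" + re.escape(f) + r"\b", low))
    if hits and "program files" not in low:
        reasons.append("references dropped file(s): " + ", ".join(hits))
    # 2. Rundll32 loading a DLL by bare name: resolved through the DLL search path,
    #    which is how `Rundll32.exe reg678.dll ondll_reg` reaches the dropped DLL.
    tokens = low.split()
    if tokens and tokens[0].rsplit("\\", 1)[-1].strip('"') in ("rundll32", "rundll32.exe"):
        dll = tokens[1].split(",")[0] if len(tokens) > 1 else ""
        if dll and "\\" not in dll:
            reasons.append(f"rundll32 loads {dll} via DLL search path")
    # 3. The backdoor switch seen on the Wingate entry.
    if "-remoteshell" in tokens:
        reasons.append("-remoteshell backdoor switch")
    # 4. Hijacked .txt association: every text file opened now launches the worm.
    if key.lower().endswith(r"txtfile\shell\open\command") and name == "(Default)":
        normalised = " ".join(low.replace('"', "").split())
        if normalised != EXPECTED_TXTFILE_CMD:
            reasons.append("txtfile open handler is not notepad")
    return reasons


def triage(text):
    """Return [(key, value_name, data, reasons)] for every suspicious entry in `text`."""
    out = []
    for key, name, data in parse_reg_query(text):
        reasons = reasons_for(key, name, data)
        if reasons:
            out.append((key, name, data, reasons))
    return out


# Constructed `reg query` output mirroring the entries above plus one clean value (ctfmon).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Program in Windows    REG_SZ    C:\WINDOWS\system32\iexplore.exe
    Remote Procedure Call Locator    REG_SZ    Rundll32.exe reg678.dll ondll_reg
    Wingate initialise    REG_SZ    C:\WINDOWS\system32\wingate.exe -remoteshell
    WinHelp    REG_SZ    C:\WINDOWS\system32\Winhelp.exe

HKEY_CLASSES_ROOT\txtfile\shell\open\command
    (Default)    REG_EXPAND_SZ    winrpc.exe %1
"""

if __name__ == "__main__":
    for key, name, data, reasons in triage(SAMPLE):
        print(f"{key}\n  {name} = {data}\n  -> {'; '.join(reasons)}")
```

On the constructed sample every entry except ctfmon is reported, and the txtfile value trips both the dropped-file rule and the handler rule. Rule 2 is worth keeping after cleanup as well: any Run value that hands Rundll32 a DLL without a full path is relying on search-order resolution and deserves a look regardless of the DLL's name.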

The worm spreads across the local area network by copying itself to network shares using the following filenames:

100 free essays school.pif
Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mefia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe
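The two mail attachment lists above and the share-copy list just given all rely on the same trick: a harmless-looking extension (.txt, .AVI, .zip, .rm) placed in front of one that Windows will execute (.exe, .pif, .scr, .bat), with a tempting name to make the click more likely. The following Python is an added example, not code from this page or from Sophos: it classifies such names, applies the check to attachments parsed out of a raw message, and notes when the message is a "Re:" reply as in the first mailing routine. The extension sets, the benign sample names and the sample message are assumptions constructed for the example; the suspicious sample names are taken from the lists on this page.

```python
"""Flag deceptive attachment and share-copy filenames of the kind W32/Lovgate-E uses.

Added example for this page; not code from the original page or from Sophos.
The extension sets, the benign names and the sample message are constructed.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (assumption: a typical 2003-era set).
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Harmless-looking extensions the worm places in front of the real one as a decoy.
DECOY_EXT = {"txt", "doc", "jpg", "gif", "avi", "mp3", "rm", "zip", "rar", "htm", "html", "pdf"}


def classify_name(name):
    """Return a reason string if `name` is an executable, possibly disguised, else None."""
    exts = name.lower().split(".")[1:]
    if not exts:
        return None
    last = exts[-1].strip()
    if last not in EXEC_EXT:
        return None
    decoys = [e for e in exts[:-1] if e in DECOY_EXT]
    if decoys:
        return f"executable .{last} disguised as .{decoys[-1]}"
    return f"executable .{last}"


def scan_message(raw):
    """Parse a raw RFC 822 message and return [(filename, reason)] for risky attachments."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_name(name)
        if reason:
            # A "Re:" reply carrying an executable matches the first mailing routine above.
            if (msg["Subject"] or "").lower().startswith("re:"):
                reason += " in a reply"
            findings.append((name, reason))
    return findings


def build_sample_message():
    """Constructed message shaped like routine 1 above: quoted original plus a .pif attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: quarterly figures"
    msg.set_content("Original unread message text\n\n"
                    "If you can keep your head when all about you\n"
                    "... ... more look to the attachment.\n")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="joke.pif")
    return msg.as_string()


# Suspicious names from the lists on this page; benign names are constructed.
WORM_NAMES = [
    "Britney spears nude.exe.txt.exe", "Me_nude.AVI.pif", "DSL Modem Uncapper.rar.exe",
    "StarWars2 - CloneAttack.rm.scr", "joke.pif", "SETUP.EXE", "README.TXT.pif",
    "autoexec.bat", "Panda Titanium Crack.zip.exe",
]
BENIGN_NAMES = ["report.pdf", "holiday.jpg", "notes.txt", "archive.zip", "README"]


def audit(names):
    """Map each name to its reason (None when the name looks harmless)."""
    return {n: classify_name(n) for n in names}


if __name__ == "__main__":
    for name, reason in audit(WORM_NAMES + BENIGN_NAMES).items():
        print(f"{name!r:40} {reason}")
    print(scan_message(build_sample_message()))
```

Run `audit()` over a mail gateway's attachment names or over a directory listing of a share; anything that returns a reason should be quarantined. The benign list shows the check stays quiet on plain documents and archives, and `scan_message()` shows the same rule applied to a parsed message rather than a bare list of names.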

W32/Lovgate-E attempts to gain Administrator access to other machines on the local area network by trying a list of the most obvious and commonly used passwords against the Administrator account. If it succeeds, the worm is copied to that machine's system folder as NetServices.exe and started as a service named "Microsoft Network Firewall Services".

On the local machine the worm will attempt to install itself as a service with the name "Windows Management Instrumentation Driver Extension". Also the DLL dropped by the worm will be used to run a service named "NetMeeting Remote Desktop (RPC) Sharing".

Recovery

This section tells you how to remove the threat.
Read instructions on how to remove the W32/Lovgate-E worm.

Our VIRUS Alert Post for April 2003

Here you will find recent virus alerts...

Descriptions for Newly Discovered Threats (Includes Viruses, Trojans and Hoaxes)

Risk is N/A for the "application" entries (adware, keyloggers, dialers), which are not rated as viruses. "Included in DAT" is the signature file version that first detects the threat.

Name                           Date Discovered  Home Risk     Corporate Risk  Included in DAT
W32/Jeefo                      04/30/2003       Low           Low             4262
Adware-ShowBehind application  04/30/2003       N/A           N/A             4262
W32/Lovelorn@MM                04/28/2003       Low-Profiled  Low-Profiled    4260
W32/Sory.worm                  04/25/2003       Low           Low             4260
UNIX/Exploit-Snort.191         04/24/2003       Low           Low             4260
W32/Coronex.worm.b             04/24/2003       Low           Low             4260
W32/Coronex.worm.gen           04/22/2003       Low           Low             4259
BackDoor-ATG                   04/21/2003       Low           Low             4260
QDel379                        04/21/2003       Low           Low             4260
Keylog-Perfect.dr              04/20/2003       Low           Low             4260
Keylog-Perfect application     04/20/2003       N/A           N/A             4260
PornDial-167 application       04/20/2003       N/A           N/A             4260
W32/Holar.g@mm                 04/19/2003       Low           Low             4259
Keylog-Panteras application    04/16/2003       N/A           N/A             4260
BackDoor-ASW                   04/14/2003       Low           Low             4259
Proxy-Guzu                     04/14/2003       Low           Low             4259
Gpix                           04/11/2003       Low           Low             4258
VBS/Lisa.A@mm                  04/11/2003       Low           Low             4216
BackDoor-ASR                   04/10/2003       Low           Low             4258
DDoS-Stinkbot                  04/10/2003       Low           Low             4258
W32/Morb@MM                    04/10/2003       Low           Low             4258
RemoXec application            04/10/2003       N/A           N/A             4258
UNIX/Exploit-Samba             04/09/2003       Low-Profiled  Low-Profiled    4258
QDel378                        04/09/2003       Low           Low             4258
IRC/Flood.bu                   04/08/2003       Low           Low             4258
ProcKill-AH                    04/04/2003       Low           Low             4258
BackDoor-ASL                   04/02/2003       Low           Low             4257
Downloader-BW.c                04/01/2003       Low           Low             4255

 

 

Copyright © 1998 The Computer Guys