Virus: Worm/Lovgate.AU.2
Date discovered: 01/07/2004
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Low to medium
Static file: Yes
File size: 143.360 Bytes
MD5 checksum: ebb2e4a8c367e6d0967ac89ef89580cd
VDF version: 6.26.00.12

General Methods of propagation:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Lovgate.X@mm
   •  Mcafee: W32/Lovgate.ac@MM
   •  Kaspersky: Email-Worm.Win32.LovGate.ad
   •  Sophos: W32/Lovgate-F
   •  Grisoft: I-Worm/Lovgate
   •  Bitdefender: Win32.LovGate.AC@mm


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Files:
It copies itself to the following locations:
   • %SYSDIR%\realsched.exe
   • %SYSDIR%\vptray.exe
   • %SYSDIR%\hxdef.exe
   • %SYSDIR%\RAVMOD.exe
   • %SYSDIR%\IEXPLORE.EXE
   • %SYSDIR%\kernel66.dll
   • %WINDIR%\SYSTRA.EXE
   • %drive%\COMMAND.EXE



The following files are created:

– %drive%\AUTORUN.INF
  This is a non-malicious text file with the following content:
   • [AUTORUN]
     Open="%drive%\COMMAND.EXE" /StartExplorer

– %malware execution directory%\results.txt

– %SYSDIR%\ODBC16.dll
  Further investigation showed that this file is malware, too. Detected as: Worm/Lovgate.W.2

– %SYSDIR%\msjdbc11.dll
  Detected as: Worm/Lovgate.W.2

– %SYSDIR%\LMMIB20.DLL
  Detected as: Worm/Lovgate.W.2

– %SYSDIR%\MSSIGN30.DLL
  Detected as: Worm/Lovgate.W.2

– %SYSDIR%\NetMeeting.exe
  Detected as: Worm/Lovgate.W.1

– %WINDIR%\suchost.exe
  Detected as: Worm/Lovgate.AU.1

It tries to execute the following files:

– Filename:
   • rundll.exe
using the following command line arguments: %malware dll% ondll_reg


– Filename:
   • rundll.exe
using the following command line arguments: %malware dll% ondll_install

Registry:
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "WinHelp"="%SYSDIR%\realsched.exe"
   • "Hardware Profile"="%SYSDIR%\hxdef.exe"
   • "VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
   • "Microsoft NetMeeting Associates, Inc."="NetMeeting.exe"
   • "Program In Windows"="%SYSDIR%\IEXPLORE.EXE"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices]
   • "SystemTra"="%WINDIR%\SysTra.EXE"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\_reg]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="Rundll32.exe msjdbc11.dll ondll_server"
   • "DisplayName"="_reg"
   • "ObjectName"="LocalSystem"

– [HKLM\SYSTEM\CurrentControlSet\Services\_reg\Security]
   • "Security"=%hex values%



The following registry keys are added:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   • "run"="RAVMOND.exe"

– [HKCR\txtfile\shell\open\command]
   • @="vptray.exe %1"
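The persistence entries above (the Run/RunServices value names, the "_reg" service whose ImagePath is "Rundll32.exe ... ondll_server", and the hijacked txtfile handler) can be checked for in a registry export. The following is an added example for this description, not code from the vendor; it scans a constructed .reg-style export with indicator names taken from the page, and the benign OneDrive entry is a constructed control that must not be flagged.

```python
import re

# Constructed sample of a .reg-style export. The worm-related entries
# mirror the keys and values listed in this description; the OneDrive
# entry is a benign control that must not be flagged.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="C:\\WINDOWS\\system32\\realsched.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg]
"ImagePath"="Rundll32.exe msjdbc11.dll ondll_server"
"DisplayName"="_reg"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="vptray.exe %1"
"""

# Value names the worm registers under Run / RunServices (from the description).
WORM_VALUE_NAMES = {
    "WinHelp", "Hardware Profile", "VFW Encoder/Decoder Settings",
    "Microsoft NetMeeting Associates, Inc.", "Program In Windows", "SystemTra",
}
# rundll32 loading a DLL and calling an ondll_* export is the worm's loader pattern.
RUNDLL_PATTERN = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll\s+ondll_\w+", re.IGNORECASE)
VALUE_LINE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')
TXTFILE_KEY = r"hkey_classes_root\txtfile\shell\open\command"

def find_lovgate_persistence(reg_text):
    """Return (key, value_name, data) for every entry matching an indicator above."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = m.group("name") or "@"
        data = m.group("data").strip('"')
        if name in WORM_VALUE_NAMES and key.upper().endswith(("\\RUN", "\\RUNSERVICES")):
            hits.append((key, name, data))          # autostart value name
        elif RUNDLL_PATTERN.search(data):
            hits.append((key, name, data))          # rundll32 ... ondll_* loader
        elif key.lower() == TXTFILE_KEY and data.lower().startswith("vptray.exe"):
            hits.append((key, name, data))          # hijacked .txt file handler
    return hits
```

The rundll32 check also covers the "%malware dll% ondll_reg" / "ondll_install" command lines listed earlier, since it keys on the ondll_* export name rather than on a specific DLL.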

File infection:
The following file is infected:

Email:
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described in the following:


From:
The sender address is spoofed.
The sender address is the user's Outlook account.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • ERROR
   • hello
   • hi
   • Mail Delivery System
   • Mail TRansaction Failed
   • Server Report
   • Status
   • TEST

In some cases the subject might also be empty.
Furthermore the subject line could contain random letters.


Body:
– In some cases it may be empty.
– In some cases it may contain random characters.

The body of the email is one of the lines:
   • Mail failed. For further assistance, please contact!
   • The message contains Unicode characters and has been sent as a binary attachment.
   • It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
   • pass


Attachment:
The attachment name is one of the following:
   • body
   • data
   • doc
   • document
   • file
   • message
   • readme
   • test
   • text
   • %random character string%

with one of the following extensions:
   • bat
   • cmd
   • exe
   • pif
   • scr
   • zip

The attachment is a copy of the malware itself.
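The subject, body and attachment traits listed above can be turned into a simple mail-gateway check. The following is an added example for this description, not vendor code; it parses a constructed message with Python's standard email module and reports which of the three traits it shows. The attachment payload in the sample is a constructed placeholder, and the random-character subject and attachment names from the description are, by nature, not matchable and are not covered.

```python
from email import message_from_string, policy

# Indicator lists copied from the description above (compared case-insensitively).
SUBJECTS = {"error", "hello", "hi", "mail delivery system", "mail transaction failed",
            "server report", "status", "test"}
BODIES = {
    "Mail failed. For further assistance, please contact!",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.",
    "pass",
}
NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test", "text"}
EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}

# Constructed sample message; the attachment payload is a placeholder, not the worm.
SAMPLE_MESSAGE = """\
From: alice@example.com
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Mail failed. For further assistance, please contact!
--b1
Content-Type: application/octet-stream; name="message.pif"
Content-Disposition: attachment; filename="message.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

def lovgate_indicators(raw_message):
    """Return which of the description's traits (subject, body, attachment) a message shows."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = ["subject"] if (msg["Subject"] or "").strip().lower() in SUBJECTS else []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            stem, _, ext = filename.rpartition(".")
            if stem.lower() in NAMES and ext.lower() in EXTS:
                found.append("attachment")   # e.g. message.pif, readme.zip
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() in BODIES:
                found.append("body")
    return found
```

A message matching all three traits is a strong signal; a lone subject hit such as "hi" or "Status" is not, so a real filter should weight the attachment name/extension pair highest.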

Mailing:

Search addresses:
It searches the following files for email addresses:
   • .htm
   • .sht
   • .php
   • .asp
   • .dbx
   • .tbb
   • .adb
   • .wab


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • accoun; certific; listserv; ntivi; support; icrosoft; the.bat;
      gold-certs; feste; submit; service; privacy; somebody; contact;
      rating; someone; anyone; nothing; nobody; noone; webmaster;
      postmaster; samples; be_loyal:; mozilla; utgers.ed; tanford.e;
      acketst; secur; isc.o; isi.e; ripe.; arin.; sendmail; rfc-ed; usenet;
      linux; kernel; google; ibm.com; mit.e; berkeley; ruslis; nodomai;
      mydomai; example; inpris; borlan; sopho; panda; hotmail; icrosof;
      -._!@; abuse


Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
   • gate.
   • ns.
   • relay.
   • mail1.
   • mxs.
   • mx1.
   • smtp.
   • mail.
   • mx.

Network Infection:
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • \\%computers in current domain%\%all shared folders%\WinRAR.exe
   • \\%computers in current domain%\%all shared folders%\Internet Explorer.bat
   • \\%computers in current domain%\%all shared folders%\Documents and Settings.txt.exe
   • \\%computers in current domain%\%all shared folders%\Microsoft Office.exe
   • \\%computers in current domain%\%all shared folders%\Windows Media Player.zip.exe
   • \\%computers in current domain%\%all shared folders%\Support Tools.exe
   • \\%computers in current domain%\%all shared folders%\WindowsUpdate.pif
   • \\%computers in current domain%\%all shared folders%\Cain.pif
   • \\%computers in current domain%\%all shared folders%\MSDN.ZIP.pif
   • \\%computers in current domain%\%all shared folders%\autoexec.bat
   • \\%computers in current domain%\%all shared folders%\findpass.exe
   • \\%computers in current domain%\%all shared folders%\client.exe
   • \\%computers in current domain%\%all shared folders%\i386.exe
   • \\%computers in current domain%\%all shared folders%\winhlp32.exe
   • \\%computers in current domain%\%all shared folders%\xcopy.exe
   • \\%computers in current domain%\%all shared folders%\mmc.exe


IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Process termination:
List of processes that are terminated:
   • KV; KAV; Duba; NAV; kill; RavMon.exe; Rfw.exe; Gate; McAfee; Symantec;
      SkyNet; rising


File details:
Runtime packer:
In order to hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Andrei Ivanes on Friday, June 2, 2006
Description updated by Andrei Ivanes on Friday, June 2, 2006
