Alias: I-Worm.LovGate.h, W32/Lovgate, W95/Lovgate.K@mm
Type: Worm
Size: 127,488 Bytes
Origin:
Date: 00-00-0000
Damage: Spreads by email and shared network resources. Backdoor component.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low

Distribution
The worm replies to all unread messages in the Microsoft Outlook or Outlook Express Inbox.
The reply email looks like this:

Subject: Re: Original Subject
Body: ====== Original Body ======
Attachment:
Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif

The worm also sends emails to addresses found in files of type *.ht*. These emails look like this:

Subject:
Reply to this!
Let's Laugh
Last Update
For you
Great
Help
Attached one Gift for u..
Hi Dear
Hi
See the attachement

Body:

For further assistance, please contact!

Copy of your message, including all the headers is attached.

This is the last cumulative update.

Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)

Send reply if you want to be official beta tester.

This message was created automatically by mail delivery software(Exim).

It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).

Adult content!!! Use with parental advisory.

Patrick Ewing will give Knick fans something to cheer about Friday night.

Send me your comments...

Attachment:
About_Me.txt.pif
driver.exe
Doom3 Preview!!!.exe
enjoy.exe
YOU_are_FAT!.TXT.pif
Source.exe
Interesting.exe
README.TXT.pif
images.pif
Pics.ZIP.scr

Technical Details
When activated, Worm/Lovgate.K creates the following files:
C:\%WinDIR%\DRWTSN16.EXE (infected sector: 49,152 Bytes)
C:\%WinDIR%\%SystemDIR%\IEXPLORE.EXE (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\RAVMOND.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\WinDriver.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\WinGate.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\kernel66.dll (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\winexe.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\winrpc.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\winhelp.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\Task688.dll (BackDoor-AQJ: 59,392 Bytes)
C:\%WinDIR%\%SystemDIR%\ily668.dll (BackDoor-AQJ: 59,392 Bytes)
C:\%WinDIR%\%SystemDIR%\reg678.dll (BackDoor-AQJ: 59,392 Bytes)
C:\%WinDIR%\%SystemDIR%\win32vxd.dll (BackDoor-AQJ: 32,768 Bytes)

It also creates files with random names and the following extensions in C:\%WINDIR%\Temp:
.rm.exe
.htm.exe
.dat.exe
.mp3.exe
.gif.exe
.jpg.exe
.doc.exe
.avi.exe

It changes the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares "GAME" = C:\WINNT\TEMP
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = RAVMOND.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Program In Windows" = C:\WINNT\System32\IEXPLORE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Remote Procedure Call Locator" = RUNDLL32.EXE reg678.dll ondll_reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinGate initialize" = C:\WINNT\System32\WinGate.exe -remoteshell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinHelp" = C:\WINNT\System32\WinHelp.exe
HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = "winrpc.exe %1"
HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = C:\WINNT\System32\winexe.exe "%1" %*

Under Windows NT/2000, the worm is installed as the following two services:
"Microsoft NetWork FireWall Services" (set to run the copy of the worm with the filename NETSERVICES.EXE) - this service was not installed in testing.
"Windows Management Instrumentation Driver Extension" (set to run the copy of the worm with the filename WINDRIVER.EXE)

Other services are inserted for the backdoor component. Their names are:
ll_reg (set to run TASK688.dll)
NetMeeting Remote Desktop (RPC) Sharing (set to run TASK688.dll).
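The persistence points listed above (Run keys, the HKCU "run" value, and the hijacked exefile/txtfile open handlers) can be checked offline against a registry export. The following script is an added example for this description and is not Avira's tooling; it parses the .reg export format with a small hand-written parser and flags entries that match the names and dropped files quoted above. SAMPLE_REG is a constructed export that mixes the worm's entries with one benign ctfmon.exe entry so the rules can be seen to discriminate; the function names are the example's own.

```python
import re

# Indicators taken from the description above: the executables/DLLs the worm
# drops and the Run-key value names it creates.
LOVGATE_FILES = {
    "ravmond.exe", "windriver.exe", "wingate.exe", "winexe.exe", "winrpc.exe",
    "winhelp.exe", "kernel66.dll", "task688.dll", "ily668.dll", "reg678.dll",
    "win32vxd.dll", "drwtsn16.exe", "netservices.exe",
}
LOVGATE_RUN_VALUES = {
    "program in windows", "remote procedure call locator",
    "wingate initialize", "winhelp",
}
# Stock Windows handler for .exe files; the worm replaces it with its own winexe.exe.
EXEFILE_DEFAULT = '"%1" %*'

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_FILE_RE = re.compile(r"[\w\-]+\.(?:exe|dll)", re.IGNORECASE)

# Constructed .reg export (not from a real machine): the worm's entries from the
# description plus one benign ctfmon.exe autostart entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"
"Remote Procedure Call Locator"="RUNDLL32.EXE reg678.dll ondll_reg"
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\System32\\winexe.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
"""


def _unquote(s):
    """Turn a .reg string literal ("...") back into its plain value."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", s[1:-1])
    return s  # dword:/hex: data is left as written


def parse_reg(text):
    """Parse .reg export text into (key, value_name, data) triples."""
    key, triples = None, []
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
            triples.append((key, name, _unquote(m.group(2))))
    return triples


def _names_lovgate_file(data):
    """True if the value data references a file the worm drops. IEXPLORE.EXE is a
    legitimate name elsewhere, so it only counts when it sits in the system directory."""
    low = data.lower()
    if "iexplore.exe" in low and "system32" in low:
        return True
    return any(f.lower() in LOVGATE_FILES for f in _FILE_RE.findall(data))


def find_lovgate_indicators(reg_text):
    """Return (key, value_name, reason) for every entry matching the worm's persistence."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        k, n = key.lower(), name.lower()
        if k.endswith(r"\currentversion\run") or k.endswith(r"nt\currentversion\windows"):
            if n in LOVGATE_RUN_VALUES or _names_lovgate_file(data):
                hits.append((key, name, "autostart entry runs a Lovgate file: " + data))
        elif k == r"hkey_classes_root\exefile\shell\open\command":
            if data != EXEFILE_DEFAULT:
                hits.append((key, name, "exefile handler hijacked: " + data))
        elif k.endswith(r"\shell\open\command") and _names_lovgate_file(data):
            hits.append((key, name, "file-type handler runs a Lovgate file: " + data))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_lovgate_indicators(SAMPLE_REG):
        print(f"{key} [{name}]: {reason}")
```

The exefile rule deliberately compares against the stock `"%1" %*` rather than searching for winexe.exe, so any replacement of the .exe handler is reported, not only this worm's; the other rules stay tied to the names quoted on this page.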

The worm infects PE files by inserting an infected sector (DRWTSN16.EXE) before the original code and a worm copy after it, so an infected file ends up with three parts:
INFECTED SECTOR | ORIGINAL PE | WORM COPY
Infected files are up to 176,648 Bytes.
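The three-part layout described above can be checked with ordinary PE header parsing: the stub at the front is itself a PE, so everything past the end of its last section (the overlay) is foreign data, and scanning that overlay for a second well-formed PE header recovers the original program's offset. The script below is an added example, not Avira's tooling. Its build_minimal_pe helper constructs tiny placeholder images (headers plus one section, nothing executable and nothing like the 49,152/127,488-byte sizes quoted above) purely as test input; pe_overlay and embedded_pe_offsets are the example's own names.

```python
import struct

SECTION_HEADER_LEN = 40
OPT_HEADER_PE32_LEN = 0xE0


def pe_overlay(data):
    """Locate a PE file's overlay: the bytes after the end of the last section's raw
    data. Returns (overlay_offset, overlay_length), or None if `data` is not a PE.
    In the infected layout above, the original PE and the worm copy both live here."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    sect_table = coff + 20 + opt_size
    end = sect_table + nsect * SECTION_HEADER_LEN             # headers alone, if no sections
    if end > len(data):
        return None                                           # truncated header
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData sit at +16 / +20 in each section header
        raw_size, raw_off = struct.unpack_from("<II", data, sect_table + i * SECTION_HEADER_LEN + 16)
        end = max(end, raw_off + raw_size)
    return end, max(0, len(data) - end)


def embedded_pe_offsets(data, start=0):
    """Offsets at or after `start` where a well-formed PE header ("MZ" with a sane
    e_lfanew pointing at "PE\\0\\0") begins. Used to find the original program
    inside the overlay of the prepended stub."""
    found, pos = [], data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def build_minimal_pe(section_data, overlay=b""):
    """Constructed test input: a minimal PE32 image (DOS header, PE signature, COFF
    header, zeroed optional header, one .text section) plus optional trailing bytes."""
    e_lfanew, file_align = 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_HEADER_PE32_LEN, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_HEADER_PE32_LEN - 2)  # PE32 magic
    headers_len = e_lfanew + 4 + 20 + OPT_HEADER_PE32_LEN + SECTION_HEADER_LEN
    raw_off = (headers_len + file_align - 1) // file_align * file_align
    raw_size = (len(section_data) + file_align - 1) // file_align * file_align
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       raw_size, raw_off, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + opt + sect
    img += b"\0" * (raw_off - len(img))
    img += section_data + b"\0" * (raw_size - len(section_data))
    return img + overlay


def triage(data):
    """Summarise what the two checks say about `data`, as a plain dict."""
    ov = pe_overlay(data)
    if ov is None:
        return {"pe": False}
    offset, length = ov
    return {"pe": True, "overlay_offset": offset, "overlay_length": length,
            "embedded_pe_at": embedded_pe_offsets(data, offset)}


if __name__ == "__main__":
    stub, original = build_minimal_pe(b"STUB"), build_minimal_pe(b"ORIG")
    infected = stub + original + b"W" * 64   # placeholder "worm copy" appended last
    print("clean:", triage(original))
    print("infected:", triage(infected))
```

On a clean image the overlay length is zero and no embedded header is found; on the constructed three-part image the overlay begins exactly where the stub ends and contains one further PE header, which is the original program.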

The worm also tries to access network shares, using the following passwords:
(no password)
0
1
7
12
110
111
123
321
1234
2002
2003
2600
12345
54321
111111
121212
123123
123456
654321
666666
888888
1234567
11111111
12345678
88888888
123456789
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
123abc
123asd
a
aaa
abc
abc123
abcd
abcdef
abcdefg
Admin
admin
admin123
administrator
alpha
asdf
asdfgh
computer
database
enable
god
godblessyou
guest
home
Internet
login
Login
love
mypass
mypass123
mypc
mypc123
oracle
owner
pass
passwd
Password
password
pc
pw
pw123
pwd
root
secret
server
sex
sql
super
sybase
temp
temp123
test
test123
win
xp
xxx
yxcv
zxcv

If it succeeds, the worm copies itself into every directory it can access, under the following names:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe

Backdoor Component:
The following address is used for sending information through port 20168:
hello_dll@163.com
Description inserted by Crony Walker on Tuesday, June 15, 2004
