Alias: I-Worm.Supnot.a, Supnot.A
Type: Worm
Size: 84,992 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email, backdoor component.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: High

Distribution
The worm has its own SMTP engine and sends itself to all email addresses it can find on the infected computer. It also spreads over the network drives of the infected system.
The backdoor component of Worm/Lovegate saves keylogging information and passwords into the following files:
win32pwd.sys
win32add.sys
and sends this information to the email addresses:
'hello_dll@163.com' and 'hacker117@163.com'.

Over port 10168, a user running the matching client program can make various changes to the infected system.

Subject:
Documents
Roms
Pr0n!
Evaluation copy
Help
Beta
Do not release
Last Update
The patch
Cracks!

Body:
I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!
Send me your comments...
Test this ROM! IT ROCKS!.
Adult content!!! Use with parental advisory.
Test it 30 days for free.
I'm going crazy... please try to find the bug!.
Send reply if you want to be official beta tester.
This is the pack ;)
This is the last cumulative update.
I think all will work fine.
Check our list and mail your requests!

Attachment:
Docs.exe
Roms.exe
Sex.exe
Setup.exe
Source.exe
_SetupB.exe
Pack.exe
LUPdate.exe
Patch.exe
CrkList.exe

Technical Details
The most important difference between version B and version A is the absence of the function that replies to Inbox messages.
Without this function, the spreading relies on collecting email addresses from networks and *.ht* files.
Apart from the massmailer function, this worm can spread through Windows components and steal passwords. It is packed with ASP and creates the following files:
fun.exe
humor.exe
docs.exe
s3msong.exe
midsong.exe
billgt.exe
Card.EXE
SETUP.EXE
searchURL.exe
tamagotxi.exe
hamster.exe
news_doc.exe
PsPGame.exe
joke.exe
images.exe
pics.exe

If the network resources are protected, it tries the following user names and passwords:

User name:
guest
Administrator

Password:
"" (empty password)
"guest"
"123"
"321"
"123456"
"654321"
"administrator"
"admin"
"111111"
"666666"
"888888"
"abc"
"abcdef"
"abcdefg"
"12345678"
"abc123"

If access succeeds, the worm copies itself as "stg.exe" into the Windows "System32" directory and tries to run it.

The worm copies itself into the Windows system directory under the following names:
C:\%WinDIR%\%SystemDIR%\WinGate.exe
C:\%WinDIR%\%SystemDIR%\WinRpcsrc.exe
C:\%WinDIR%\%SystemDIR%\SysHelp.exe
C:\%WinDIR%\%SystemDIR%\WinPrc.exe
C:\%WinDIR%\%SystemDIR%\RpcSrv.exe

and creates the following .dll files in the Windows system directory:
C:\%WinDIR%\%SystemDIR%\1.DLL
C:\%WinDIR%\%SystemDIR%\ily.dll
C:\%WinDIR%\%SystemDIR%\reg.dll
C:\%WinDIR%\%SystemDIR%\Task.dll
C:\%WinDIR%\%SystemDIR%\win32vxd.dll

Worm/Lovegate makes the registry entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

If the keylogging function is present and records information, the data is collected in the following files:
win32pwd.sys
win32add.sys

The worm is activated every time a text file is double-clicked, because the txtfile open command above points to winrpc.exe.
This version also creates the keylogger DLL: %WinsysDIR%\win32vxd.dll
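
The file and registry indicators listed above, turned into a host triage check. This is an added example, not code from Avira: the function names and the sample snapshot are constructed for illustration, and the caller is assumed to supply the system directory listing, the Run key values and the txtfile open command.

```python
import ntpath

# Names copied from the description above; Windows names compare case-insensitively.
INDICATORS = {
    "worm copy": {"wingate.exe", "winrpcsrc.exe", "syshelp.exe", "winprc.exe",
                  "rpcsrv.exe", "stg.exe"},
    "worm dll": {"1.dll", "ily.dll", "reg.dll", "task.dll", "win32vxd.dll"},
    "keylog file": {"win32pwd.sys", "win32add.sys"},
}
RUN_VALUE_NAMES = {"syshelp", "wingate initialize", "module call initialize"}
TXT_HANDLER = "winrpc.exe"


def _basenames(command):
    """Lower-cased file name of every whitespace-separated token in a command line."""
    return {ntpath.basename(tok.strip('"')).lower() for tok in command.split()}


def triage(system_dir_files, run_key, txt_open_command):
    """Return sorted (kind, detail) findings. Name matches are leads, not verdicts."""
    findings = set()
    for path in system_dir_files:
        name = ntpath.basename(path).lower()
        for kind, names in INDICATORS.items():
            if name in names:
                findings.add((kind, name))
    dropped = INDICATORS["worm copy"] | INDICATORS["worm dll"]
    for value_name, command in run_key.items():
        # Flag on the value name or on any listed file referenced by the command.
        if value_name.lower() in RUN_VALUE_NAMES or _basenames(command) & dropped:
            findings.add(("run key", value_name))
    if TXT_HANDLER in _basenames(txt_open_command):
        findings.add(("txtfile handler", txt_open_command))
    return sorted(findings)


# Constructed snapshot of an infected host (sample data, not captured output).
INFECTED = dict(
    system_dir_files=[r"C:\WINDOWS\SYSTEM32\notepad.exe", r"C:\WINDOWS\SYSTEM32\WinGate.exe",
                      r"C:\WINDOWS\SYSTEM32\WIN32VXD.DLL", r"C:\WINDOWS\SYSTEM32\win32pwd.sys"],
    run_key={"WinGate initialize": r"C:\WINDOWS\SYSTEM\WinGate.exe -remoteshell",
             "Module Call initialize": "RUNDLL32.EXE reg.dll ondll_reg",
             "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    txt_open_command="winrpc.exe %1",
)

if __name__ == "__main__":
    for kind, detail in triage(**INFECTED):
        print(f"{kind}: {detail}")
```

Several of the listed names (reg.dll, 1.DLL, Task.dll) are generic, so a name-only hit should be confirmed with a scanner before a host is declared infected.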
Description inserted by Crony Walker on Tuesday, June 15, 2004
