Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
Sent by email., Backdoor component.
The worm has its own SMTP engine and sends itself to all email addresses it can find on the infected computer. It also spreads over the network drives of the infected system.
The backdoor component of Worm/Lovegate saves keylogging information and passwords into the following files:
and sends this information to the email addresses:
'email@example.com' and 'firstname.lastname@example.org'.
Over port 10168 a user, using the same Client program, can make various changes into the infected system.
Do not release
I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!
Send me your comments...
Test this ROM! IT ROCKS!.
Adult content!!! Use with parental advisory.
Test it 30 days for free.
I'm going crazy... please try to find the bug!.
Send reply if you want to be official beta tester.
This is the pack ;)
This is the last cumulative update.
I think all will work fine.
Check our list and mail your requests!
The most important difference between version B and version A is the absence of the reply to Inbox messages.
Without this function, the spreading relies on collecting email addresses from networks and *.ht* files.
Apart from the massmailer function, this worm can spread through Windows components and steal passwords. It is packed with ASP and creates the following files:
It tests the following user names and passwords, if the netresources are protected:
"" (empty password)
If access succeeds, the worm is copied as "stg.exe" in Windows "System32" archive and it tries to activate it.
The worm copies itself in Windows system directory, with the following names:
and makes the following .dll files in Windows System:
Worm/Lovegate makes the registry entries: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe""WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell""Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg [HKEY_CLASSES_ROOT\txtfile\shell\open\command]@="winrpc.exe %1"
If it has keylogging functions and saves information, it collects it in the following files:
The worm is activated every time a text file is double-clicked.
This version also creates the keyloger DLL: %WinsysDIR%\win32vxd.dll
Description inserted by Crony Walker on Tuesday, June 15, 2004