I-Worm.LovGate.t [Kaspersky], W32/Lovgate.s@MM [McAfee]
Spreads by email and shared networks. Backdoor component.
The worm replies to emails found in the Microsoft Outlook mailbox. The email sent by the worm looks like this:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE
account now! <
the hardcore game-.pif
Sex in Office.rm.scr
How to Crack all gamez.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
Britney spears nude.exe.txt.exe
I am For u.doc.exe
The worm locates the shared KaZaA directory through a registry entry and copies itself into it as:
%random file name%
with the extension:
It copies itself into all shared network directories as one of the following:
CD-Cover Editor 2.6.exe
Zealot All Video Splitter 1.1.9.zip.exe
Backup Made Simple 5.1.58 crack.exe
AMD 2600 test.zip.exe
Norton Antivirus crack.exe
It uses the following passwords to access other computers on the local network and to log on as administrator:
If access succeeds, the worm copies itself as:
\\%network Computername%\admin$\systemdir\NetManager32.exe and opens the file "Management Service Extension".
When activated, Worm/Lovgate.T is copied as read-only, hidden, system files:
It creates AUTORUN.INF in the root directory of all drives except the CD-ROM drive, and copies itself as COMMAND.EXE into these directories.
Then it creates a .zip file (%filename%.%ext%) in the root directory of all drives except drives A: and B:. The %filename% can be:
and the %ext%:
This .zip file contains a copy of the worm, which can have the following names:
Then, it creates the following files:
%System%\ODBC16.dll (53,760 Bytes)
%System%\msjdbc11.dll (53,760 Bytes)
%System%\MSSIGN30.DLL (53,760 Bytes)
These are all backdoor components of the worm.
It changes the registry entry:
into: %SystemDIR%\Media32.exe "%1" %*
Thus, the worm is activated every time an .exe file is opened.
It also terminates all processes containing the following strings:
It makes the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Program in Windows"="%SystemDIR%\iexplore.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"WinHelp"="%SystemDIR%\WinHelp.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run"="RAVMOND.exe" (for autostart)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Systemtra"="%WinDIR%\Systra.exe" (for autostart, as a service)
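A way to check a host for the autostart entries listed above and for the Media32.exe command handler described earlier. This is an added example, not part of the original description or any Avira tool. It assumes the text of a `reg export` file already decoded to a Python string and looks only at string values; the function names and the sample export are constructed for illustration.

```python
import re
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_WIN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
# (key, value name, substring expected in the data), all taken from the description
IOCS = [
    (RUN, "Program in Windows", "iexplore.exe"),
    (RUN, "VFW Encoder/Decoder Settings", "MSSIGN30.DLL"),
    (RUN, "WinHelp", "WinHelp.exe"),
    (HKCU_WIN, "run", "RAVMOND.exe"),
    (RUN + "Services", "Systemtra", "Systra.exe"),
]
HANDLER_TAIL = 'media32.exe "%1" %*'  # hijacked open command from the description
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):  # .reg text escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value name, data) for every string value in .reg export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def find_lovgate_t(text):
    """Return (key, value name, data) tuples matching the entries listed above."""
    hits = []
    for key, name, data in parse_reg(text):
        for k, n, d in IOCS:
            if (key.lower(), name.lower()) == (k.lower(), n.lower()) and d.lower() in data.lower():
                hits.append((key, name, data))
        # Default value of any key whose command now routes through Media32.exe
        if name == "" and data.lower().endswith(HANDLER_TAIL):
            hits.append((key, "(Default)", data))
    return hits

# Constructed sample export; PLACEHOLDER stands for a key the description does not name.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="C:\\WINDOWS\\system32\\WinHelp.exe"
"SoundMan"="SOUNDMAN.EXE"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
[HKEY_CLASSES_ROOT\PLACEHOLDER\shell\open\command]
@="C:\\WINDOWS\\system32\\Media32.exe \"%1\" %*"
'''
```

Calling find_lovgate_t(SAMPLE) returns the WinHelp and VFW entries and the hijacked handler, and skips the unrelated SoundMan value. Key and value names are compared case-insensitively because the registry itself is case-insensitive.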
Eventually, the following entry is made:
Then it runs a backdoor routine on port 6000. The routine steals information from the compromised system and saves it in C:\Netlog.txt. The worm then sends this information to an email address.
Description inserted by Crony Walker on Tuesday, June 15, 2004