Alias: I-Worm.LovGate.t [Kaspersky], W32/Lovgate.s@MM [McAfee]
Type: Worm
Size: 98,304 Bytes
Origin:
Date: 00-00-0000
Damage: Spreads by email and shared networks. Backdoor component.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low

Distribution
The worm replies to emails found in the Microsoft Outlook mailbox. The email sent by the worm looks like this:

Subject: Re:

To: @

Body:
'' wrote:
====
>
====
account auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE account now! <

Attachment:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

The worm locates the shared KaZaA directory via a registry entry and copies itself into it under one of the following names:
wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
W32Dasm
setup
%random file name%

with one of the following extensions:
.bat
.exe
.pif
.scr

It copies itself into all shared network directories under one of the following names:
CD-Cover Editor 2.6.exe
Zealot All Video Splitter 1.1.9.zip.exe
Backup Made Simple 5.1.58 crack.exe
Zealot.exe
ReadMe.exe
SetUp.exe
GBA-Shell.exe
picture.JPG.pif
256MFX5600.txt.pif
Prescott.scr
install.exe
AMD 2600 test.zip.exe
Norton Antivirus crack.exe
PC-Cillin readme.txt.exe
command.com
NTDETECT.COM

It uses the following passwords to access other computers on the local network and to log on as administrator:

Guest
Administrator
zxcv
yxcv
xxx
win
test123
test
temp123
temp
sybase
super
sex
secret
pwd
pw123
Password
owner
oracle
mypc123
mypc
mypass123
mypass
love
login
Login
Internet
home
godblessyou
god
enable
database
computer
alpha
admin123
Admin
abcd
aaa
88888888
2600
2003
2002
123asd
123abc
123456789
1234567
123123
121212
11111111
110
007
00000000
000000
pass
54321
12345
password
passwd
server
sql
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
1234
111
root
abc123
12345678
abcdefg
abcdef
abc
888888
666666
111111
admin
administrator
guest
654321
123456
321
123

If access succeeds, the worm copies itself to:
\\%network Computername%\admin$\systemdir\NetManager32.exe and opens the file "Management Service Extension".

Technical Details
When activated, Worm/Lovgate.T copies itself to the following locations as read-only, hidden system files:
%WinDIR%\Systra.exe
%SystemDIR%\iexplore.exe
%SystemDIR%\Media32.exe
%SystemDIR%\RAVMOND.exe
%SystemDIR%\WinHelp.exe
%SystemDIR%\Kernel66.dll

It creates AUTORUN.INF in the root directory of every drive except the CD-ROM drive and copies itself as COMMAND.EXE into those directories.

It then creates an archive file (%filename%.%ext%) in the root directory of every drive except A: and B:. %filename% is one of:
WORK
setup
Important
bak
letter
pass

and %ext% is one of:
RAR
ZIP

This archive contains a copy of the worm, named with one of:
WORK
setup
Important
book
email
PassWord

and one of the extensions:
exe
com
pif
scr

Then, it creates the following files:
%System%\ODBC16.dll (53,760 Bytes)
%System%\msjdbc11.dll (53,760 Bytes)
%System%\MSSIGN30.DLL (53,760 Bytes)

These are all backdoor components of the worm.
It changes the registry entry:
HKEY_CLASSES_ROOT\exefile\shell\open\command
to: %SystemDIR%\Media32.exe "%1" %*
Thus, the worm is run every time an .exe file is opened.

It also terminates every process whose name contains one of the following strings:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising

It makes the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Program in Windows"="%SystemDIR%\iexplore.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"WinHelp"="%SystemDIR%\WinHelp.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run"="RAVMOND.exe" (for autostart)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Systemtra"="%WinDIR%\Systra.exe" (for autostart, as a service)

Finally, the following key is created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1

It then runs a backdoor routine on port 6000. The routine steals information from the compromised system and saves it to C:\Netlog.txt, which the worm then sends to an email address.
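As an added example (not Avira's code or a tool from this description), the following Python checks a host snapshot for the autostart values, the exefile handler hijack and the dropped files listed above. The registry snapshot and file list in it are constructed; on a real Windows host the same values would be read with winreg and os.path.exists.

```python
"""Host-side check for the Worm/Lovgate.T artefacts described above. Added example, not
Avira's tooling: indicators come from the description; sample registry/file data is constructed."""
import ntpath
from typing import Dict, Iterable, List

# Autostart values the worm writes (key, value name), from "Technical Details".
AUTOSTART_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Program in Windows"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "VFW Encoder/Decoder Settings"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WinHelp"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Systemtra"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "run"),
]
EXEFILE_KEY = r"HKCR\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # Windows default; the worm prepends Media32.exe
# Basenames dropped into %WinDIR% / %SystemDIR% (lower-cased for matching).
DROPPED_FILES = {"systra.exe", "iexplore.exe", "media32.exe", "ravmond.exe", "winhelp.exe",
                 "kernel66.dll", "odbc16.dll", "msjdbc11.dll", "mssign30.dll", "netmanager32.exe"}

def check_registry(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """registry maps key path -> {value name: data}; "" is the default value."""
    reg = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in registry.items()}
    findings = []
    for key, name in AUTOSTART_VALUES:
        data = reg.get(key.lower(), {}).get(name.lower())
        if data:  # present and non-empty
            findings.append(f"autostart {key}\\{name} = {data}")
    command = reg.get(EXEFILE_KEY.lower(), {}).get("", CLEAN_EXEFILE_COMMAND).strip()
    if command != CLEAN_EXEFILE_COMMAND:
        findings.append(f"exefile handler hijacked: {command}")
    return findings

def check_files(paths: Iterable[str]) -> List[str]:
    """Flag dropped names only under the Windows/system directory (a legitimate iexplore.exe under Program Files is not reported)."""
    findings = []
    for path in paths:
        directory, base = ntpath.split(path)
        if base.lower() in DROPPED_FILES and directory.lower().endswith(("\\windows", "\\system32")):
            findings.append(f"dropped file: {path}")
    return findings

# Constructed snapshot of an infected host (not real telemetry).
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Program in Windows": r"C:\WINDOWS\system32\iexplore.exe", "WinHelp": r"C:\WINDOWS\system32\WinHelp.exe"},
    EXEFILE_KEY: {"": r'C:\WINDOWS\system32\Media32.exe "%1" %*'},
}
SAMPLE_FILES = [r"C:\WINDOWS\Systra.exe", r"C:\WINDOWS\system32\RAVMOND.exe",
                r"C:\Program Files\Internet Explorer\iexplore.exe"]
```

Running check_registry(SAMPLE_REGISTRY) and check_files(SAMPLE_FILES) on the constructed data reports the two Run values, the hijacked exefile handler and the two dropped files, while the Program Files iexplore.exe is left alone.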
Description inserted by Crony Walker on Tuesday, June 15, 2004
