English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/Lovgate.W.1
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Lovgate.W.1 - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/Lovgate.W.1
Date discovered:
05/04/2004
Type:
Worm
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Low
Static file:
Yes
File size:
61.440 Bytes
MD5 checksum:
068ab7aff165eaf4a6b5d1f5efc5779d
VDF version:
6.24.00.87
- Mon, 05 Apr 2004 17:00 (GMT+1)
General
Method of propagation:
• Local network
Aliases:
• Symantec: W32.Lovgate.R@mm
• Mcafee: W32/Lovgate.x@MM
• Kaspersky: Email-Worm.Win32.LovGate.x
• TrendMicro: WORM_LOVGATE.V
• Sophos: W32/Lovgate-V
• Grisoft: I-Worm/Lovgate.X
• VirusBuster: I-Worm.Lovgate.AP
• Eset: Win32/Lovgate.Z
• Bitdefender: Win32.Lovgate.V@mm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
• Makes use of software vulnerability
Files
It copies itself to the following location:
•
%SYSDIR%
\spollsv.exe
Registry
The following registry key is added in order to run the process after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "Shell Extension"="
%SYSDIR%
\spollsv.exe"
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
Exploit:
It makes use of the following Exploit:
–
MS03-026
(Buffer Overrun in RPC Interface)
IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.
Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.
Backdoor
The following port is opened:
–
%SYSDIR%
\spollsv.exe on a random TCP port in order to provide an FTP server.
See a brief description
here
.
Description inserted by Irina Boldea on Wed, 17 May 2006 11:57 (GMT+1)
Description updated by Irina Boldea on Wed, 17 May 2006 12:06 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.CFI.Gen
W32/Elkern.C
Worm/Mytob.AD
Worm/Kidala.G
Worm/Mytob.AT
TR/Drop.MuJoin.AF
PHISH/CrediCard
TR/Autorun.afj
BDS/Agent.qfh.1
TR/Dldr.FraudLoa.NC
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/Lovgate.W.1
Print this page
.gif)
