Worm/LovGate.X.1 - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/LovGate.X.1
Date discovered:	15/05/2006
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Low
Static file:	Yes
File size:	23.552 Bytes
MD5 checksum:	5d279f9a47a257d2804a926064d446c4
VDF version:	6.34.01.85
IVDF version:	6.34.01.86

General Method of propagation:
   • Local network

Aliases:
   • Kaspersky: Email-Worm.Win32.LovGate.x
   • Sophos: W32/Lovgate-V
   • VirusBuster: I-Worm.Lovgate.AP6
   • Eset: Win32/Lovgate.Z
   • Bitdefender: Win32.Lovgate.V@mm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Registry modification
   • Makes use of software vulnerability

Files It copies itself to the following location:
• %SYSDIR%\spollsv.exe

Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "Shell Extension"="%SYSDIR%\spollsv.exe"

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

Exploit:
It makes use of the following Exploit:
– MS03-026 (Buffer Overrun in RPC Interface)

IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

Backdoor The following port is opened:

– %SYSDIR%\spollsv.exe on a random TCP port in order to provide an FTP server.

See a brief description here.

Description inserted by Irina Boldea on Fri, 15 Sep 2006 16:01 (GMT+1)
Description updated by Irina Boldea on Mon, 18 Sep 2006 08:59 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back