Alias:Win32/Lovgate.A@mm [RAV], W32/Lovgate.a@M [McAfee], I-Worm.Supnot.b [KAV]
Type:Worm 
Size:77,312 Bytes 
Origin: 
Date:00-00-0000 
Damage:Sent by email. Backdoor component. 
VDF Version:6.23.00.00 
Danger:Medium 
Distribution:High 

DistributionThe worm has its own SMTP engine and sends itself to all email addresses it can find on the infected computer. It also spreads over the network drives of the infected system.
The backdoor component of Worm/Lovegate saves keylogging information and passwords into the following files:
win32pwd.sys
win32add.sys
and sends this information to the email addresses:
'hello_dll@163.com' and 'hacker117@163.com'.

Over port 10168 a user, using the same Client program, can make various changes into the infected system.

Subject:
Documents
Roms
Pr0n!
Evaluation copy
Help
Beta
Do not release
Last Update
The patch
Cracks!

Body:
I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!
Send me your comments...
Test this ROM! IT ROCKS!.
Adult content!!! Use with parental advisory.
Test it 30 days for free.
I'm going crazy... please try to find the bug!.
Send reply if you want to be official beta tester.
This is the pack ;)
This is the last cumulative update.
I think all will work fine.
Check our list and mail your requests!

Attachment:
Docs.exe
Roms.exe
Sex.exe
Setup.exe
Source.exe
_SetupB.exe
Pack.exe
LUPdate.exe
Patch.exe
CrkList.exe

Technical DetailsApart from the massmailer function, this worm can spread through Windows components and steal passwords. It is packed with ASP and copies itself into the following files:
fun.exe
humor.exe
docs.exe
s3msong.exe
midsong.exe
billgt.exe
Card.EXE
SETUP.EXE
searchURL.exe
tamagotxi.exe
hamster.exe
news_doc.exe
PsPGame.exe
joke.exe
images.exe
pics.exe

It tests the following user names and passwords, if the netresources are protected:

User name:
guest
Administrator

Password:
"" (empty password)
"guest"
"123"
"321"
"123456"
"654321"
"administrator"
"admin"
"111111"
"666666"
"888888"
"abc"
"abcdef"
"abcdefg"
"12345678"
"abc123"

If access succeeds, the worm is copied as "stg.exe" in Windows "System32" archive and it tries to activate it.

The worm copies itself in Windows system directory, with the following names:
C:\%WinDIR%\%SystemDIR%\WinGate.exe
C:\%WinDIR%\%SystemDIR%\WinRpcsrc.exe
C:\%WinDIR%\%SystemDIR%\SysHelp.exe
C:\%WinDIR%\%SystemDIR%\WinPrc.exe
C:\%WinDIR%\%SystemDIR%\RpcSrv.exe

and makes the following .dll files in Windows System:
C:\%WinDIR%\%SystemDIR%\1.DLL
C:\%WinDIR%\%SystemDIR%\ily.dll
C:\%WinDIR%\%SystemDIR%\reg.dll
C:\%WinDIR%\%SystemDIR%\Task.dll
C:\%WinDIR%\%SystemDIR%\win32vxd.dll

Worm/Lovegate makes the registry entries: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe""WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell""Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg [HKEY_CLASSES_ROOT\txtfile\shell\open\command]@="winrpc.exe %1"

If it has keylogging functions and saves information, it collects it in the following files:
win32pwd.sys
win32add.sys

The worm is activated every time a text file is double-clicked.
This version also creates the keyloger DLL: %WinsysDIR%\win32vxd.dll
Descrizione inserita da Crony Walker su martedì 15 giugno 2004

Indietro . . . .