Alias: I-Worm.LovGate.i, W32/Lovgate, W95/Lovgate.L@mm
Type: Worm
Size: variable
Origin:
Date: 00-00-0000
Damage: Spreads by email and shared network resources. Backdoor component.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low
Distribution
The worm replies to unread messages in the Inbox of Microsoft Outlook or Outlook Express. The reply email looks like this:
Subject: Re: Original Subject
Body: ====== Original Body ======
Attachment:
Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif
The worm also sends emails to the addresses it harvests from files matching *.ht* (HTML files). These emails look like this:
Subject:
Reply to this!
Lt's Laugh
Last Update
For you
Great
Help
Attached one Gift for u..
Hi Dear
Hi
See the attachement
Body:
For further assistance, please contact!
Copy of your message, including all the headers is attached.
This is the last cumulative update.
Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
Send reply if you want to be official beta tester.
This message was created automatically by mail delivery software(Exim).
It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
Adult content!!! Use with parental advisory.
Patrick Ewing will give Knick fans something to cheer about Friday night.
Send me your comments...
Attachment:
About_Me.txt.pif
driver.exe
Doom3 Preview!!!.exe
enjoy.exe
YOU_are_FAT!.TXT.pif
Source.exe
nteresting.exe
README.TXT.pif
images.pif
Pics.ZIP.scr
Technical Details
When activated, Worm/Lovgate.I creates the following files:
C:\%WinDIR%\DRWTSN16.EXE (infected part: 49,152 Bytes)
C:\%WinDIR%\%SystemDIR%\IEXPLORE.EXE (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\RAVMOND.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\WinDriver.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\WinGate.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\kernel66.dll (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\winexe.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\winrpc.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\winhelp.exe (worm copy: 127,488 Bytes)
C:\%WinDIR%\%SystemDIR%\Task688.dll (BackDoor-AQJ: 59,392 Bytes)
C:\%WinDIR%\%SystemDIR%\111.dll (BackDoor-AQJ: 59,392 Bytes)
C:\%WinDIR%\%SystemDIR%\ily668.dll (BackDoor-AQJ: 59,392 Bytes)
C:\%WinDIR%\%SystemDIR%\reg678.dll (BackDoor-AQJ: 59,392 Bytes)
C:\%WinDIR%\%SystemDIR%\win32vxd.dll (BackDoor-AQJ: 32,768 Bytes)
It also creates, in C:\%WinDIR%\Temp, files with random names and the following extensions:
.rm.exe
.htm.exe
.dat.exe
.mp3.exe
.gif.exe
.jpg.exe
.doc.exe
.avi.exe
The worm enumerates the running processes and terminates every process whose name contains one of the following strings (names of antivirus and firewall products among them):
RISING
SKYNET
SYMANTEC
MCAFEE
GATE
RFW.EXE
RAVMON.EXE
KILL
NAV
DUBA
KAV
KV
It changes the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares "GAME" = C:\WINNT\TEMP
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = RAVMOND.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Program In Windows" = C:\WINNT\System32\IEXPLORE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Remote Procedure Call Locator" = RUNDLL32.EXE reg678.dll ondll_reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinGate initialize" = C:\WINNT\System32\WinGate.exe -remoteshell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinHelp" = C:\WINNT\System32\WinHelp.exe
HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = C:\WINNT\System32\winexe.exe "%1" %*
The "GAME" entry publishes the Temp directory, where the worm drops its copies, as a network share. The exefile entry makes winexe.exe run every time any .exe is started, so restore that value to "%1" %* before deleting winexe.exe; otherwise executables will no longer launch.
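To check a registry export from a suspect host for these entries, here is an added example (not part of the original description): it parses the regedit export format, including the REG_MULTI_SZ hex(7) encoding regedit uses for share definitions, and flags autostart values that name the dropped files, an exefile handler other than the Windows default, and a share that exports a Temp directory. The two exports and the names INFECTED_REG, CLEAN_REG, parse_reg_export and audit are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample: a fragment of a regedit export showing the entries listed
# above. The share is encoded as hex(7) (REG_MULTI_SZ, UTF-16LE), the way
# regedit writes it; here it carries only the "Path=" field.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"
"Remote Procedure Call Locator"="RUNDLL32.EXE reg678.dll ondll_reg"
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"WinHelp"="C:\\WINNT\\System32\\WinHelp.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\System32\\winexe.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"GAME"=hex(7):50,00,61,00,74,00,68,00,3d,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  4e,00,54,00,5c,00,54,00,45,00,4d,00,50,00,00,00,00,00
'''

# Constructed clean counterpart: the .exe handler as Windows ships it.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
SHARES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares"
# Drop names from the file list above (worm copies and backdoor DLLs).
WORM_FILES = {"iexplore.exe", "ravmond.exe", "windriver.exe", "wingate.exe",
              "winexe.exe", "winrpc.exe", "winhelp.exe", "kernel66.dll",
              "task688.dll", "111.dll", "ily668.dll", "reg678.dll", "win32vxd.dll"}


def _decode_value(raw: str):
    """Decode the value syntaxes this example needs: REG_SZ, dword, hex(7)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])      # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a regedit export into {key_path: {value_name: value}}; the default
    value (written as '@') is stored under the empty name."""
    keys: Dict[str, Dict[str, object]] = {}
    current = ""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):    # hex data continued on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(raw)
    return keys


def _names_worm_file(command: str) -> bool:
    """True if a token of the command line is a worm file name given bare
    (resolved from the system directory) or explicitly under System32.
    Legitimate programs with the same base name live elsewhere."""
    for token in command.split():
        low = token.lower().strip('"')
        base = low.rsplit("\\", 1)[-1]
        if base in WORM_FILES and ("\\" not in low or "\\system32\\" in low):
            return True
    return False


def audit(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per registry entry that matches the description above."""
    findings: List[str] = []
    for key in AUTOSTART_KEYS:
        for name, value in keys.get(key, {}).items():
            if _names_worm_file(str(value)):
                findings.append(f"autostart: {key}\\{name} = {value}")
    handler = keys.get(EXEFILE_KEY, {}).get("")
    if handler is not None and handler != '"%1" %*':
        findings.append(f"exefile handler hijacked: {handler}")
    for share, fields in keys.get(SHARES_KEY, {}).items():
        fields = fields if isinstance(fields, list) else [str(fields)]
        path = next((f[5:] for f in fields if f.lower().startswith("path=")), "")
        if "\\temp" in path.lower():
            findings.append(f"share {share} exports {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(INFECTED_REG)):
        print(finding)
```

On a live host, feed the parser the output of `reg export` for the four keys; the check on the exefile handler is the one to run first, since it decides the cleanup order.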
Under Windows NT/2000, the worm is installed as two services:
"Microsoft NetWork FireWall Services" (set to run the copy of the worm with the filename NETSERVICES.EXE) - this service was not installed in testing.
"Windows Management Instrumentation Driver Extension" (set to run the copy of the worm with the filename WINDRIVER.EXE)
Other services are created for the backdoor component. They are named:
ll_reg (set to run TASK688.dll)
NetMeeting Remote Desktop (RPC) Sharing (set to run TASK688.dll).
The worm also infects PE files by placing the infected part (the DRWTSN16.EXE component) in front of the original program and appending a copy of itself. An infected file therefore has three parts:
INFECTED SECTOR | ORIGINAL PE | WORM COPY
The infected files are up to 200 Bytes.
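The layout above can be recognised without a signature: a normally linked executable has exactly one MZ/PE header, and its section table tells where its raw data ends. The following added example (not code from the original description) walks every MZ offset in a file, validates the PE header and section table behind it, and reports images that lie beyond the first image's section data. The make_pe helper builds constructed, non-runnable PE-shaped test data; the names pe_image_extent, find_pe_images and analyse are assumptions of this example.

```python
import struct
from typing import Dict, List, Optional, Tuple


def pe_image_extent(data: bytes, off: int) -> Optional[int]:
    """If a plausible MZ/PE header starts at `off`, return the absolute file
    offset just past the image's last raw section; otherwise None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew of a linked image is small (just past the DOS stub); bounding it
    # discards random 'MZ' byte pairs that happen to occur in data.
    if e_lfanew > 0x1000 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    sec_tbl = pe + 24 + opt_size
    end = sec_tbl + nsec * 40                                # at least the headers
    for i in range(nsec):
        s = sec_tbl + i * 40
        if s + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, s + 16)
        end = max(end, off + raw_ptr + raw_size)             # PointerToRawData is image-relative
    return end


def find_pe_images(data: bytes) -> List[Tuple[int, int]]:
    """Every (start, end) pair at which an MZ/PE header with a usable section table lies."""
    images = []
    pos = data.find(b"MZ")
    while pos != -1:
        end = pe_image_extent(data, pos)
        if end is not None:
            images.append((pos, end))
        pos = data.find(b"MZ", pos + 1)
    return images


def analyse(data: bytes) -> Dict[str, object]:
    """Report PE images found after the first image's section data and the
    number of bytes beyond that point. Only trailing images are treated as
    suspicious: an overlay alone is normal for signed binaries and installers."""
    images = find_pe_images(data)
    if not images:
        return {"images": [], "trailing_images": [], "appended_bytes": 0, "suspicious": False}
    first_end = images[0][1]
    trailing = [img for img in images[1:] if img[0] >= first_end]
    return {"images": images, "trailing_images": trailing,
            "appended_bytes": max(0, len(data) - first_end), "suspicious": bool(trailing)}


def scan_path(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return analyse(fh.read())


def make_pe(payload: bytes) -> bytes:
    """Constructed test data: a minimal PE-shaped blob (not runnable) with a DOS
    header, PE signature, COFF header, one section and no optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)    # i386, 1 section, opt hdr 0
    raw_ptr = 0x40 + 4 + 20 + 40                                    # 0x80: data follows headers
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000, len(payload),
                                        raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sec + payload


# Constructed files: a clean one, and one in the layout described above
# (loader part | original PE | worm copy).
CLEAN_FILE = make_pe(b"\x90" * 100)
INFECTED_FILE = make_pe(b"\xcc" * 96) + make_pe(b"\x90" * 200) + make_pe(b"\xcc" * 96)

if __name__ == "__main__":
    print(analyse(CLEAN_FILE))
    print(analyse(INFECTED_FILE))
```

For the sizes in the file list above, the first image of an infected file would end at 49,152 bytes and the last image would be 127,488 bytes long; the host program sits between them, which is what a repair tool has to carve out.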
The worm tries to log on to network shares using the following passwords:
(no password) 0 1 7 12 110 111 123 321 1234 2002 2003 2600 12345 54321 111111 121212 123123 123456 654321 666666 888888 1234567 11111111 12345678 88888888 123456789 !@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* 123abc 123asd a aaa abc abc123 abcd abcdef abcdefg Admin admin admin123 administrator Administrator alpha asdf asdfgh computer database enable god godblessyou Guest home Internet login Login love mypass mypass123 mypc mypc123 oracle owner pass passwd Password password pc pw pw123 pwd root secret server sex sql super sybase temp temp123 test test123 win xp xxx yxcv zxcv
If access succeeds, the worm copies itself into every directory it can reach, under the following file names:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
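The attachment names, the Temp drops and the share copies above share one trick: an executable extension (.exe, .pif, .scr) hidden behind a document, media or archive extension. The following added example (not part of the original description) classifies file names on that basis and walks a directory tree, which is how a file server share would be swept after an infection. SAMPLE_NAMES, classify, scan_dir and demo are constructed for this example; demo builds the sample share in a temporary directory.

```python
import os
import tempfile
from typing import Dict, List

# Extensions Windows executes directly when the file is opened.
EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
# Extensions the lures pretend to carry: documents, media, archives, web pages.
DECOY_EXT = {"txt", "doc", "jpg", "gif", "avi", "mp3", "rm", "zip", "rar",
             "htm", "html", "dat"}


def classify(name: str) -> str:
    """'disguised': executable extension preceded by a decoy extension;
    'executable': plain executable; 'other': everything else."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return "other"
    inner = parts[1:-1]          # extensions between base name and the real one
    if any(p in DECOY_EXT for p in inner):
        return "disguised"
    return "executable"


def scan_dir(root: str) -> Dict[str, List[str]]:
    """Walk `root` and bucket every file path by classify()."""
    buckets: Dict[str, List[str]] = {"disguised": [], "executable": [], "other": []}
    for dirpath, _, files in os.walk(root):
        for f in files:
            buckets[classify(f)].append(os.path.join(dirpath, f))
    return buckets


# Constructed share contents: names from the lists above plus two benign files.
SAMPLE_NAMES = [
    "Are you looking for Love.doc.exe", "autoexec.bat", "The world of lovers.txt.exe",
    "How To Hack Websites.exe", "Sex_For_You_Life.JPG.pif", "SIMS FullDownloader.zip.exe",
    "Me_nude.AVI.pif", "joke.pif", "quarterly-report.docx", "readme.txt",
]


def demo() -> Dict[str, int]:
    """Create the sample files in a temporary directory, scan it, and return
    the number of files per bucket."""
    with tempfile.TemporaryDirectory() as share:
        for n in SAMPLE_NAMES:
            open(os.path.join(share, n), "wb").close()
        return {k: len(v) for k, v in scan_dir(share).items()}


if __name__ == "__main__":
    print(demo())
```

Files in the "executable" bucket still need a look (autoexec.bat is on the list above), but the "disguised" bucket is where the worm's copies land, whatever random base name they were given in Temp.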
Backdoor Component
The backdoor uses port 20168; the following email address is used for sending out the collected information: hello_dll@163.com
Description added by Crony Walker on Tuesday, 15 June 2004.