Alias: W32/Lovgate.j@MM, PE_LOVGATE.J, Supnot
Type: Worm
Size: 127,488 kbytes (ASPack)
Origin: unknown
Date: 05-13-2003
Damage:
VDF Version: 6.19.00.15
Danger: Medium
Distribution: Low

General Description
Worm/Lovgate.J is a variant of Lovgate.F and was written in C++. It has a file size of 127,488 bytes and is packed with ASPack. The worm is a mass mailer: it harvests the email addresses it sends to from all files with the extension .HT*. The subject and the attachment name of its emails look like lists of random words. Worm/Lovgate.J copies itself under many file names into different folders and onto every mapped network drive found on the system. It also carries a backdoor component that listens on port 10168.

Symptoms
- Port 10168 is open on the infected system
- The files named below are present

Distribution
The worm spreads via email and shared network drives, and also replies to messages found in the Outlook Inbox.

Technical Details
When activated, Worm/Lovgate.J copies itself into the Windows system directory (\Windows\System\ on Windows 9x; \Windows\System32\ or \Winnt\System32\ on Windows NT-based systems) under the following file names:
* Ravmond.exe
* Iexplore.exe
* WinGate.exe
* WinDriver.exe
* Winrpc.exe
* Winhelp.exe
* winexe.exe
* Kernel66.dll ('Read Only' / 'Hidden' / 'System' rights set)

Also, the backdoor component's files are copied:
* Task688.dll
* Reg678.dll
* Ily668.dll
* Win32vxd.dll

The worm creates the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Program in Windows"="%system%\iexplore.exe"

* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

* [HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="winexe.exe %1"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.EXE"

Once the Windows system is infected, the worm looks for mapped network drives and copies itself onto them under the following names:
* Are you looking for Love.doc.exe
* MSN Password Hacker and Stealer.exe
* AN-YOU-SUCK-IT.txt.pif
* 100 free essays school.pif
* Winrar + crack.exe
* Age of empires 2 crack.exe
* The world of lovers.txt.exe
* autoexec.bat
* Sex_For_You_Life.JPG.pif
* Star Wars II Movie Full Downloader.exe
* Panda Titanium Crack.zip.exe
* How To Hack Websites.exe
* SIMS FullDownloader.zip.exe
* CloneCD + crack.exe
* Mafia Trainer!!!.exe

Afterwards, the worm searches the network for other computers on which it can log on as Administrator or Guest. For this it uses the following list of passwords, which it carries with it:
zxcv, yxcv, xxx, win, test123, test, temp123, temp, sybase, super, sex, secret, pwd, pw123, Password, owner, oracle, mypc123, mypc, mypass123, mypass, love, login, Login, Internet, home, godblessyou, god, enable, database, computer, alpha, admin123, Admin, abcd, aaa, 88888888, 2600, 2003, 2002, 123asd, 123abc, 123456789, 1234567, 123123, 121212, 11111111, 110, 007, 00000000, 000000, pass, 54321, 12345, password, passwd, server, sql, !@#$%^&*, !@#$%^&, !@#$%^ , !@#$%, asdfgh, asdf, !@#$, 1234, 111, root, abc123, 12345678, abcdefg, abcdef, abc, 888888 ,666666 ,111111, admin, administrator, guest, 654321, 123456, 321, 123

If the worm succeeds in logging on to such a computer as Administrator or Guest, it copies itself there as:
* NetServices.exe
* WinDriver.exe

It runs "NetServices.exe" as a service named "Microsoft Network FireWall Services". For "WinDriver.exe" it registers a new service under:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Instrumentation Driver Extension]

When the remote system is restarted, this new service starts and the computer is infected.
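As an added example (not Avira's code), the following Python check matches a host snapshot against the dropped files, Run values, shell\open\command hijacks, service name and backdoor port described in this section; the snapshot is a constructed sample of what a collection script on the host would gather, and the same check can be re-run after cleanup to confirm nothing remains.

```python
"""Offline check of a host snapshot against the Worm/Lovgate.J indicators above.
Added example, not Avira's code; SAMPLE is constructed, the indicators come from the description."""
import re

# Files the worm drops into the system directory (iexplore.exe normally lives under
# Program Files, so a copy in the system directory is suspect by itself).
DROPPED_FILES = {
    "ravmond.exe", "iexplore.exe", "wingate.exe", "windriver.exe", "winrpc.exe",
    "winhelp.exe", "winexe.exe", "kernel66.dll", "task688.dll", "reg678.dll",
    "ily668.dll", "win32vxd.dll", "netservices.exe"}
RUN_VALUES = {"syshelp", "wingate initialize", "module call initialize", "program in windows"}
# Singular "Extension": the legitimate XP service is "... Driver Extensions" (plural).
SERVICE = "windows management instrumentation driver extension"
BACKDOOR_PORT = 10168
HIJACK = re.compile(r"\b(winexe|winrpc)\.exe\b", re.I)  # exefile/txtfile open-command hijack

def check_snapshot(snap):
    """Return findings for one snapshot dict (keys: system_dir_files, run_values,
    nt_windows_run, exefile_cmd, txtfile_cmd, services, listening)."""
    findings = []
    for name in snap.get("system_dir_files", []):
        if name.lower() in DROPPED_FILES:
            findings.append("dropped file in system dir: " + name)
    for val, cmd in snap.get("run_values", {}).items():
        if val.lower() in RUN_VALUES or "-remoteshell" in cmd.lower():
            findings.append("Run value %s = %s" % (val, cmd))
    if snap.get("nt_windows_run", "").lower().endswith("ravmond.exe"):
        findings.append("Windows NT\\CurrentVersion\\Windows 'run' = RAVMOND.EXE")
    for cls in ("exefile", "txtfile"):  # a clean exefile command starts with "%1"
        cmd = snap.get(cls + "_cmd", "")
        if HIJACK.search(cmd):
            findings.append(cls + " shell\\open\\command hijacked: " + cmd)
    if any(s.lower() == SERVICE for s in snap.get("services", [])):
        findings.append("worm service installed: " + SERVICE)
    if BACKDOOR_PORT in snap.get("listening", set()):
        findings.append("backdoor port %d listening" % BACKDOOR_PORT)
    return findings

SAMPLE = {  # constructed: an infected host with a few legitimate entries mixed in
    "system_dir_files": ["kernel32.dll", "Kernel66.dll", "WinGate.exe"],
    "run_values": {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
                   "WinGate initialize": "C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"},
    "nt_windows_run": "RAVMOND.EXE",
    "exefile_cmd": "winexe.exe %1",
    "txtfile_cmd": "%SystemRoot%\\system32\\NOTEPAD.EXE %1",
    "services": ["Windows Management Instrumentation Driver Extensions",  # legitimate
                 "Windows Management Instrumentation Driver Extension"],  # the worm's
    "listening": {135, 445, 10168},
}
```

Running check_snapshot(SAMPLE) yields seven findings; the legitimate Wmi service (plural name) and ctfmon.exe Run value are not reported.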

The emails sent by Lovgate.J vary considerably; some examples:

Subject:
Reply to this!
Body:
Copy of your message, including all the headers is
attached.
Attachment:
Doom3 Preview!!!.exe

or
Subject:
Last Update
Body:
Send me your comments...
Attachment:
About_Me.txt.pif

or
Subject:
Hi Dear
Body:
Hart (Zellweger), who shoots her unfaithful lover
(West).
Attachment:
images.pif

or
Subject:
Help
Body:
For further assistance, please contact!
Attachment:
Interesting.exe

Worm/Lovgate.J can also reply to messages found in the Outlook 'Inbox', attaching an infected file:

Subject:
Re: <%ORGINAL_SUBJECT%>

Body:
<%NAME_of_SENDER%> wrote:
===
> <%ORGINAL_MESSAGE%>
>
===
<%NAME_of_RECIPIENT%> auto-replay:

> Get your FREE <%ORGINAL_SENDER_HOSTNAME%>
now! <

If you can keep your head when all about you
Are losing theirs and blamin it on you;
If you can trust yourself when all men doubt you,
But make allowance for thier doubting too;
If you can wait and not be tired by waiting,
Or, beeing lied about, don't deal in lies,
Or, beeing hated, don'tgibe way to hating,
And yet don't look to good, nor talk to wise;
... ... more look to attachment

Attachment:
the hardcore game-.pif
Deutsch BloodPatch!.exe
Me_nude.AVI.pif
How to Crack all gamez.exe
SETUP.EXE
joke.pif
s3msong.MP3.pif
Shakira.zip.exe
Sex in Office.rm.scr
StarWars2 - CloneAttack.rm.scr
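As an added example (not part of Avira's description), the following Python function triages incoming mail against the subject, body and attachment indicators listed above; the messages it runs on are constructed samples, and the double-extension rule generalises the .txt.pif / .AVI.pif / .zip.exe pattern beyond the exact names on this page.

```python
"""Mail-gateway triage for the Worm/Lovgate.J mail templates above. Added example,
not Avira's code; SAMPLES are constructed, the indicators come from the description."""
import re

KNOWN_SUBJECTS = {"reply to this!", "last update", "hi dear", "help"}
KNOWN_ATTACHMENTS = {
    "doom3 preview!!!.exe", "about_me.txt.pif", "images.pif", "interesting.exe",
    "the hardcore game-.pif", "deutsch bloodpatch!.exe", "me_nude.avi.pif",
    "how to crack all gamez.exe", "setup.exe", "joke.pif", "s3msong.mp3.pif",
    "shakira.zip.exe", "sex in office.rm.scr", "starwars2 - cloneattack.rm.scr"}
EXEC_EXT = {"exe", "pif", "scr"}
# Executable hidden behind a harmless-looking extension (.txt.pif, .AVI.pif, .zip.exe ...).
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|pif|scr)$", re.I)
AUTO_REPLY = re.compile(r"auto-replay:", re.I)  # worm's Inbox reply marker (its own spelling)

def triage(msg):
    """Return the Lovgate.J indicators matched by one message dict
    ({"subject": str, "body": str, "attachments": [str, ...]})."""
    hits = []
    if msg.get("subject", "").strip().lower() in KNOWN_SUBJECTS:
        hits.append("known-subject")
    if AUTO_REPLY.search(msg.get("body", "")):
        hits.append("auto-reply-template")
    for name in msg.get("attachments", []):
        low = name.lower()
        if low in KNOWN_ATTACHMENTS:
            hits.append("known-attachment:" + name)
        elif DOUBLE_EXT.search(low):
            hits.append("double-extension:" + name)
        elif low.rsplit(".", 1)[-1] in EXEC_EXT:
            hits.append("executable-attachment:" + name)
    return hits

def is_suspect(msg):
    """Quarantine on a known/disguised attachment or the auto-reply template; a
    known subject alone only counts together with some executable attachment."""
    hits = triage(msg)
    strong = ("known-attachment", "double-extension", "auto-reply")
    return any(h.startswith(strong) for h in hits) or (
        "known-subject" in hits and any(h.startswith("executable") for h in hits))

SAMPLES = [  # constructed messages: three worm-style, one benign
    {"subject": "Hi Dear", "body": "Hart (Zellweger), who shoots her unfaithful lover (West).",
     "attachments": ["images.pif"]},
    {"subject": "Re: quarterly report", "attachments": ["Me_nude.AVI.pif"],
     "body": "bob wrote:\n===\n> numbers attached\n===\nalice auto-replay:\n"},
    {"subject": "Holiday photos", "body": "see attached", "attachments": ["beach.JPG.exe"]},
    {"subject": "Help", "body": "could you look at my notes?", "attachments": ["notes.txt"]},
]
```

The benign "Help" message with a plain .txt attachment is not quarantined, since a reused subject alone is too weak a signal.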

Manual Removal Instructions
- for Windows 2000/XP:
To remove the worm by hand, first boot into Safe Mode: press the F8 key when you start your computer and select the 'Safe Mode' option from the menu that appears. Then delete the following files:

* Ravmond.exe
* Iexplore.exe
* WinGate.exe
* WinDriver.exe
* Winrpc.exe
* Winhelp.exe
* winexe.exe
* Kernel66.dll ('Read Only' / 'Hidden' / 'System' rights set)
* Task688.dll
* Reg678.dll
* Ily668.dll
* Win32vxd.dll
* NetServices.exe
* WinDriver.exe

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Program in Windows"="%system%\iexplore.exe"

* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

* [HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="winexe.exe %1"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.EXE"

* [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Instrumentation Driver Extension]

Restart your computer.

- for Windows 9x/ME:
To remove the worm by hand, first boot into Safe Mode: press the F8 key when you start your computer and select the 'Safe Mode' option from the menu that appears. Then delete the following files:
* Ravmond.exe
* Iexplore.exe
* WinGate.exe
* WinDriver.exe
* Winrpc.exe
* Winhelp.exe
* winexe.exe
* Kernel66.dll ('Read Only' / 'Hidden' / 'System' rights set)
* Task688.dll
* Reg678.dll
* Ily668.dll
* Win32vxd.dll
* NetServices.exe
* WinDriver.exe

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Program in Windows"="%system%\iexplore.exe"

* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

* [HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="winexe.exe %1"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.EXE"

* [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Instrumentation Driver Extension]

Restart your computer.
Description added by Crony Walker on Tuesday, 15 June 2004.
