Worm/Lovgate.J
Alias:
W32/Lovgate.j@MM, PE_LOVGATE.J, Supnot
Type:
Worm
Size:
127,488 bytes (ASPack)
Origin:
unknown
Date:
05-13-2003
Damage:
VDF Version:
6.19.00.15
Danger:
Medium
Distribution:
Low
General Description
Worm/Lovgate.J is a variant of Lovgate.F, written in C++. The file is 127,488 bytes long and packed with ASPack. The worm is a mass mailer: it harvests the email addresses it sends to from all files with the extension .HT* on the infected system. The subject lines and attachment names vary and read like random word combinations (the templates it uses are listed under Technical Details). Worm/Lovgate.J also copies itself under many file names into several folders and onto every mapped network drive it finds, and it carries a backdoor component that listens on port 10168.
Symptoms
- Port 10168 is open on the infected system
- The files named below are present in the system directory
Distribution
The worm spreads via email and via network shares. It also replies to messages found in the Outlook Inbox with an infected attachment.
Technical Details
When activated, Worm/Lovgate.J copies itself into the Windows system directory (\Windows\System\ on Microsoft Windows 9x systems; \Windows\System32\ or \Winnt\System32\ on Microsoft Windows NT systems) under the following file names:
* Ravmond.exe
* Iexplore.exe
* WinGate.exe
* WinDriver.exe
* Winrpc.exe
* Winhelp.exe
* winexe.exe
* Kernel66.dll ('Read Only' / 'Hidden' / 'System' rights set)
Also, the backdoor component's files are copied:
* Task688.dll
* Reg678.dll
* Ily668.dll
* Win32vxd.dll
The worm creates the following registry entries:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Program in Windows"="%system%\iexplore.exe"
* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
* [HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="winexe.exe %1"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.EXE"
The last three entries are what make this variant persistent even after the Run values are removed: the .txt and .exe file associations now point at the worm's own copies, so every text file or program the user opens is launched through winrpc.exe or winexe.exe, and the legacy "run" line under Windows NT\CurrentVersion\Windows starts RAVMOND.EXE at logon.
Once the local system is infected, the worm looks for mapped network drives and copies itself onto them under the following names:
* Are you looking for Love.doc.exe
* MSN Password Hacker and Stealer.exe
* AN-YOU-SUCK-IT.txt.pif
* 100 free essays school.pif
* Winrar + crack.exe
* Age of empires 2 crack.exe
* The world of lovers.txt.exe
* autoexec.bat
* Sex_For_You_Life.JPG.pif
* Star Wars II Movie Full Downloader.exe
* Panda Titanium Crack.zip.exe
* How To Hack Websites.exe
* SIMS FullDownloader.zip.exe
* CloneCD + crack.exe
* Mafia Trainer!!!.exe
Afterwards, the worm looks for other computers on the network on which it can log on as administrator or guest. For this it uses the following built-in password list:
zxcv, yxcv, xxx, win, test123, test, temp123, temp, sybase, super, sex, secret, pwd, pw123, Password, owner, oracle, mypc123, mypc, mypass123, mypass, love, login, Login, Internet, home, godblessyou, god, enable, database, computer, alpha, admin123, Admin, abcd, aaa, 88888888, 2600, 2003, 2002, 123asd, 123abc, 123456789, 1234567, 123123, 121212, 11111111, 110, 007, 00000000, 000000, pass, 54321, 12345, password, passwd, server, sql, !@#$%^&*, !@#$%^&, !@#$%^, !@#$%, asdfgh, asdf, !@#$, 1234, 111, root, abc123, 12345678, abcdefg, abcdef, abc, 888888, 666666, 111111, admin, administrator, guest, 654321, 123456, 321, 123
If the worm succeeds in logging on to such a computer as administrator or guest, it copies itself there as:
* NetServices.exe
* WinDriver.exe
It then starts NetServices.exe on the remote machine as a service named "Microsoft Network FireWall Services", and registers WinDriver.exe as a second service under the key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Instrumentation Driver Extension]
When the remote system is restarted, this service runs and the computer is infected in turn.
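The share-spreading routine above is noisy from the defender's side: one source address produces a burst of failed logons as administrator or guest against several hosts within seconds, followed by a success on whichever machine accepted one of the dictionary passwords. The following is an added example of that detection logic, not code from the original description. The log format (one attempt per line, space-separated key=value fields) and the sample lines are constructed assumptions; only the two account names come from the page.

```python
"""Spot the share-spreading behaviour described above in authentication logs.

Added example, not part of the original description. The log format is an
assumption (one attempt per line, space-separated key=value fields) and the
lines are constructed; only the account names come from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The worm only tries these two accounts, with its built-in password list.
TARGET_ACCOUNTS = {"administrator", "guest"}

# Constructed sample: 10.0.0.7 works through the list against several hosts and
# finally gets in on FS03; 10.0.0.42 is a user who mistyped a password once.
SAMPLE_LOG = """\
2003-05-13T10:00:01 host=FS01 src=10.0.0.7 user=Administrator result=FAIL
2003-05-13T10:00:01 host=FS01 src=10.0.0.7 user=Administrator result=FAIL
2003-05-13T10:00:02 host=FS01 src=10.0.0.7 user=Administrator result=FAIL
2003-05-13T10:00:02 host=FS01 src=10.0.0.7 user=Guest result=FAIL
2003-05-13T10:00:03 host=FS02 src=10.0.0.7 user=Administrator result=FAIL
2003-05-13T10:00:03 host=FS02 src=10.0.0.7 user=Administrator result=FAIL
2003-05-13T10:00:04 host=FS02 src=10.0.0.7 user=Guest result=FAIL
2003-05-13T10:00:05 host=FS03 src=10.0.0.7 user=Administrator result=FAIL
2003-05-13T10:00:06 host=FS03 src=10.0.0.7 user=Administrator result=OK
2003-05-13T10:00:30 host=FS01 src=10.0.0.42 user=jsmith result=FAIL
2003-05-13T10:00:31 host=FS01 src=10.0.0.42 user=jsmith result=OK
"""


def parse_line(line):
    """'2003-05-13T10:00:01 host=FS01 src=10.0.0.7 user=Administrator result=FAIL' -> dict"""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(timestamp)
    return record


def find_spreaders(log_text, window=timedelta(seconds=60), min_failures=5, min_hosts=2):
    """Return {src: summary} for every source with at least `min_failures` failed
    logons as administrator/guest against at least `min_hosts` distinct hosts
    inside some sliding `window`. The summary also lists successful logons from
    the same source: those are the machines to check for NetServices.exe and
    WinDriver.exe."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            record = parse_line(line)
            if record["user"].lower() in TARGET_ACCOUNTS:
                by_src[record["src"]].append(record)

    hits = {}
    for src, records in by_src.items():
        records.sort(key=lambda r: r["ts"])
        failures = [r for r in records if r["result"] == "FAIL"]
        start = 0
        for end in range(len(failures)):
            # advance the window start until the span fits inside `window`
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            in_window = failures[start:end + 1]
            hosts_in_window = {r["host"] for r in in_window}
            if len(in_window) >= min_failures and len(hosts_in_window) >= min_hosts:
                hits[src] = {
                    "failures": len(failures),
                    "hosts": sorted({r["host"] for r in failures}),
                    "successes": sorted((r["host"], r["user"]) for r in records if r["result"] == "OK"),
                }
                break
    return hits


if __name__ == "__main__":
    for src, summary in find_spreaders(SAMPLE_LOG).items():
        print(src, summary)
```

The thresholds are deliberately low because the worm's list is short and it moves to the next host quickly; a single user mistyping a password (10.0.0.42 in the sample) never reaches them. A success that follows the burst is the more important signal than the burst itself.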
The emails sent by Lovgate.J vary. The following subject, body and attachment combinations are used (the text is the worm's own, reproduced as sent):
Subject:
Reply to this!
Body:
Copy of your message, including all the headers is
attached.
Attachment:
Doom3 Preview!!!.exe
or
Subject:
Last Update
Body:
Send me your comments...
Attachment:
About_Me.txt.pif
or
Subject:
Hi Dear
Body:
Hart (Zellweger), who shoots her unfaithful lover
(West).
Attachment:
images.pif
or
Subject:
Help
Body:
For further assistance, please contact!
Attachment:
Interesting.exe
Worm/Lovgate.J can also reply to messages found in the Outlook 'Inbox', sending an infected attachment. The placeholders below are filled in from the original message; the body text, including its spelling errors, is the worm's own:
Subject:
Re: <%ORGINAL_SUBJECT%>
Body:
<%NAME_of_SENDER%> wrote:
===
> <%ORGINAL_MESSAGE%>
>
===
<%NAME_of_RECIPIENT%> auto-replay:
> Get your FREE <%ORGINAL_SENDER_HOSTNAME%>
now! <
If you can keep your head when all about you
Are losing theirs and blamin it on you;
If you can trust yourself when all men doubt you,
But make allowance for thier doubting too;
If you can wait and not be tired by waiting,
Or, beeing lied about, don't deal in lies,
Or, beeing hated, don'tgibe way to hating,
And yet don't look to good, nor talk to wise;
... ... more look to attachment
Attachment (one of):
the hardcore game-.pif
Deutsch BloodPatch!.exe
Me_nude.AVI.pif
How to Crack all gamez.exe
SETUP.EXE
joke.pif
s3msong.MP3.pif
Shakira.zip.exe
Sex in Office.rm.scr
StarWars2 - CloneAttack.rm.scr
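Two things in the templates above are mechanically detectable at the mail gateway: the Inbox-reply variant always uses a "Re:" subject plus fixed body strings, and almost every attachment name is a decoy extension followed by an executable one (.txt.pif, .zip.exe, .rm.scr). The following classifier is an added example, not code from the original description; the sample message is constructed for the demo and only the attachment names, subject prefix and body markers are taken from this page.

```python
"""Flag mail that matches the Lovgate.J lure patterns described above.

Added example, not code from the original description. The message below is
constructed for the demo; the attachment names, subject prefix and body
markers are taken from the templates on this page.
"""
import email
from email import policy

# Extensions that Windows executes directly; the lures above end in .exe, .pif and .scr.
EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs"}
# Innocuous-looking inner extensions the worm pairs with an executable one
# (About_Me.txt.pif, Shakira.zip.exe, Sex in Office.rm.scr, ...).
DECOY_EXT = {"txt", "doc", "zip", "jpg", "avi", "mp3", "rm"}
# Literal strings from the worm's auto-reply template.
REPLY_MARKERS = ("auto-replay:", "more look to attachment")

# Constructed sample in the shape of the Inbox-reply template (not a real capture).
SAMPLE_MAIL = """\
From: alice@example.test
To: bob@example.test
Subject: Re: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

alice wrote:
===
> can you send the quarterly numbers?
>
===
bob auto-replay:
> Get your FREE example.test now! <
... ... more look to attachment
--XX
Content-Type: application/octet-stream; name="Me_nude.AVI.pif"
Content-Disposition: attachment; filename="Me_nude.AVI.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XX--
"""


def is_double_extension(filename: str) -> bool:
    """True for 'About_Me.txt.pif' or 'Shakira.zip.exe'; False for 'setup.exe' or 'report.pdf'."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXT and parts[1] in DECOY_EXT


def classify(raw_message: str) -> list:
    """Return a list of findings for one RFC 822 message (empty list = nothing matched)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    # The Inbox-reply variant always uses "Re: <original subject>" plus the template text.
    if subject.lower().startswith("re:") and any(marker in body for marker in REPLY_MARKERS):
        findings.append("reply-template body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if is_double_extension(name):
            findings.append(f"double-extension attachment: {name}")
        elif ext in EXEC_EXT:
            findings.append(f"executable attachment: {name}")
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_MAIL):
        print(finding)
```

A plain .exe attachment (SETUP.EXE in the list above) is reported separately from the double-extension case because many gateways block the former outright but still let "Me_nude.AVI.pif" through when only the displayed name is checked.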
Manual Remove Instructions
- for Windows 2000/XP and Windows 9x/ME:
The steps are the same on both families; only the system directory differs (\Windows\System\ on 9x/ME, \Windows\System32\ or \Winnt\System32\ on 2000/XP). Boot into Safe Mode first: press the F8 key while the computer starts and select the 'Safe Mode' option from the menu.
Repair the registry before deleting any files. The worm points the .exe file association at winexe.exe, so once that file is gone nothing launched through the shell (regedit included) will start until the association is restored. Start "regedit" and fix the following entries:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Delete only these four values; leave the key and any other values in it:
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Program in Windows"="%system%\iexplore.exe"
* [HKEY_CLASSES_ROOT\exefile\shell\open\command]
The worm sets the default value to @="winexe.exe %1". Do not delete the key; set the default value back to "%1" %* (with the quotes), otherwise no .exe file will run.
* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
The worm sets the default value to @="winrpc.exe %1". Set it back to the path of NOTEPAD.EXE followed by %1 (on Windows 2000/XP the default is %SystemRoot%\system32\NOTEPAD.EXE %1).
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.EXE": clear the value (set it to an empty string); do not delete the key, Windows uses it.
* [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Instrumentation Driver Extension]
Delete this whole key; it is the worm's own service. Do not confuse it with the legitimate Windows service of similar display name, which lives under the Services\Wmi key and must stay.
Then delete the following files from the system directory. Kernel66.dll has the 'Read Only', 'Hidden' and 'System' attributes set, so it is neither shown nor deletable until they are cleared (for example with attrib -r -h -s Kernel66.dll at a command prompt):
* Ravmond.exe
* Iexplore.exe (only the copy in the system directory; the real Internet Explorer binary is in Program Files\Internet Explorer)
* WinGate.exe
* WinDriver.exe
* Winrpc.exe
* Winhelp.exe
* winexe.exe
* Kernel66.dll
* Task688.dll
* Reg678.dll
* Ily668.dll
* Win32vxd.dll
* NetServices.exe
Also remove the copies the worm dropped on mapped network drives (the file names listed under Technical Details), and check every machine the infected one could log on to for NetServices.exe and WinDriver.exe and the service key above.
Restart your computer.
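The registry part of the clean-up above is easy to get wrong, because two of the entries must be restored rather than deleted. One way to check an export taken with regedit /e before touching the live registry, as an added example that is not part of the original description: the export text is constructed, the key and value names and the worm's data come from this page, and the 'restore' values are the stock Windows defaults (an assumption; compare with a known-clean machine of the same version before applying them).

```python
"""Audit a regedit export (regedit /e) for the Worm/Lovgate.J entries listed
above and say how each should be repaired.

Added example, not part of the original description. The export text is
constructed; key and value names and the worm's data come from this page.
The 'restore' values are the stock Windows defaults (an assumption; confirm
against a known-clean machine of the same version before applying).
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINNT_WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
SERVICE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
               r"\Windows Management Instrumentation Driver Extension")

# (key, value name or None for 'whole key', substring that marks the worm's data,
#  value to restore or None to delete)
CHECKS = [
    (RUN_KEY, "syshelp", "syshelp.exe", None),
    (RUN_KEY, "WinGate initialize", "wingate.exe", None),
    (RUN_KEY, "Module Call initialize", "reg.dll", None),
    (RUN_KEY, "Program in Windows", "iexplore.exe", None),
    (WINNT_WINDOWS_KEY, "run", "ravmond.exe", ""),       # legacy Run= line: clear it, keep the key
    (EXEFILE_KEY, "@", "winexe.exe", '"%1" %*'),         # deleting this breaks every .exe launch
    (TXTFILE_KEY, "@", "winrpc.exe", r"%SystemRoot%\system32\NOTEPAD.EXE %1"),
    (SERVICE_KEY, None, None, None),                     # the worm's own service: remove the key
]

# Constructed export: the Run key also holds one benign value, and txtfile is already clean.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Program in Windows"="C:\\WINDOWS\\SYSTEM\\iexplore.exe"
"ExampleAgent"="C:\\Program Files\\Vendor\\agent.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.EXE"
"load"=""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="winexe.exe %1"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Instrumentation Driver Extension]
"ImagePath"="C:\\WINDOWS\\SYSTEM32\\WinDriver.exe"
"Start"=dword:00000002
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Minimal parser for a regedit export: {key: {value name: data}}.
    String data is unescaped; dword:/hex: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def audit(export_text):
    """Return one finding per worm entry present: {'key', 'name', 'action', 'restore'}."""
    # registry key and value names are case-insensitive, so compare lower-cased
    keys = {k.lower(): v for k, v in parse_reg_export(export_text).items()}
    findings = []
    for key, name, marker, restore in CHECKS:
        values = keys.get(key.lower())
        if values is None:
            continue
        if name is None:
            findings.append({"key": key, "name": None, "action": "delete key", "restore": None})
            continue
        data = next((v for n, v in values.items() if n.lower() == name.lower()), None)
        if data is not None and marker in data.lower():
            findings.append({"key": key, "name": name,
                             "action": "delete value" if restore is None else "restore value",
                             "restore": restore})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f["action"], f["key"], f["name"], f["restore"])
```

The audit only flags a value when its data actually contains the worm's executable name, so a Run entry that happens to share a name with one of the worm's but points elsewhere is not reported; the benign ExampleAgent value and the already-clean txtfile association in the sample produce no findings.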
Description added by: Crony Walker on Tuesday, 15 June 2004