Alias: Supnot, I-Worm.Supnot
Type: Worm
Size: 84,992 bytes
Origin: unknown
Date: 02-24-2003
Damage:
VDF Version:
Danger: Medium
Distribution: Medium

General Description
Worm/Lovegate copies itself under many names into the Windows system folder, spreads over shared drives and sends itself by email.

Symptoms
A backdoor component is installed that opens port 10168 on the infected computer.

Distribution
The worm has its own SMTP engine and sends itself to every email address it finds on the infected computer. It also spreads from the infected computer over network drives.

Technical Details
Worm/Lovegate (84,882 bytes) is a mass mailer packed with ASPack. It spreads both by email and over network drives and carries a backdoor component. If the worm finds a shared network drive, it copies itself to that drive under the following names:

billgt.exe, Card.EXE, docs.exe, fun.exe, hamster.exe, humor.exe, images.exe, joke.exe, midsong.exe, news_doc.exe, pics.exe, PsPGame.exe, s3msong.exe, searchURL.exe, SETUP.EXE, tamagotxi.exe

After it has been activated, the worm copies itself into the system folder under the names:

* C:\<%WINDOWS_DIR%>\<%SYSTEM_DIR%>\WinGate.exe
* C:\<%WINDOWS_DIR%>\<%SYSTEM_DIR%>\WinRpcsrc.exe
* C:\<%WINDOWS_DIR%>\<%SYSTEM_DIR%>\SysHelp.exe
* C:\<%WINDOWS_DIR%>\<%SYSTEM_DIR%>\WinPrc.exe
* C:\<%WINDOWS_DIR%>\<%SYSTEM_DIR%>\RpcSrv.exe

Worm/Lovegate makes the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"

and

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

The last entry ensures that the worm is opened and run whenever a .TXT file is double-clicked.

Win.ini is also changed, as follows:
Run=rpcsrv.exe
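
As a defender-side illustration added here (this is not part of the Avira description), the following Python checks a registry export fragment and a win.ini fragment for the persistence entries listed above. The indicator strings are taken from this page; the sample inputs are constructed, not a real capture.

```python
import re
# Constructed sample of a "reg export" of the two keys the advisory lists (not a real capture).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"LegitUpdater"="C:\\Program Files\\Legit\\update.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nRun=rpcsrv.exe\n"  # constructed win.ini fragment
RUN_INDICATORS = ("syshelp.exe", "wingate.exe -remoteshell", "reg.dll ondll_reg")  # from the advisory
TXTFILE_INDICATOR = "winrpc.exe"
WIN_INI_INDICATOR = "rpcsrv.exe"

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_lovegate_persistence(reg_text, win_ini_text):
    """Return (location, value_name, data) for each entry matching the advisory's indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        for name, data in values.items():
            d = data.lower()
            if k.endswith(r"\currentversion\run") and any(i in d for i in RUN_INDICATORS):
                hits.append((key, name, data))
            elif k.endswith(r"\txtfile\shell\open\command") and TXTFILE_INDICATOR in d:
                hits.append((key, name, data))
    section = None  # win.ini: the worm's Run= line sits in the [windows] section
    for line in map(str.strip, win_ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith("run=") and WIN_INI_INDICATOR in line.lower():
            hits.append(("win.ini [windows]", "Run", line.split("=", 1)[1]))
    return hits
```

Run against a real `reg export` of the two keys and the machine's win.ini, a non-empty result lists exactly which of the advisory's entries are present; the txtfile check matches on the worm's handler rather than on "not notepad" to avoid flagging legitimate custom text editors.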

The backdoor component of the worm saves keystroke logs and passwords in the following files:

* win32pwd.sys
* win32add.sys

and sends them to the email addresses 'hello_dll@163.com' and 'hacker117@163.com'.

Manual Removal Instructions
- for Windows 2000/XP:
To remove the worm by hand, boot into Safe Mode first: press the F8 key when the computer starts and select the 'Safe Mode' option from the menu that appears. Then delete the following files:

* WinGate.exe
* WinRpcsrc.exe
* SysHelp.exe
* WinPrc.exe
* RpcSrv.exe
* 1.DLL
* ily.dll
* reg.dll
* Task.dll
* win32vxd.dll

After that, start "regedit" and edit the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"

* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

Restart your computer.

- for Windows 9x/ME:
To remove the worm by hand, boot into Safe Mode first: press the F8 key when the computer starts and select the 'Safe Mode' option from the menu that appears. Then delete the following files:

* WinGate.exe
* WinRpcsrc.exe
* SysHelp.exe
* WinPrc.exe
* RpcSrv.exe
* 1.DLL
* ily.dll
* reg.dll
* Task.dll
* win32vxd.dll

After that, start "regedit" and edit the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"

* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

Restart your computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
