W32/Lovgate.f@M

Type
Virus
SubType
E-mail worm
Discovery Date
03/22/2003
Length
107,008 bytes
Minimum DAT
4254 (03/26/2003)
Updated DAT
4907 (11/29/2006)
Minimum Engine
5.1.00
Description Added
03/24/2003
Description Modified
08/03/2004 6:56 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

---Update 05/13/2003----
A new variant of this virus (W32/Lovgate.j@M) has been reported. This variant is detected as W32/Lovgate.gen@M with the 4254 DATs or greater (with scan compressed files enabled).

---Update 03/28/2003----
Due to media attention, AVERT needs to stress that detection for both W32/Lovgate.f@M and W32/Lovgate.g@M was included in the 4254 DATs. The two variants are very similar in characteristics; the only difference is the file size.

This variant does not function properly on Windows 9x/ME. The worm propagates via email (it contains its own SMTP engine) and by copying itself to network shares. It may also drop a backdoor component that listens on TCP port 20168 and gives a remote attacker console access to the compromised system.

Email propagation
The worm replies to unread messages in the Microsoft Outlook and Outlook Express inbox. The replies are constructed as follows:

Subject: Re: Original subject
Body:

======
original message body
======
sender's domain account auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE sender's domain now! <

Attachment: (one of the following)

  • Britney spears nude.exe.txt.exe
  • Deutsch BloodPatch!.exe
  • dreamweaver MX (crack).exe
  • DSL Modem Uncapper.rar.exe
  • How to Crack all gamez.exe
  • I am For u.doc.exe
  • Industry Giant II.exe
  • joke.pif
  • Macromedia Flash.scr
  • Me_nude.AVI.pif
  • s3msong.MP3.pif
  • SETUP.EXE
  • Sex in Office.rm.scr
  • Shakira.zip.exe
  • StarWars2 - CloneAttack.rm.scr
  • the hardcore game-.pif
The worm also harvests email addresses from MAILTO links in *.HT* files (HTML documents) found on the infected system. It sends those recipients one of the following messages:

Subject: Reply to this!
Body: For further assistance, please contact!
Attachment: About_Me.txt.pif
or
Subject: Let's Laugh
Body: Copy of your message, including all the headers is attached.
Attachment: driver.exe
or
Subject: Last Update
Body: This is the last cumulative update.
Attachment: Doom3 Preview!!!.exe
or
Subject: For you
Body: Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
Attachment: enjoy.exe
or
Subject: Great
Body: Send reply if you want to be official beta tester.
Attachment: YOU_are_FAT!.TXT.pif
or
Subject: Help
Body: This message was created automatically by mail delivery software (Exim).
Attachment: Source.exe
or
Subject: Attached one Gift for u..
Body: It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
Attachment: nteresting.exe
or
Subject: Hi Dear
Body: Adult content!!! Use with parental advisory.
Attachment: README.TXT.pif
or
Subject: Hi
Body: Patrick Ewing will give Knick fans something to cheer about Friday night.
Attachment: images.pif
or
Subject: See the attachement
Body: Send me your comments...
Attachment: Pics.ZIP.scr
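
A mail-gateway check for the lures described above, as an added example (this is not AVERT's or McAfee's code). It parses a raw RFC 822 message with Python's standard email library and reports when the attachment name is executable, when the name hides a real extension behind a decoy one (Me_nude.AVI.pif, README.TXT.pif), or when the subject or body matches one of the templates listed above. Both sample messages are constructed for the example; the subject list and the body marker are taken from the description.

```python
from email import message_from_string
from email.message import Message

# Extensions Windows executes regardless of how the name is dressed up.
EXECUTABLE_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs"}
# Subjects of the messages sent to harvested addresses (from the description).
LOVGATE_SUBJECTS = {
    "reply to this!", "let's laugh", "last update", "for you", "great", "help",
    "attached one gift for u..", "hi dear", "hi", "see the attachement",
}
# Text the fake auto-reply plants after the verse.
LOVGATE_BODY_MARKER = "more look to the attachment."


def attachment_names(msg: Message) -> list[str]:
    """Filenames of every attachment part in a (possibly multipart) message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def body_text(msg: Message) -> str:
    """Concatenated text/plain parts that are not themselves attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def filename_verdict(name: str) -> list[str]:
    """Reasons a single attachment name looks like the lure (empty if it does not)."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXT:
        return []
    reasons = [f"executable attachment (.{parts[-1]})"]
    # 'Me_nude.AVI.pif' style: a decoy extension in front of the real one.
    if len(parts) >= 3:
        reasons.append(f"double extension (.{parts[-2]}.{parts[-1]})")
    return reasons


def scan_message(raw: str) -> dict:
    """Parse one raw RFC 822 message and return {'block': bool, 'indicators': [...]}.

    Policy: an executable attachment is blocked outright; subject and body matches
    are reported only as indicators, so an ordinary message titled 'Hi' is not blocked.
    """
    msg = message_from_string(raw)
    indicators, block = [], False
    for name in attachment_names(msg):
        for reason in filename_verdict(name):
            indicators.append(f"attachment {name!r}: {reason}")
            block = True
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LOVGATE_SUBJECTS:
        indicators.append(f"subject matches worm template: {subject!r}")
    if LOVGATE_BODY_MARKER in body_text(msg).lower():
        indicators.append("body contains the worm's fake auto-reply text")
    return {"block": block, "indicators": indicators}


# Constructed sample: the auto-reply lure carrying one of the listed attachment names.
SAMPLE_LURE = """\
From: colleague@example.com
To: you@example.com
Subject: Re: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

======
can you send me the Q1 figures?
======
example.com account auto-reply:

If you can keep your head when all about you
... ... more look to the attachment.
> Get your FREE example.com now! <
--b1
Content-Type: application/octet-stream; name="Me_nude.AVI.pif"
Content-Disposition: attachment; filename="Me_nude.AVI.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample: a harmless message whose subject happens to be on the list.
SAMPLE_BENIGN = """\
From: alice@example.com
To: bob@example.com
Subject: Hi
Content-Type: text/plain; charset="us-ascii"

Lunch tomorrow?
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, scan_message(sample))
```

The split between blocking and indicators is deliberate: several of the subjects above ("Hi", "Help", "Great") are too common to block on, but they are worth logging alongside a hard block on executable and double-extension attachments, which is the rule that actually stops this family at the gateway.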

Running the virus
When executed, the worm copies itself to the %System% folder as:

  • IEXPLORE.EXE
  • kernel66.dll
  • NetServices.exe
  • RAVMOND.exe
  • WinDriver.exe
  • WinGate.exe
  • WinHelp.exe
  • winrpc.exe

The backdoor component may also be dropped to the %System% directory (multiple times with various filenames):

  • 111.dll
  • ily668.dll
  • reg678.dll
  • Task688.dll
This behavior was only observed in testing on Windows NT/2000 systems; the dropped file is 81,920 bytes long.

(Note: %System% is the Windows System folder, which is usually C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 on Windows XP.)

The following Registry values are added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    "run" = RAVMOND.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Program In Windows" = C:\WINNT\System32\IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Remote Procedure Call Locator" = RUNDLL32.EXE reg678.dll ondll_reg
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "WinGate initialize" = C:\WINNT\System32\WinGate.exe -remoteshell
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "WinHelp" = C:\WINNT\System32\WinHelp.exe
The following Registry value is modified to hook the opening of text files, so the worm runs whenever a .txt file is opened:
  • HKEY_CLASSES_ROOT\txtfile\shell\open\command
    (Default) = "winrpc.exe %1"

When executed on Windows NT/2000, the worm installs itself as two services, with the display names:

  • "Microsoft NetWork FireWall Services" (set to run the copy of the worm with the filename NETSERVICES.EXE)
  • "Windows Management Instrumentation Driver Extension" (set to run the copy of the worm with the filename WINDRIVER.EXE)
One of the dropped backdoor components (TASK688.DLL) is also installed as two services, with the following display names:

  1. ll_reg
  2. NetMeeting Remote Desktop (RPC) Sharing

The worm also modifies WIN.INI by adding a 'run' entry to the [windows] section:

[windows]
run=RAVMOND.exe
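
A host-triage check for the persistence and listener artifacts listed above, as an added example (not AVERT's or McAfee's tooling). It works on text collected from a suspect machine rather than on the live registry: a `reg export` of the Run keys and the txtfile handler, the contents of WIN.INI, and `netstat -an` output. The three inputs are constructed samples; the filenames and the port are the ones given in this description, and the `.reg` parser covers only the `[key]` / `"name"="data"` / `@="data"` subset that `reg export` writes for string values.

```python
# Worm filenames from the description, matched case-insensitively on the basename.
WORM_FILES = {
    "iexplore.exe", "kernel66.dll", "netservices.exe", "ravmond.exe",
    "windriver.exe", "wingate.exe", "winhelp.exe", "winrpc.exe",
    "111.dll", "ily668.dll", "reg678.dll", "task688.dll",
}
BACKDOOR_PORT = 20168


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse [key] headers and "name"="data" / @="data" lines into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files double every backslash inside quoted string data.
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def _referenced_files(command: str) -> set[str]:
    """Lower-cased basename of every token in a command line, path or not."""
    return {tok.rsplit("\\", 1)[-1].lower() for tok in command.replace('"', "").split()}


def check_registry(keys: dict[str, dict[str, str]]) -> list[str]:
    """Flag worm filenames in Run / 'run' startup values and in the .txt file handler."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        startup = k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\windows")
        handler = k.endswith("\\txtfile\\shell\\open\\command")
        if not (startup or handler):
            continue
        for name, data in values.items():
            refs = _referenced_files(data)
            if refs & WORM_FILES:
                hits.append(f"{key} -> {name} = {data}")
            elif handler and "notepad.exe" not in refs:
                hits.append(f"{key} -> unexpected .txt handler: {data}")
    return hits


def check_win_ini(text: str) -> list[str]:
    """Flag non-empty run=/load= lines in the [windows] section of WIN.INI."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            name, _, data = line.partition("=")
            if name.strip().lower() in ("run", "load") and data.strip():
                hits.append(f"WIN.INI [windows] {name.strip()}={data.strip()}")
    return hits


def check_netstat(text: str) -> list[str]:
    """Flag TCP listeners on the backdoor port in `netstat -an` output."""
    hits = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].upper() == "TCP" and cols[3].upper() == "LISTENING":
            if int(cols[1].rsplit(":", 1)[-1]) == BACKDOOR_PORT:
                hits.append(f"TCP listener on {cols[1]}")
    return hits


def triage(reg_text: str, win_ini: str, netstat: str) -> list[str]:
    """Every finding from the three collected artifacts."""
    return check_registry(parse_reg_export(reg_text)) + check_win_ini(win_ini) + check_netstat(netstat)


# Constructed samples of the three artifacts; SynTPEnh is a benign control entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"
"Remote Procedure Call Locator"="RUNDLL32.EXE reg678.dll ondll_reg"
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
"""
SAMPLE_WIN_INI = "[fonts]\n[windows]\nload=\nrun=RAVMOND.exe\nNullPort=None\n"
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20168          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1042       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_NETSTAT):
        print(finding)
```

Two caveats when using this on real collections: `reg export` writes UTF-16 with a BOM, so decode the file before handing it to `parse_reg_export`; and IEXPLORE.EXE is also the genuine browser's filename, so the indicator is specifically a copy under %System% (a production version should compare full paths, not just basenames, for that entry).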

Share propagation
The worm attempts to gain access to the IPC$ share on remote systems, first using the credentials of the currently logged-on user and then by a dictionary-style attack. The following passwords are used in the attack:

  • (no password)
  • 0
  • 1
  • 7
  • 12
  • 110
  • 111
  • 123
  • 321
  • 1234
  • 2002
  • 2003
  • 2600
  • 12345
  • 54321
  • 111111
  • 121212
  • 123123
  • 123456
  • 654321
  • 666666
  • 888888
  • 1234567
  • 11111111
  • 12345678
  • 88888888
  • 123456789
  • !@#$
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • 123abc
  • 123asd
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • abcdef
  • abcdefg
  • Admin
  • admin
  • admin123
  • administrator
  • alpha
  • asdf
  • asdfgh
  • computer
  • database
  • enable
  • god
  • godblessyou
  • guest
  • home
  • Internet
  • login
  • Login
  • love
  • mypass
  • mypass123
  • mypc
  • mypc123
  • oracle
  • owner
  • pass
  • passwd
  • Password
  • password
  • pc
  • pw
  • pw123
  • pwd
  • root
  • secret
  • server
  • sex
  • sql
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv
The worm then copies itself to all accessible shares using the following filenames:
  • 100 free essays school.pif
  • Age of empires 2 crack.exe
  • AN-YOU-SUCK-IT.txt.pif
  • Are you looking for Love.doc.exe
  • autoexec.bat
  • CloneCD + crack.exe
  • How To Hack Websites.exe
  • Mafia Trainer!!!.exe
  • MoviezChannelsInstaler.exe
  • MSN Password Hacker and Stealer.exe
  • netservices.exe
  • Panda Titanium Crack.zip.exe
  • Sex_For_You_Life.JPG.pif
  • SIMS FullDownloader.zip.exe
  • Star Wars II Movie Full Downloader.exe
  • The world of lovers.txt.exe
  • Winrar + crack.exe
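
A detection for the IPC$ password guessing described above, run over constructed security-log lines, as an added example (not AVERT's code). Trying the list above against IPC$ shows up on an NT/2000 target as a burst of network (logon type 3) logon failures from one workstation; a success from the same source while that burst is still in the window means one of the listed passwords was accepted. The event IDs are the NT/2000 ones (529 bad password, 539 lockout, 528 and 540 successful logons); the comma-separated line format is an assumption chosen for the example rather than any tool's native export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_EVENTS = {529, 539}   # bad password, account locked out (NT/2000 IDs)
SUCCESS_EVENTS = {528, 540}   # successful logon, successful network logon
NETWORK_LOGON = 3             # logon type used for SMB/IPC$ connections


def parse_line(line: str):
    """Split 'timestamp,event_id,account,workstation,logon_type' (constructed CSV)."""
    ts, event_id, account, workstation, logon_type = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, workstation, int(logon_type)


def detect_dictionary_attack(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert once per source when >= threshold network logon failures fall inside
    the window, and again if a success from that source follows while the burst
    is still inside the window (a guessed password was accepted)."""
    recent = defaultdict(deque)   # workstation -> failure timestamps inside the window
    bursting = set()              # workstations currently in a detected burst
    alerts = []
    for line in lines:
        ts, event_id, account, ws, ltype = parse_line(line)
        if ltype != NETWORK_LOGON:
            continue                      # console logons are not share brute force
        q = recent[ws]
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            bursting.discard(ws)          # burst aged out; a later success is unrelated
        if event_id in FAILURE_EVENTS:
            q.append(ts)
            if len(q) >= threshold and ws not in bursting:
                bursting.add(ws)
                alerts.append(f"{ts} burst: {len(q)} network logon failures from {ws} within {window.seconds}s")
        elif event_id in SUCCESS_EVENTS and ws in bursting:
            alerts.append(f"{ts} success after burst: {account} from {ws} (guessed password accepted)")
    return alerts


def constructed_log() -> list[str]:
    """Twelve rapid failures from one workstation, then a success, plus noise."""
    base = datetime(2003, 3, 24, 10, 15, 0)
    lines = ["2003-03-24 10:14:50,529,jsmith,HR-PC,3"]            # one typo, not an attack
    for i in range(12):
        lines.append(f"{base + timedelta(seconds=2 * i):%Y-%m-%d %H:%M:%S},529,Administrator,WORKSTATION7,3")
    lines.append(f"{base + timedelta(seconds=30):%Y-%m-%d %H:%M:%S},540,Administrator,WORKSTATION7,3")
    lines.append(f"{base + timedelta(seconds=31):%Y-%m-%d %H:%M:%S},529,bob,WORKSTATION7,2")  # console, ignored
    return lines


if __name__ == "__main__":
    for alert in detect_dictionary_attack(constructed_log()):
        print(alert)
```

The threshold is low on purpose: the list above has about ninety entries and the worm runs through them back to back, so ten type-3 failures from one source inside a minute is far outside normal user behaviour, and the "success after burst" alert is the one that tells you which share host to isolate first.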
Backdoor Component
The worm may drop a trojan component, detected by the 4254 DATs and higher as BackDoor-AQJ. When the worm is run with the -remoteshell parameter, the backdoor listens on TCP port 20168 and sends an email notification to the attacker that the computer has been compromised. The notification is addressed to the following recipients:
  • yf23668@163.com
  • hello_zyx@163.com
  • hello_dll@163.com
  • ab89d@yahoo.com.cn
Information about the infected machine is also sent to the attacker; this may include the system password.

Symptoms

- Presence of the aforementioned files
- System listening on TCP Port 20168
- A side effect of this threat may result in the virus being copied to print queues, resulting in many pages of binary data being printed out

Method of Infection

This worm spreads via email and via network shares.

Removal

All Users:
Use specified engine and DAT files for detection. Removal requires the 4.2.40 engine.

Modifications made to the system registry and/or INI files will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

A registry script is available to remove the registry values created by this threat (not required for 4.2.40 engine users when cleaning in the Windows environment).

A backdoor .DLL file is injected into the LSASS.EXE process, which prevents it from being deleted. This file will be detected as BackDoor-AQJ and removed with the 4.2.40 engine.

Stinger can be used to remove W32/Lovgate@M and BackDoor-AQJ completely, without requiring a reboot. However, the services created by the virus will appear in the Services Control Panel until the next reboot.

Variants

  • W32/Lovgate.g@M

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.HLLW.Lovgate.G@mm (Symantec)
  • W32/LovGate.F-m (MessageLabs)
  • Win32.Lovgate.F (CA)
  • WORM_LOVGATE.F (Trend)
