
W32/Lovgate.j@M

Type
Virus
SubType
Worm
Discovery Date
05/12/2003
Length
127,488 bytes
Infected files +176,648 bytes
Minimum DAT
4254 (03/26/2003)
Updated DAT
4907 (11/29/2006)
Minimum Engine
5.1.00
Description Added
05/13/2003
Description Modified
05/15/2003 11:48 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low


Characteristics

NB: This variant of W32/Lovgate is proactively detected as W32/Lovgate.gen@M with the 4254 DATs or greater (with scan compressed files enabled). The virus will be specifically identified as W32/Lovgate.j@M with the 4264 DATs.

This is a new variant of W32/Lovgate. It bears similarities to previous W32/Lovgate variants:

  • it copies itself over network shares
  • it mails itself, replying to unread messages in the Microsoft Outlook and Outlook Express inboxes
  • it drops a backdoor component (detected as BackDoor-AQJ)

However, this variant additionally infects executables on the victim machine (and on network shares).

Email propagation

The worm replies to unread messages in the Microsoft Outlook and Outlook Express inbox.

Email messages are constructed as for W32/Lovgate.f@M:

Subject: Re: Original subject
Body:

======
original message body
======
sender's domain account auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE sender's domain now! <

Attachment: (one of the following)

  • Britney spears nude.exe.txt.exe
  • Deutsch BloodPatch!.exe
  • dreamweaver MX (crack).exe
  • DSL Modem Uncapper.rar.exe
  • How to Crack all gamez.exe
  • I am For u.doc.exe
  • Industry Giant II.exe
  • joke.pif
  • Macromedia Flash.scr
  • Me_nude.AVI.pif
  • s3msong.MP3.pif
  • SETUP.EXE
  • Sex in Office.rm.scr
  • Shakira.zip.exe
  • StarWars2 - CloneAttack.rm.scr
  • the hardcore game-.pif
The worm also attempts to harvest email addresses from MAILTO links within *.HT* documents found on the infected system. It sends those recipients one of the following messages:

Subject: Reply to this!
Body: For further assistance, please contact!
Attachment: About_Me.txt.pif
or
Subject: Let's Laugh
Body: Copy of your message, including all the headers is attached.
Attachment: driver.exe
or
Subject: Last Update
Body: This is the last cumulative update.
Attachment: Doom3 Preview!!!.exe
or
Subject: For you
Body: Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
Attachment: enjoy.exe
or
Subject: Great
Body: Send reply if you want to be official beta tester.
Attachment: YOU_are_FAT!.TXT.pif
or
Subject: Help
Body: This message was created automatically by mail delivery software (Exim).
Attachment: Source.exe
or
Subject: Attached one Gift for u..
Body: It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
Attachment: nteresting.exe
or
Subject: Hi Dear
Body: Adult content!!! Use with parental advisory.
Attachment: README.TXT.pif
or
Subject: Hi
Body: Patrick Ewing will give Knick fans something to cheer about Friday night.
Attachment: images.pif
or
Subject: See the attachement
Body: Send me your comments...
Attachment: Pics.ZIP.scr

Installation

When executed, the worm drops multiple files on the victim machine, including multiple copies of itself:

  • c:\WINNT\DRWTSN16.EXE (infector stub: 49,152 bytes)
  • c:\WINNT\system32\IEXPLORE.EXE (copy of the worm: 127,488 bytes)
  • c:\WINNT\system32\RAVMOND.exe (copy of the worm: 127,488 bytes)
  • c:\WINNT\system32\WinDriver.exe (copy of the worm: 127,488 bytes)
  • c:\WINNT\system32\WinGate.exe (copy of the worm: 127,488 bytes)
  • c:\WINNT\system32\kernel66.dll (copy of the worm: 127,488 bytes)
  • c:\WINNT\system32\winexe.exe (copy of the worm: 127,488 bytes)
  • c:\WINNT\system32\winrpc.exe (copy of the worm: 127,488 bytes)
  • c:\WINNT\system32\winhelp.exe (copy of the worm: 127,488 bytes)
  • c:\WINNT\system32\Task688.dll (dropped BackDoor-AQJ: 59,392 bytes)
  • c:\WINNT\system32\ily668.dll (dropped BackDoor-AQJ: 59,392 bytes)
  • c:\WINNT\system32\reg678.dll (dropped BackDoor-AQJ: 59,392 bytes)
  • c:\WINNT\system32\win32vxd.dll (dropped BackDoor-AQJ: 32,768 bytes)

In the c:\WINNT\Temp folder there are also several files whose names consist of a random-length combination of letters, but which carry one of the following consistent extensions:

  • .rm.exe
  • .htm.exe
  • .dat.exe
  • .mp3.exe
  • .gif.exe
  • .jpg.exe
  • .doc.exe
  • .avi.exe
A network share "GAME" is created for the C:\WINNT\Temp folder. Its permissions are set to "Everyone --> Full Control".

The following registry keys are modified to reflect this share:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
"GAME" = C:\WINNT\TEMP

The following Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run" = RAVMOND.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Program In Windows" = C:\WINNT\System32\IEXPLORE.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Procedure Call Locator" = RUNDLL32.EXE reg678.dll ondll_reg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WinGate initialize" = C:\WINNT\System32\WinGate.exe -remoteshell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WinHelp" = C:\WINNT\System32\WinHelp.exe

The following Registry key is modified to hook the execution of text files:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = "winrpc.exe %1"

The following Registry key is modified to hook the execution of executable files:

HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = C:\WINNT\System32\winexe.exe "%1" %*
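The registry hooks above are the quickest artefacts to confirm from an exported hive. The following is an added example (not McAfee's tooling) that parses a `.reg` export and flags the Run entries, the rewritten `exefile`/`txtfile` open commands and the GAME share; the sample export is constructed and simplified, and the expected clean command strings are standard Windows defaults.

```python
"""Triage an exported registry (.reg) text for the persistence and file-association
hooks listed above.  Added example, not McAfee's code; the .reg sample is constructed
and simplified (real exports store Shares as REG_MULTI_SZ) to mimic an infected host."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHARES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares"
# Value names the description lists under the Run key.
RUN_NAMES = {"Program In Windows", "Remote Procedure Call Locator",
             "WinGate initialize", "WinHelp"}
# Clean defaults of the two shell\open\command keys the worm rewrites.
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}

def _unquote(data):
    """Undo .reg string quoting; non-string data (dword:, hex:) is kept raw."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data

def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: data}}, with '@' mapped to '(Default)'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current]["(Default)" if name == "@" else _unquote(name)] = _unquote(data)
    return keys

def triage(keys):
    """One finding per indicator from the description that is present in the export."""
    findings = []
    for key, clean in EXPECTED_COMMANDS.items():
        actual = keys.get(key, {}).get("(Default)")
        if actual is not None and actual.lower() != clean.lower():
            findings.append(f"hijacked {key} -> {actual}")
    for name in sorted(RUN_NAMES & set(keys.get(RUN_KEY, {}))):
        findings.append(f"Run value {name!r} -> {keys[RUN_KEY][name]}")
    if "GAME" in keys.get(SHARES_KEY, {}):
        findings.append(f"share GAME -> {keys[SHARES_KEY]['GAME']}")
    return findings

# Constructed sample export: one benign Run entry beside the worm's hooks.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\System32\\winexe.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"GAME"="C:\\WINNT\\TEMP"
'''
```

Running `triage(parse_reg(SAMPLE_REG))` on the sample yields four findings (both hijacked commands, the WinGate Run value and the GAME share) and none for the benign SystemTray entry.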

When executed on Windows NT/2000, the worm is intended to install itself as two services, with the display names:

  • "Microsoft NetWork FireWall Services" (set to run the copy of the worm with the filename NETSERVICES.EXE) - this service was not installed in testing.
  • "Windows Management Instrumentation Driver Extension" (set to run the copy of the worm with the filename WINDRIVER.EXE)

Additional services are installed for the dropped backdoor component. The following display names are used:

  1. ll_reg (set to run TASK688.dll)
  2. NetMeeting Remote Desktop (RPC) Sharing (set to run TASK688.dll) - not observed in testing.

Strings within the worm suggest it is intended to add a hook into the WIN.INI file (as per previous variants - see example hook below) but this was not observed in testing.

[windows]
run=RAVMOND.exe

Parasitic Infection

The virus parasitically infects PE files (on local and network drives) by prepending them with the infector stub (DRWTSN16.EXE) and appending a copy of the worm. In this manner a "3-file sandwich" is created:

INFECTOR STUB | ORIGINAL PE | COPY OF THE WORM

Infected files increase in size by 176,648 bytes.
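The layout above can be verified offline by locating every embedded MZ/PE header in a suspect file. The following is an added example (not McAfee's repair code) that does so with the sizes the description gives (49,152-byte stub, 127,488-byte worm copy, 176,648-byte growth) and carves the host executable back out; the infected file it analyses is constructed from minimal headers-only PE images.

```python
"""Locate the embedded PE headers of a STUB | ORIGINAL PE | WORM file and carve the
original out.  Added example, not McAfee's code; sizes are those in the description
and the sample file is constructed."""
STUB_LEN, WORM_LEN, GROWTH = 49152, 127488, 176648

def pe_header_offsets(data):
    """Offsets of every 'MZ' whose e_lfanew (at +0x3C) points at a 'PE\\0\\0' signature."""
    offsets, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets

def analyse_sandwich(data):
    """Report whether the file fits the 3-file layout and how large the host PE is."""
    offsets = pe_header_offsets(data)
    original_size = len(data) - GROWTH          # the description's fixed growth
    tail = [o for o in offsets if o >= STUB_LEN + original_size]   # worm-copy region
    matches = (original_size > 0 and 0 in offsets and STUB_LEN in offsets
               and bool(tail) and len(data) - tail[0] >= WORM_LEN)
    return {"pe_offsets": offsets, "original_size": original_size, "matches_layout": matches}

def carve_original(data):
    """Return the host executable's bytes, or None if the layout does not match."""
    report = analyse_sandwich(data)
    if not report["matches_layout"]:
        return None
    return data[STUB_LEN:STUB_LEN + report["original_size"]]

def fake_pe(size, tag):
    """Constructed minimal MZ/PE image of `size` bytes: headers only, zero-filled body."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE signature at 0x80
    img[0x80:0x84] = b"PE\0\0"
    img[0x84:0x84 + len(tag)] = tag
    return bytes(img)

def build_sample():
    """Constructed infected file: stub, a 1,000-byte host, worm copy, 8 extra bytes.
    The stated growth exceeds stub + worm by 8 bytes whose position the description
    does not give, so the layout check only requires the worm copy to fit in the tail."""
    return fake_pe(STUB_LEN, b"STUB") + fake_pe(1000, b"HOST") + fake_pe(WORM_LEN, b"WORM") + bytes(8)
```

A clean file (a single PE header and a size below the growth) is reported as not matching, so the check can be run across a directory of executables without flagging uninfected ones.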

Share propagation

The worm attempts to gain access to the IPC$ share on remote systems by using a dictionary-style attack, similarly to the W32/Lovgate.f@M variant.

If successful, the worm copies itself to all accessible shares, using various filenames, for example:

  • Are you looking for Love.doc.exe
  • autoexec.bat
  • The world of lovers.txt.exe
  • How To Hack Websites.exe
  • Panda Titanium Crack.zip.exe
  • Mafia Trainer!!!.exe
  • 100 free essays school.pif
  • AN-YOU-SUCK-IT.txt.pif
  • Sex_For_You_Life.JPG.pif
  • CloneCD + crack.exe
  • Age of empires 2 crack.exe
  • MoviezChannelsInstaler.exe
  • Star Wars II Movie Full Downloader.exe
  • Winrar + crack.exe
  • SIMS FullDownloader.zip.exe
  • MSN Password Hacker and Stealer.exe

Backdoor Component

The worm may drop a trojan component, which is detected by the 4254 DATs and higher as BackDoor-AQJ. The file is packed multiple times with ASPack, so detection requires scanning of compressed files to be enabled. When the worm is run with the -remoteshell parameter, the backdoor opens port 20168 on the computer and sends an email notification to the hacker that the computer has been compromised. The following address is hardcoded as the notification recipient:

  • hello_dll@163.com

(NB: additional email addresses may be used for notification - such addresses can be stored within configuration data and as such may vary)

Information about the infected machine is also sent to the hacker. This information may include the system password.

Symptoms

  • Presence of the files detailed above on the victim machine.
  • Port 20618 open (dropped backdoor component)
  • Increase in size of PE files (+176,648 bytes) upon infection
  • A network share called "GAME" created on the C:\WINNT\TEMP folder

Method of Infection

This worm spreads via email and network shares.

Removal

All Users:
Use the specified engine and DAT files for detection.

Complete removal requires the 4.2.40 engine.

As this virus infects executable files parasitically, manual removal is not feasible. The following steps should be taken when repairing an infected system.

  • Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode)
  • Run VirusScan and choose to clean all infected files
  • Restart the computer

Additional Windows ME/XP removal considerations

Variants

  N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • WORM_LOVGATE.J
