Content

W32/Lovsan.worm.d

Type
Virus
SubType
Internet Worm
Discovery Date
08/18/2003
Length
11,776 bytes (Aspacked)
Minimum DAT
4283 (08/06/2003)
Updated DAT
4323 (02/11/2004)
Minimum Engine
5.1.00
Description Added
08/18/2003
Description Modified
08/18/2003 4:24 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

This is a variant of W32/Lovsan.worm. It is functionally identical to the original variant. The worm is proactively detected as Exploit-DcomRpc trojan since 4283 DATs (with scanning of compressed files enabled).

Specific string content within the worm has been edited, thus modifying filename and Registry key details:

Filename

  • MSPATCH.EXE

Registry key

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Runon "Nonton Antivirus   " = mspatch.exe This is a patch to fixedRPC Problem! Y

The worm has been packed with Aspack.

NB: Due to the expected rash of copycat worms with minor edits of string content, users are reminded to ensure that the scanning of compressed files is enabled for optimal detection.

Symptoms

Presence of the following file in %WinDir%\System32 directory:

MSPATCH.EXE (11,776 bytes) (worm)

Method of Infection

See W32/Lovsan.worm description.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Blaster.worm.d

Characteristics

Characteristics -

This is a variant of W32/Lovsan.worm. It is functionally identical to the original variant. The worm is proactively detected as Exploit-DcomRpc trojan since 4283 DATs (with scanning of compressed files enabled).

Specific string content within the worm has been edited, thus modifying filename and Registry key details:

Filename

  • MSPATCH.EXE

Registry key

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Runon "Nonton Antivirus   " = mspatch.exe This is a patch to fixedRPC Problem! Y

The worm has been packed with Aspack.

NB: Due to the expected rash of copycat worms with minor edits of string content, users are reminded to ensure that the scanning of compressed files is enabled for optimal detection.

Symptoms

Symptoms -

Presence of the following file in %WinDir%\System32 directory:

MSPATCH.EXE (11,776 bytes) (worm)

Method of Infection

Method of Infection -

See W32/Lovsan.worm description.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A