W32/Lovgate.r@M

Type: Virus
SubType: Worm
Discovery Date: 03/22/2004
Length: 97,280 bytes
Minimum DAT: 4340 (03/22/2004)
Updated DAT: 4907 (11/29/2006)
Minimum Engine: 5.1.00
Description Added: 03/22/2004
Description Modified: 03/23/2004 9:25 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a new variant of W32/Lovgate. It bears the following characteristics:

  • drops a backdoor component (detected as BackDoor-AQJ with the 4339 DATs and above)
  • attempts to copy itself to poorly secured remote shares, scanning contiguous IP ranges for accessible IPC$ or ADMIN$ shares.

    Such copies of the worm may be enticingly named, or placed within ZIP or RAR archives. The worm carries a list of typical username/password combinations which it uses in attempting to gain write access to remote shares.
  • if it is able to access a remote share, it copies itself there as NETMANAGER.EXE and remotely executes itself as a service on the remote machine.
  • creates a share on the victim machine (share name "MEDIA").
  • mails itself, constructing messages with its own SMTP engine. The email attachment may be a ZIP archive. Mails are sent in reply to email messages found on the victim machine.

Proactive Detection

This worm is detected as "virus or variant W32/Sluter.worm.gen" with the 4298 DATs or greater, provided scanning of compressed files is enabled. Precise detection as W32/Lovgate.r@MM is provided by the DATs specified above.

The backdoor component dropped by this worm is detected as BackDoor-AQJ with the 4339 DATs or greater.

Symptoms

  • Existence of the files/Registry keys detailed under Method of Infection
  • In attempting to copy itself to poorly secured network shares (IPC$ and ADMIN$), the worm generates a significant amount of network traffic. It scans contiguous IP ranges (on port 445) looking for accessible shares, brute-forcing access with the usernames/passwords it carries.
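
Detecting the traffic pattern described above, as an added example that is not part of the McAfee description: the connection records are constructed, and the log format and the thresholds (5 distinct hosts on 445, a run of 4 consecutive addresses) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall-style records, "<time> <src> -> <dst>:<dport> <action>".
# 10.0.5.23 walks 10.0.7.x on port 445 the way the description says the worm
# does; 10.0.1.9 is ordinary file-server traffic.
SAMPLE_LOG = """\
09:00:01 10.0.5.23 -> 10.0.7.1:445 DENY
09:00:01 10.0.5.23 -> 10.0.7.2:445 DENY
09:00:01 10.0.5.23 -> 10.0.7.3:445 ALLOW
09:00:02 10.0.5.23 -> 10.0.7.4:445 DENY
09:00:02 10.0.5.23 -> 10.0.7.5:445 DENY
09:00:02 10.0.5.23 -> 10.0.7.6:445 DENY
09:00:02 10.0.5.23 -> 10.0.7.8:445 DENY
09:00:03 10.0.5.23 -> 10.0.7.9:445 DENY
09:00:05 10.0.1.9 -> 10.0.7.3:445 ALLOW
09:00:06 10.0.1.9 -> 10.0.2.40:445 ALLOW
09:00:07 10.0.1.9 -> 10.0.7.3:139 ALLOW
"""

def parse(log):
    """Yield (src, dst_address, dport) from each record of the assumed format."""
    for line in log.splitlines():
        _time, src, _arrow, target, _action = line.split()
        dst, port = target.rsplit(":", 1)
        yield src, ipaddress.ip_address(dst), int(port)

def longest_run(addrs):
    """Length of the longest run of consecutive IP addresses in addrs."""
    nums = sorted(int(a) for a in addrs)
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_smb_sweepers(log, min_targets=5, min_run=4):
    """Return {src: (distinct_445_targets, longest_consecutive_run)} for sources
    that hit >= min_targets hosts on 445 including >= min_run consecutive IPs."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport == 445:
            targets[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        run = longest_run(dsts)
        if len(dsts) >= min_targets and run >= min_run:
            hits[src] = (len(dsts), run)
    return hits
```

The contiguous-run requirement is what separates this sweep from a busy legitimate client that talks to many unrelated servers on 445.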

Method of Infection

When the worm is executed, various files are dropped on the system. The following are copies of the worm (97,280 bytes):

  • %SysDir%\IEXPLORE.EXE
  • %SysDir%\kernel66.dll
  • %SysDir%\RAVMOND.exe
  • %WinDir%\SYSTRA.EXE
  • C:\COMMAND.EXE

An AUTORUN.INF file is also dropped to C:\, intended to run COMMAND.EXE via the Windows auto-run feature.

The following DLLs are also dropped (all identical). This is the remote access component (detected as BackDoor-AQJ):

  • %SysDir%\msjdbc11.dll
  • %SysDir%\MSSIGN30.DLL
  • %SysDir%\ODBC16.dll

A copy of the worm (with a COM, EXE, PIF or SCR extension, and one of the filenames below) in a RAR or ZIP archive may also be added to the root of C:\, for example:

  • c:\pass.RAR
  • c:\bak.zip

The following filenames are used by the worm (for the archive and/or the filename of the worm within):

  • pass
  • bak
  • password
  • email
  • book
  • letter
  • important
  • work

The following Registry keys are added in order to run the worm at system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = RAVMOND.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Program In Windows" = %SysDir%\IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "SystemTra" = %WinDir%\SysTra.EXE

The following key is added to run the backdoor component at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg

The backdoor component is also installed as two services on the victim machine, bearing the following characteristics:

Service 1
Display name: _reg
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

Service 2
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server. Performs scheduled scans for LANguard.
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

The following Registry keys house the services information:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)

If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:

  • ADMIN$\SYSTEM32\NETMANAGER.EXE

and remotely executing it as a service. The service bears the following characteristics:

Display name: Windows Management Network Service Extensions
ImagePath: NetManager.exe -exe_start
Startup: Automatic

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Lovgate.p (AVP)
  • Win32.Lovgate.T (CA Vet)
  • WORM_LOVEGATE.Q (Trend)
