W32/Lovgate.x@MM!122880

Type
Virus
SubType
E-mail worm
Discovery Date
05/06/2004
Length
122,880
Minimum DAT
4359 (05/10/2004)
Updated DAT
4359 (05/10/2004)
Minimum Engine
5.1.00
Description Added
05/06/2004
Description Modified
05/11/2004 4:40 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection is for a multiply packed version of W32/Lovgate.x@MM. It is detected as W32/Lovgate.x@MM with the 4359 DATs.

Proactive detection:

  • This virus drops backdoor components which are detected as BackDoor-AQJ since the 4339 DATs.
  • Two unpacked copies of the worm are dropped, which are detected as W32/Lovgate.x@MM since the 4352 DATs.

It bears the following characteristics:

  • Drops a backdoor component (detected as BackDoor-AQJ with the 4339 DATs and above)
  • Attempts to copy itself to poorly secured remote shares, scanning contiguous IP ranges and seeking accessible IPC$ or ADMIN$ shares.
  • If it is able to access a remote share, it copies itself there as NETMANAGER.EXE and remotely installs itself as a service on the remote machine.
  • Creates a share on the victim machine (share name "MEDIA").
  • Mails itself, constructing messages with its own SMTP engine. The email attachment may be a ZIP archive. Mails are sent in reply to email messages found on the victim machine.
  • Renames the extensions of EXE files to ZMX.
  • Terminates certain processes.

The backdoor component dropped by this worm is detected as BackDoor-AQJ with the 4339 DATs or greater.

Symptoms

When the worm is executed, various files are dropped on the system. The following are copies of the worm (122,880 bytes):

  • %SysDir%\IEXPLORE.EXE
  • %SysDir%\kernel66.dll
  • %SysDir%\hxdef.exe
  • %SysDir%\RAVMOND.exe
  • %WinDir%\SYSTRA.EXE
  • C:\COMMAND.EXE

An AUTORUN.INF file is also dropped in the root of all drives, intended to run COMMAND.EXE via the Windows auto-run feature.

The following two files are also dropped into the %SysDir% folder:

  • Netmeeting.exe
  • Spollsv.exe

Both files are 61,440 bytes in size (they are not packed).

The following DLLs are also dropped (all identical). This is the remote access component (detected as BackDoor-AQJ since the 4339 DATs):

  • %SysDir%\msjdbc11.dll
  • %SysDir%\mssign30.dll
  • %SysDir%\odbc16.dll
  • %SysDir%\Lmmib20.dll

A copy of the worm (with a COM, EXE, PIF or SCR extension, and one of the filenames below) in a RAR or ZIP archive may also be added to the root of C:\, for example:

  • c:\pass.RAR
  • c:\bak.zip

The following Registry keys are added in order to run the worm at system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\
    Windows NT\CurrentVersion\Windows
    "run" = RAVMOND.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Hardware Profile" = %SysDir%\hxdef.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Microsoft Netmeeting Associates, Inc." = Netmeeting.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Program In Windows" = %SysDir%\IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    runServices "SystemTra" = %WinDir%\SysTra.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    runServices "SystemTra" = %Sysdir%\Spollsv.exe

The following keys are added to run the backdoor component at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "VFW Encoder/Decoder Settings" =
    RUNDLL32.EXE MSSIGN30.DLL ondll_reg
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Protected Storage" =
    RUNDLL32.EXE MSSIGN30.DLL ondll_reg

The backdoor component is also installed as services on the victim machine, bearing the following characteristics:

Service 1
Display name:
_reg
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

Service 2
Display name:
Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server. Performs scheduled scans for LANguard.
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

The following Registry keys house the services information:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows
    Management Protocol v.0 (experimental)

Network Propagation

If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:

  • ADMIN$\SYSTEM32\NETMANAGER.EXE

and remotely executing it as a service. The service bears the following characteristics:

Display name: Windows Management Network Service Extensions
ImagePath: NetManager.exe -exe_start
Startup: Automatic

Email propagation

The worm replies to unread messages in Microsoft Outlook and Outlook Express inboxes and deletes the messages after responding to them.

Attachment: (Can be any of the following)

  • the hardcore game-.pif
  • ex in Office.rm.scr
  • Deutsch BloodPatch!.exe
  • s3msong.MP3.pif
  • e_nude.AVI.pif
  • How to Crack all gamez.exe
  • Macromedia Flash.scr
  • SETUP.EXE
  • Shakira.zip.exe
  • dreamweaver MX (crack).exe
  • StarWars2 - CloneAttack.rm.scr
  • Industry Giant II.exe
  • DSL Modem Uncapper.rar.exe
  • joke.pif
  • Britney spears nude.exe.txt.exe
  • I am For u.doc.exe

Subject: Re: Original subject

When constructing messages using its own SMTP engine:

Subject can be any of the following:

  • hi
  • hello
  • Hello
  • Mail transaction Failed
  • mail delivery system
  • Server Report
  • Status

Body of the message could be any of the following:

  • Mail  failed.  For further assistance, please contact!
  • The message contains Unicode characters and has been sent as a binary attachment.
  • It's the long-awaited film version of the Broadway hit. The  message  sent as  a binary attachment.

Attachment: (could be a randomly constructed string with one of the following extensions):

  • EXE
  • PIF
  • SCR
  • ZIP

Termination of Processes

It also searches running processes for the following list of strings, and kills those it finds:

  • rising
  • SkyNet
  • Symantec
  • McAfee
  • Gate
  • Rfw.exe
  • RavMon.exe
  • kill
  • NAV
  • Duba
  • KAV
  • KV

The worm looks for EXE files on the system and renames their extensions to *.ZMX. It then copies itself using the original EXE filename.

e.g., Explorer.exe becomes Explorer.zmx. The worm then copies itself as Explorer.exe, so every time Windows Explorer is invoked the worm runs instead.
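One way to triage a host for the EXE-to-ZMX swap described above, as an added example that is not part of the original description: a .zmx file whose sibling .exe is exactly 122,880 bytes (the packed worm size given on this page) is treated as a hit. The directory layout and file contents are constructed in a temporary folder so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Size of the packed worm body stated in the description (bytes).
WORM_SIZE = 122880


def find_zmx_swaps(root):
    """Return sorted (replaced_exe, zmx_backup) pairs found under root.

    The worm renames foo.exe to foo.zmx and then copies itself as foo.exe,
    so a .zmx file beside a .exe of exactly WORM_SIZE bytes is a strong
    indicator. A .zmx with no .exe sibling, or a sibling of another size,
    is reported only by a full scanner, not by this quick check.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".zmx"):
                continue
            zmx = Path(dirpath) / name
            exe = zmx.with_suffix(".exe")
            if exe.is_file() and exe.stat().st_size == WORM_SIZE:
                hits.append((str(exe), str(zmx)))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: one swapped program, one untouched program,
    and one stray .zmx without an .exe sibling (should not be reported)."""
    root = tempfile.mkdtemp(prefix="lovgate_demo_")
    prog = Path(root) / "Program Files" / "Demo"
    prog.mkdir(parents=True)
    (prog / "Explorer.zmx").write_bytes(b"M" * 4096)          # renamed original
    (prog / "Explorer.exe").write_bytes(b"\x00" * WORM_SIZE)   # worm-sized replacement
    (prog / "notepad.exe").write_bytes(b"\x00" * 1000)         # untouched program
    (prog / "orphan.zmx").write_bytes(b"x")                     # no .exe sibling
    return root


if __name__ == "__main__":
    for exe, zmx in find_zmx_swaps(build_sample_tree()):
        print(f"suspect: {exe} (original renamed to {zmx})")
```

On a real host, point find_zmx_swaps at the system and program directories and verify any hit with current DATs before restoring the .zmx original over the replaced .exe.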

Method of Infection

  • This worm spreads via email.

  • In attempting to copy itself to poorly secured network shares (IPC$ and ADMIN$), the worm generates a significant amount of network traffic. It scans contiguous IP ranges (on port 445) looking for accessible shares (brute-forcing them with the usernames/passwords it carries).

Removal

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Users may need to remove the share named Media if the virus created it.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
