W32/Lovgate.ab@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 05/14/2004
Length: 118,272 bytes (packed); 108,544 bytes (packed)
Minimum DAT: 4361 (05/18/2004)
Updated DAT: 4907 (11/29/2006)
Minimum Engine: 5.1.00
Description Added: 05/14/2004
Description Modified: 06/15/2006 12:54 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update May 18, 2004 --
The risk assessment of this threat has been upgraded to Medium due to an increase in prevalence.

If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From: address.

-- Update May 18, 2004 --
Another repackage of this W32/Lovgate variant has been received. This is functionally the same as that described below, but the file size is now 108,544 bytes (the file is multiply packed).

Again, the backdoor component this variant drops is already detected as BackDoor-AQJ since the 4339 DATs.
--

This new variant of W32/Lovgate is packed multiple times.

Proactive detection:
The dropped backdoor component (multiple copies of the same file) is detected as BackDoor-AQJ since the 4339 DATs.

Like its predecessors, this worm bears the following characteristics:

  • drops a backdoor component
  • attempts to copy itself to accessible or poorly secured remote shares, scanning contiguous IP ranges, seeking accessible IPC$ or ADMIN$ shares.
  • creates a share on the victim machine (share name "MEDIA").
  • mails itself, constructing messages using its own SMTP engine. The email attachment may be a ZIP archive. Additionally, mails may be sent in reply to email messages found on the victim machine (via MAPI).
  • performs companion virus infection of EXE files (replacing original file with a copy of itself, and renaming original with a .ZMX extension).
  • terminates processes associated with various AV and security products

Symptoms

When the worm is executed, various files are dropped on the system. The following are copies of the worm (118,272 bytes):

  • %WinDir%\System32\IEXPLORE.EXE
  • %WinDir%\System32\KERNEL66.DLL
  • %WinDir%\System32\RAVMOND.exe
  • %WinDir%\SYSTRA.EXE
  • C:\COMMAND.EXE

An AUTORUN.INF file is also dropped in the root of all drives, intended to run COMMAND.EXE via the Windows auto-run feature.

The following DLLs are also dropped (all identical). This is the remote access component (detected as BackDoor-AQJ since the 4339 DATs):

  • %WinDir%\System32\MSJDBC11.DLL
  • %WinDir%\System32\MSSIGN30.DLL
  • %WinDir%\System32\ODBC16.DLL
  • %WinDir%\System32\LMMIB20.DLL

A copy of the worm in a ZIP archive (which may itself have a .ZIP or .RAR extension) may also be dropped to the root of local and mapped drives. The archive will contain a copy of the worm with a COM, EXE, PIF or SCR extension. The archive may have various filenames, for example:

  • password
  • email
  • book
  • letter
  • bak
  • work
  • Important

The following Registry keys are added in order to run the worm at system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = RAVMOND.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Program In Windows" = %SysDir%\IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices "SystemTra" = %WinDir%\SYSTRA.EXE

The following keys are added to run the backdoor component at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Protected Storage" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg

The backdoor component is also installed as two services on the victim machine, the services bearing the following characteristics:

Service 1
Display name: _reg
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

Service 2
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server. Performs scheduled scans for LANguard.
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

The following Registry keys house the services information:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)
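
The following PowerShell script is an added example, not McAfee's tooling or part of this write-up: it performs a read-only triage of one Windows host for the artefacts listed above (the dropped files, the startup values, the two backdoor service keys, a service running either rundll32 export or NetManager.exe, the "MEDIA" share, and an AUTORUN.INF that launches COMMAND.EXE). It assumes the standard %WinDir% and %WinDir%\System32 locations and an elevated prompt.

```powershell
# Added example (not McAfee's tooling): read-only triage of one Windows host for
# the W32/Lovgate.ab@MM artefacts described in this write-up. Run elevated.
$sys = Join-Path $env:WINDIR 'System32'
# Copies of the worm and the identical backdoor DLLs (BackDoor-AQJ)
$files = @(
    (Join-Path $sys 'IEXPLORE.EXE'),   # the real browser does not live in System32
    (Join-Path $sys 'KERNEL66.DLL'),
    (Join-Path $sys 'RAVMOND.exe'),
    (Join-Path $env:WINDIR 'SYSTRA.EXE'),
    'C:\COMMAND.EXE',
    (Join-Path $sys 'MSJDBC11.DLL'),
    (Join-Path $sys 'MSSIGN30.DLL'),
    (Join-Path $sys 'ODBC16.DLL'),
    (Join-Path $sys 'LMMIB20.DLL')
)
# Startup values the worm and backdoor add (the value names are the indicator)
$runValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'run' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Program In Windows' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'SystemTra' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'VFW Encoder/Decoder Settings' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Protected Storage' }
)
# Service keys for the backdoor (the first is also what the Compliance Profiler rule checks)
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\_reg',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)'
)
$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}
foreach ($rv in $runValues) {
    $item = Get-ItemProperty -Path $rv.Path -Name $rv.Name -ErrorAction SilentlyContinue
    if ($item) { $findings.Add("startup value: $($rv.Path)\$($rv.Name) = $($item.($rv.Name))") }
}
foreach ($k in $serviceKeys) {
    if (Test-Path -LiteralPath $k) {
        $img = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("service key: $k (ImagePath: $img)")
    }
}
# Catch the backdoor or the NetManager service under any key name via the command line it runs
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'ondll_server|NetManager\.exe\s+-exe_start' } |
    ForEach-Object { $findings.Add("service by image path: $($_.Name) -> $($_.PathName)") }
# The "MEDIA" share the worm creates
if (Get-CimInstance Win32_Share -Filter "Name='MEDIA'") { $findings.Add('share present: MEDIA') }
# AUTORUN.INF in the root of each fixed drive that launches COMMAND.EXE
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
    $inf = Join-Path $d.DeviceID 'AUTORUN.INF'
    if ((Test-Path -LiteralPath $inf) -and (Select-String -LiteralPath $inf -Pattern 'COMMAND\.EXE' -Quiet)) {
        $findings.Add("autorun.inf launching COMMAND.EXE: $inf")
    }
}

if ($findings.Count -eq 0) { 'No W32/Lovgate.ab@MM artefacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any single line is worth confirming with the current DATs or Stinger before acting, since a legitimate product could in principle reuse one of the file names.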

Termination of Processes

The worm terminates any running processes that match one of the following strings:

  • rising
  • SkyNet
  • Symantec
  • McAfee
  • Gate
  • Rfw.exe
  • RavMon.exe
  • kill
  • NAV
  • Duba
  • KAV
  • KV

Method of Infection

Email propagation

This virus mails itself in two ways: constructing its own messages using its built-in SMTP engine, or replying to messages on the local system using MAPI.

When constructing messages using its own SMTP engine, target email addresses are harvested from files on the victim machine. The worm avoids mailing itself to addresses containing any of a list of strings it carries.

The From: address is spoofed. It may be one of the harvested email addresses, or constructed using random characters or one of the following forenames the worm carries, followed by a domain:

  • sandra
  • linda
  • julie
  • jimmy
  • jerry
  • helen
  • debby
  • claudia
  • brenda
  • anna
  • alice
  • brent
  • adam
  • ted
  • fred
  • jack
  • bill
  • stan
  • smith
  • steve
  • matt
  • dave
  • dan
  • joe
  • jane
  • bob
  • robert
  • peter
  • tom
  • ray
  • mary
  • serg
  • brian
  • jim
  • maria
  • leo
  • jose
  • andrew
  • sam
  • george
  • david
  • kevin
  • mike
  • james
  • michael
  • alex
  • john

The message may be constructed with various subject and message bodies. The attachment is as described below.

Attachment: The worm may be attached with one of the following file extensions:

  • EXE
  • SCR
  • PIF
  • CMD
  • BAT

Additionally, the attachment may be a copy of the worm within a ZIP archive (with either a RAR or ZIP extension). In this case, the worm within the archive may have a double extension, which may contain many spaces (e.g. .HTM      .EXE).

The worm will attempt a DNS query for potential SMTP servers it can use to send the message. It bases these on the domain of the target email address, prepending the following for the DNS query:

  • gate.
  • ns.
  • relay.
  • mail1.
  • mxs.
  • mx1.
  • smtp.
  • mail.
  • mx.

Additionally, the worm can also reply to unread messages in Microsoft Outlook and Outlook Express inboxes (using MAPI). It deletes the messages after responding to them. Messages are formatted as follows:

Subject: Re: (original subject)

Attachment: Can be any of the following:

  • the hardcore game-.pif
  • Sex in Office.rm.scr
  • Deutsch BloodPatch!.exe
  • s3msong.MP3.pif
  • Me_nude.AVI.pif
  • How to Crack all gamez.exe
  • Macromedia Flash.scr
  • SETUP.EXE
  • Shakira.zip.exe
  • dreamweaver MX (crack).exe
  • StarWars2 - CloneAttack.rm.scr
  • Industry Giant II.exe
  • DSL Modem Uncapper.rar.exe
  • joke.pif
  • Britney spears nude.exe.txt.exe
  • I am For u.doc.exe
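
As an added example (not from this write-up or McAfee), the PowerShell function below scores an attachment name against the mailing patterns described above: a directly executable extension, a decoy double extension such as Me_nude.AVI.pif, whitespace padding before the real extension, an archive-looking name that is really an executable, and archive attachments whose single member should be checked. The sample names at the end are constructed for the demonstration.

```powershell
# Added example (not McAfee's code): flag attachment names that match the
# W32/Lovgate.ab@MM mailing patterns, for a gateway rule or mail-log review.
$execExt  = 'exe', 'scr', 'pif', 'cmd', 'bat', 'com'
$archExt  = 'zip', 'rar'
$decoyExt = 'htm', 'html', 'txt', 'doc', 'jpg', 'mp3', 'avi', 'rm'   # benign-looking first extensions seen above

function Test-LovgateAttachmentName {
    param([Parameter(Mandatory)][string]$Name)
    $reasons = New-Object System.Collections.Generic.List[string]
    $n = $Name.Trim()
    # Real (final) extension, ignoring any whitespace padding before the last dot
    $last = ($n -split '\.')[-1].Trim().ToLower()

    if ($execExt -contains $last) {
        $reasons.Add("directly executable attachment (.$last)")
        # Decoy double extension such as Me_nude.AVI.pif or "file.HTM      .EXE"
        if ($n -match '\.(\w+)\s*\.\w+$' -and $decoyExt -contains $Matches[1].ToLower()) {
            $reasons.Add("decoy extension .$($Matches[1]) before .$last")
        }
        # Padding pushes the real extension past the visible column in a mail client
        if ($n -match '\s{2,}\.\w+$') { $reasons.Add('whitespace padding before final extension') }
        # Shakira.zip.exe style: looks like an archive, runs as a program
        if ($n -match '\.(zip|rar)\s*\.\w+$') { $reasons.Add("archive-looking name ending in .$last") }
    }
    elseif ($archExt -contains $last) {
        $reasons.Add('archive attachment: check for a single COM/EXE/PIF/SCR member')
    }
    [pscustomobject]@{
        Name       = $Name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample names, several taken from the lists above; only the .xlsx comes back clean
$samples = 'Me_nude.AVI.pif', 'report.HTM      .EXE', 'Shakira.zip.exe',
           'quarterly-figures.xlsx', 'password.rar', 'SETUP.EXE'
$samples | ForEach-Object { Test-LovgateAttachmentName -Name $_ } | Format-Table -AutoSize -Wrap
```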

P2P/Folder Propagation

The worm copies itself to directories using the following filenames (peer-to-peer applications such as KaZaa and Limewire may use such folders as shared folders, making the virus accessible to others):

  • Thank you.doc.exe
  • 3D Flash Animator.rar.bat
  • SWF Browser2.93.txt.exe
  • Download.exe
  • Panda  Crack.zip.exe
  • WinRAR V3.2.0 Beta 2.exe
  • Swish2.00.pif
  • AAdobe Photoshop7.0 creak.pif
  • You_Life.JPG.pif
  • CloneCD crack.exe
  • WinZip v9.0 Beta Build 5480 crack.exe
  • Real-DRAW PRO v3.10.exe
  • Star Wars Downloader.exe
  • HyperSnap-DX v5.20.01.exe
  • Adobe Photoshop6.0.zip.exe
  • HyperSnap-DX v4.51.01.exe

Network Propagation

The worm attempts to connect to remote shares (IPC$ and ADMIN$), using a list of usernames and passwords it carries. If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:

  • ADMIN$\SYSTEM32\NETMANAGER.EXE

and remotely executing it as a service. The service bears the following characteristics:

Display name: Windows Management NetWork Service Extensions
ImagePath: NetManager.exe -exe_start
Startup: Automatic

Companion virus infection

The worm replaces EXE files (on mapped network drives) with a copy of itself, and renames the original file with a .ZMX extension.

Removal

All Users
Use the specified DAT files for detection and removal.

Stinger
Stinger has been updated to include detection and removal of this threat.

Additional Windows ME/XP removal considerations

McAfee ThreatScan
ThreatScan signatures that can detect the W32/Lovgate.ab virus are available from:

ThreatScan Signature version: 2004-05-19
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
    -or-
  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

  • Run the "ThreatScan Template Report"
  • Look for module number #4074

ThreatScan users can proactively detect systems vulnerable to remote infection by this virus by running a Resource Discovery Task with the "Windows Open Share" option enabled, and looking for accessible IPC$ or ADMIN$ shares. Note that a share named "MEDIA" may be a symptom of an infected machine.

McAfee System Compliance Profiler
Create a rule that matches a registry key:

  • Select HKEY_LOCAL_MACHINE from the drop-down box
  • Next to the drop-down box, enter SYSTEM\CurrentControlSet\Services\_reg
  • Skip the next field
  • In the next drop-down box, select "Registry key does not exist"

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.LovGate.ac (Kaspersky)
  • LoveGate.AL Worm (iDefense)
  • W32.Lovgate.W@mm (Symantec)
  • W32/Lovgate-AB (Sophos)
  • W32/Lovgate.ab@MM!zip
  • Win32.HLLM.Lovgate.8 (Dialogue Science)
  • Win32.Lovgate.AF (CA VET)
  • WORM_LOVGATE.AB (Trend)
