W32/Lovgate.ad@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 07/01/2004
Length: 152,064 bytes
Minimum DAT: 4372 (07/02/2004)
Updated DAT: 4907 (11/29/2006)
Minimum Engine: 5.1.00
Description Added: 07/02/2004
Description Modified: 08/16/2004 12:48 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update August 16th, 2004 --
The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
--

-- Update 2nd July, 2004 --
The risk assessment of this threat has been upgraded to medium due to an increase in prevalence.

If you think that you may be infected with this threat and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products can detect and remove the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

--

This new variant of W32/Lovgate is packed multiple times.

As with earlier variants, the backdoor component this variant drops has been detected as BackDoor-AQJ since the 4339 DATs.

Like its predecessors, this worm bears the following characteristics:

  • drops a backdoor component
  • attempts to copy itself to accessible or poorly secured remote shares, scanning contiguous IP ranges for reachable IPC$ or ADMIN$ shares
  • creates a share on the victim machine (share name "MEDIA")
  • mails itself, constructing messages with its own SMTP engine; the email attachment may be a ZIP archive. It may also send itself in reply to email messages found on the victim machine (via MAPI)
  • performs companion virus infection of EXE files (replacing the original file with a copy of itself and renaming the original with a .ZMX extension)
  • terminates processes associated with various AV and security products

This variant also uses the RPC Interface Buffer Overflow (7.17.03) vulnerability, also known as MS03-026, to infect other machines on the network.

Symptoms

When the worm is executed, various files are dropped on the system. The following are copies of the worm (152,064 bytes):

  • %WinDir%\System32\IEXPLORE.EXE
  • %WinDir%\System32\KERNEL66.DLL
  • %WinDir%\System32\RAVMOND.exe
  • %WinDir%\System32\HXDEF.EXE
  • %WinDir%\System32\UPDATE_OB.EXE
  • %WinDir%\System32\TKBELLEXE.EXE
  • %WinDir%\SYSTRA.EXE
  • %WinDir%\SVCHOST.EXE.EXE
  • C:\COMMAND.EXE

An AUTORUN.INF file is also dropped in the root of all drives, intended to run COMMAND.EXE via the Windows auto-run feature.

The following DLLs are also dropped (all identical). This is the remote access component (detected as BackDoor-AQJ since the 4339 DATs):

  • %WinDir%\System32\MSJDBC11.DLL
  • %WinDir%\System32\MSSIGN30.DLL
  • %WinDir%\System32\ODBC16.DLL
  • %WinDir%\System32\LMMIB20.DLL

A copy of the worm in a ZIP archive (which may itself have a .ZIP or .RAR extension) may also be dropped to the root of local and mapped drives. The archive will contain a copy of the worm with a COM, EXE, PIF or SCR extension. The archive may have various filenames, for example:

  • password
  • email
  • book
  • letter
  • bak
  • work
  • Important

The following Registry keys are added in order to run the worm at system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = RAVMOND.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Hardware Profile" = %SysDir%\HXDEF.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinHelp" = %SysDir%\IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Program In Windows" = %SysDir%\IEXPLORE.EXE

The following Registry keys are created so that the worm starts additional services:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices "SystemTra" = %WinDir%\SYSTRA.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices "COMM++System" = %WinDir%\SVCHOST.EXE

The following keys are added to run the backdoor component at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Protected Storage" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg

The backdoor component is also installed as two services on the victim machine, with the following characteristics:

Service 1
Display name: _reg
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

Service 2
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server. Performs scheduled scans for LANguard.
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

The following Registry keys house the service information:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)
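The startup values and service ImagePaths listed above can be checked offline from a regedit export of a suspect host. The following is an added example, not McAfee's tooling; it assumes the export is in regedit's text format (REG_EXPAND_SZ values arrive as hex(2) UTF-16LE bytes) and uses a constructed sample rather than data from a real host.

```python
# Scan a regedit export (.reg text) for the W32/Lovgate.ad@MM persistence entries above.
import re

# Value names the worm writes under Run / RunServices / "Windows" (from the page), lower-cased.
LOVGATE_VALUE_NAMES = {"run", "hardware profile", "winhelp", "program in windows", "systemtra",
                       "comm++system", "vfw encoder/decoder settings", "protected storage",
                       "microsoft netmeeting associates, inc."}
# Dropped images named on the page; a startup value is flagged only when name AND image match.
LOVGATE_IMAGES = ("ravmond.exe", "hxdef.exe", "iexplore.exe", "systra.exe", "svchost.exe.exe",
                  "mssign30.dll", "msjdbc11.dll", "netmeeting.exe", "netmanager.exe")
STARTUP_KEY_RE = re.compile(r"\\(run|runservices|windows)$", re.I)
SERVICE_KEY_RE = re.compile(r"\\currentcontrolset\\services\\[^\\]+$", re.I)


def _decode_value(raw):
    """String form of a .reg value payload, or None for types we do not inspect."""
    if raw.startswith('"') and raw.endswith('"'):              # REG_SZ
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("hex(2):"):                               # REG_EXPAND_SZ, UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    return None                                                 # dword:, hex: (binary), ...


def parse_reg_export(text):
    """Yield (key_path, value_name, string_data) from regedit export text."""
    key, pending = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):                 # hex data continued on the next line
            pending.append(line[:-1].strip())
            continue
        line, pending = "".join(pending + [line]), []
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            data = _decode_value(raw.strip())
            if data is not None:
                yield key, name, data


def find_lovgate_entries(text):
    """Return [(key, name, data)] matching the page's startup values and service ImagePaths."""
    hits = []
    for key, name, data in parse_reg_export(text):
        image_hit = any(img in data.lower() for img in LOVGATE_IMAGES)
        startup = STARTUP_KEY_RE.search(key) and name.lower() in LOVGATE_VALUE_NAMES
        service = SERVICE_KEY_RE.search(key) and name.lower() == "imagepath"
        if image_hit and (startup or service):
            hits.append((key, name, data))
    return hits


# Constructed export: worm Run values beside a legitimate ctfmon entry, plus the "_reg" service.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinHelp"="C:\\WINDOWS\\System32\\IEXPLORE.EXE"
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg]
"DisplayName"="_reg"
"ImagePath"=hex(2):52,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,\
  78,00,65,00,20,00,6d,00,73,00,6a,00,64,00,62,00,63,00,31,00,31,00,2e,00,64,00,\
  6c,00,6c,00,20,00,6f,00,6e,00,64,00,6c,00,6c,00,5f,00,73,00,65,00,72,00,76,00,\
  65,00,72,00,00,00
"Start"=dword:00000002
'''
```

Requiring both a known value name and a known image keeps a legitimate Run entry (such as ctfmon.exe) from being flagged.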

Companion virus infection

The worm replaces EXE files (on mapped network drives) with a copy of itself, and renames the original file with a .ZMX extension.
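Because the companion infection keeps the original beside the worm copy, the damage is reversible when the .EXE is exactly the worm's size. The following is an added example, not McAfee's cleaner; it assumes the affected share tree is mounted locally, quarantines worm copies under a .lovgate suffix chosen here, and builds its sample tree in a temporary directory.

```python
# Restore EXE files that W32/Lovgate.ad@MM replaced, using the .ZMX original left beside them.
import os
import tempfile

WORM_SIZE = 152064  # length of the worm body as given in this description


def find_companion_pairs(root):
    """Return [(exe_path, zmx_path, restorable)] for every *.ZMX under root.

    Restorable means an EXE of exactly the worm's size sits beside the .ZMX;
    any other combination is listed for manual review but never touched."""
    pairs = []
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}      # share names are case-insensitive
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".zmx":
                continue
            exe_name = by_lower.get(stem.lower() + ".exe")
            exe = os.path.join(dirpath, exe_name or stem + ".exe")
            restorable = exe_name is not None and os.path.getsize(exe) == WORM_SIZE
            pairs.append((exe, os.path.join(dirpath, name), restorable))
    return pairs


def restore_originals(root, dry_run=True):
    """Move each worm copy aside (suffix .lovgate, a name chosen here) and rename the .ZMX back."""
    restored = []
    for exe, zmx, restorable in find_companion_pairs(root):
        if not restorable:
            continue
        if not dry_run:
            os.replace(exe, exe + ".lovgate")   # keep the worm body for the scanner / evidence
            os.replace(zmx, exe)
        restored.append(exe)
    return restored


def build_sample_tree():
    """Constructed tree: one infected pair, one orphan .zmx, one untouched exe."""
    root = tempfile.mkdtemp(prefix="lovgate-demo-")
    os.makedirs(os.path.join(root, "tools"))
    with open(os.path.join(root, "tools", "Backup.exe"), "wb") as f:
        f.write(b"\0" * WORM_SIZE)                  # stand-in for the worm copy
    with open(os.path.join(root, "tools", "Backup.ZMX"), "wb") as f:
        f.write(b"MZ original program")            # stand-in for the renamed original
    with open(os.path.join(root, "notes.zmx"), "wb") as f:
        f.write(b"orphan: no exe beside it")
    with open(os.path.join(root, "clean.exe"), "wb") as f:
        f.write(b"MZ untouched")
    return root


def demo():
    """Run the cleanup on the constructed tree and report what happened."""
    root = build_sample_tree()
    before = find_companion_pairs(root)
    restored = restore_originals(root, dry_run=False)
    with open(restored[0], "rb") as f:
        content = f.read()
    return {"pairs_before": len(before), "restorable_before": sum(p[2] for p in before),
            "restored": len(restored), "restored_content": content,
            "worm_quarantined": os.path.isfile(restored[0] + ".lovgate"),
            "pairs_after": len(find_companion_pairs(root))}
```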

Termination of Processes

It also searches running processes for the following list of strings, and kills those it finds:

  • rising
  • SkyNet
  • Symantec
  • McAfee
  • Gate
  • Rfw.exe
  • RavMon.exe
  • kill
  • Duba

Method of Infection

Mail propagation

This virus mails itself in two ways: constructing its own messages using its built-in SMTP engine, or replying to messages on the local system using MAPI.

When constructing messages using its own SMTP engine, target email addresses are harvested from files on the victim machine. The worm avoids mailing itself to addresses containing any of a list of strings it carries.

The worm replies to unread messages in Microsoft Outlook and Outlook Express inboxes and deletes the messages after responding to them.

Subject: Re: Original subject
Body:

======
original message body
====== 
Mail auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.


> Get your FREE YAHOO.COM Mail now! <

As for constructing messages using its own SMTP engine:

Subject can be any of the following:

  • hi
  • hello
  • Hello
  • Mail transaction Failed
  • mail delivery system

Body of the message could be any of the following:

  • Mail  failed.  For further assistance, please contact!
  • The message contains Unicode characters and has been sent as a binary attachment.
  • It's the long-awaited film version of the Broadway hit. The  message  sent as  a binary attachment.

Attachment: a randomly constructed filename with one of the following extensions:

  • EXE
  • PIF
  • SCR
  • ZIP
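A mail gateway can combine the subject, body and attachment templates above, and the MAPI auto-reply layout, into one heuristic. The following is an added example, not McAfee's or the worm's code; the three messages are constructed, and the threshold of two matching reasons is an assumption.

```python
# Score an inbound message against the W32/Lovgate.ad@MM mail templates in this description.
import email
from email import policy

SMTP_SUBJECTS = {"hi", "hello", "mail transaction failed", "mail delivery system"}
# Body fragments from the page, whitespace-normalised (the originals carry double spaces).
BODY_FRAGMENTS = ("mail failed. for further assistance, please contact",
                  "sent as a binary attachment", "mail auto-reply:",
                  "more look to the attachment")
ATTACH_EXT = (".exe", ".pif", ".scr", ".zip")


def _normalise(text):
    return " ".join(text.split()).lower()


def classify_message(raw):
    """Return (score, reasons); two or more reasons marks a likely Lovgate mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = _normalise(msg["subject"] or "")
    reasons, bodies, attachments = [], [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            bodies.append(part.get_content())
    body = _normalise(" ".join(bodies))
    if subject in SMTP_SUBJECTS:
        reasons.append("subject is a worm template: %r" % subject)
    hit = next((f for f in BODY_FRAGMENTS if f in body), None)
    if hit:
        reasons.append("body carries worm text: %r" % hit)
    for name in attachments:
        if name.lower().endswith(ATTACH_EXT):
            reasons.append("executable-class attachment: %r" % name)
    if subject.startswith("re:") and "mail auto-reply:" in body:
        reasons.append("matches the MAPI auto-reply layout")
    return len(reasons), reasons


# Constructed messages: one SMTP-engine style, one MAPI auto-reply style, one benign.
SMTP_MAIL = """\
Subject: Mail transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail  failed.  For further assistance, please contact!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.pif"

constructed placeholder, not a real binary
--b1--
"""

REPLY_MAIL = """\
Subject: Re: quarterly numbers
Content-Type: text/plain

======
original message body
======
Mail auto-reply:
... ... more look to the attachment.
"""

BENIGN_MAIL = "Subject: Re: Lunch\nContent-Type: text/plain\n\nSure, noon works.\n"
```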

Network Propagation

The worm attempts to connect to remote shares (IPC$ and ADMIN$) using a list of usernames and passwords it carries. If it is able to copy itself to a remote share, it attempts to execute itself remotely. It does this by copying itself as:

  • ADMIN$\SYSTEM32\NETMANAGER.EXE

and remotely executing it as a service. The service bears the following characteristics:

Display name: Windows Management NetWork Service Extensions
ImagePath: NetManager.exe -exe_start
Startup: Automatic

It attempts to gain access to computers on the network by logging in as Administrator with any of the following passwords:

  • Guest
  • Administrator
  • zxcv
  • yxcv
  • test123
  • test
  • temp123
  • temp
  • sybase
  • super
  • secret
  • pw123
  • Password
  • owner
  • oracle
  • mypc123
  • mypc
  • mypass123
  • mypass
  • love
  • login
  • Login
  • Internet
  • home
  • godblessyou
  • enable
  • database
  • computer
  • alpha
  • admin123
  • Admin
  • abcd
  • 88888888
  • 2600
  • 2004
  • 2003
  • 123asd
  • 123abc
  • 123456789
  • 1234567
  • 123123
  • 121212
  • 11111111
  • 00000000
  • 000000
  • pass
  • 54321
  • 12345
  • password
  • passwd
  • server
  • asdfgh
  • asdf
  • 1234
  • root
  • abc123
  • 12345678
  • abcdefg
  • abcdef
  • 888888
  • 666666
  • 111111
  • admin
  • administrator
  • guest
  • 654321
  • 123456

It creates a network share named "Media" and drops the following files into C:\%Windir%\Media\:

  • WinRAR.exe
  • Internet Explorer.bat
  • Documents and Settings.txt.exe
  • Microsoft Office.exe
  • Windows Media Player.zip.exe
  • Support Tools.exe
  • Window
  • Update.pif
  • Cain.pif
  • MSDN.ZIP.pif
  • autoexec.bat
  • findpass.exe
  • client.exe
  • i386.exe
  • winhlp32.exe
  • xcopy.exe
  • mmc.exe

RPCDCOM Exploit

When the worm is initially executed it drops two files (61,440 bytes) into the %WinDir%\System32\ folder as:

  • SPOLLSV.EXE (detected as W32/Lovgate.x@MM since the 4352 DATs)
  • NETMEETING.EXE (detected as W32/Lovgate.x@MM since the 4352 DATs)

These files are FTP server components which run a script to download a file called HXDEF.EXE, a copy of the worm itself. The worm is executed automatically after it has been downloaded.

The worm uses the RPC Interface Buffer Overflow (7.17.03) vulnerability, also known as MS03-026, to propagate to vulnerable machines on the network. It creates an FTP script ('a') on the remote host and executes FTP.EXE. The FTP script instructs the target victim to download and execute the worm (with the filename HXDEF.EXE) from the infected host.

The following registry key is created so that Netmeeting.exe is executed at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "Microsoft NetMeeting Associates, Inc." = NetMeeting.exe

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to include detection and removal of this threat.

Sniffer Customers
Filters have been developed that will look for Lovgate.ad traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

McAfee System Compliance Profiler:
Create a registry rule:

  • In the drop-down box, select HKEY_LOCAL_MACHINE
  • In the next field, type in the path SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • In the next field, type in the name WinHelp
  • In the next drop-down box, select "Registry value does not exists"

McAfee ThreatScan:
ThreatScan signatures that can detect the W32/Lovgate.ad virus are available from:

ThreatScan Signature version: 2004-07-02

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
    -or-
  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

  • Run the "ThreatScan Template Report"
  • Look for module number #4076

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Lovgate.ae (AVP)
  • W32.Lovgate.Y@mm (SYMANTEC)
  • WORM_LOVGATE.Y (Trend)
