Sophos

W32/Lovgate-F


Summary

Affected operating systems: Windows
Included in our products from: August 2004 (3.84)
Protection available since: 5 July 2004 14:39:57 (GMT)
Last updated: 6 August 2004 12:24:05 (GMT)
Detected by: All Sophos products

More Information

W32/Lovgate-F is a mass mailing and network worm. When started the worm copies itself to the root folder as COMMAND.EXE, to the Windows folder as SYSTRA.EXE and to the Windows system folder as IEXPLORE.EXE, kernel66.dll (hidden) and RAVMOND.exe.

W32/Lovgate-F also creates a file AUTORUN.INF in the root folder and msjdbc11.dll, MSSIGN30.DLL and ODBC16.dll in the Windows system folder (which are detected by Sophos as W32/Lovgate-V).

This worm may also drop itself into the Windows system folder using a random name as well as two FTP server components, SPOLLSV.EXE and NETMEETING.EXE.

In order to auto-start the worm sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile = C:\<Windows system>\hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Program In Windows = C:\<Windows system>\IEXPLORE.EXE
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Shell Extension = C:\<Windows system>\spollsv.exe
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = C:\<Windows system>\realsched.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\runServices\
COM++ System = suchost.exe
SystemTra = C:\<Windows>\SysTra.EXE

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run = RAVMOND.exe

A new INI file named TWAIN_32.DLL may be created in the Windows folder which will contain the following parameter in the Windows section:

run=RAVMOND.exe

The following registry entry may also be changed to execute this worm before opening a text file:

HKCR\txtfile\shell\open\command\
"" = %1

W32/Lovgate-F will also create the following registry branches:

HKLM\SYSTEM\CurrentControlSet\Services\_reg\

HKLM\SYSTEM\CurrentControlSet\Services\
Windows Management Protocol v.0 (experimental)\
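The auto-start entries above can be checked offline against a registry export. As an added example (not Sophos code), the Python scanner below parses a constructed .reg snippet and flags the Lovgate-F value names, payload file names and the hijacked txtfile handler; the key paths, value names and file names come from the description, everything else is assumed.

```python
"""Scan a Windows registry export (.reg text) for the W32/Lovgate-F auto-start
entries above. Added example, not Sophos code; SAMPLE_REG is constructed."""
import re
# Value names and payload file names taken from the auto-start entries above.
RUN_VALUE_NAMES = {"Hardware Profile", "Microsoft NetMeeting Associates, Inc.",
                   "Program In Windows", "Protected Storage", "Shell Extension",
                   "VFW Encoder/Decoder Settings", "WinHelp", "COM++ System",
                   "SystemTra"}
# iexplore.exe is omitted (same name as the real browser); its value name catches it.
PAYLOADS = {"hxdef.exe", "netmeeting.exe", "mssign30.dll", "spollsv.exe",
            "realsched.exe", "suchost.exe", "systra.exe", "ravmond.exe"}
AUTOSTART_KEYS = (r"\software\microsoft\windows\currentversion\run",
                  r"\software\microsoft\windows\currentversion\runservices",
                  r"\software\microsoft\windows nt\currentversion\windows")

def scan_reg_export(text):
    """Return (key, value_name, data) triples matching Lovgate-F persistence."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]           # new key section
            continue
        m = re.match(r'(@|"[^"]*")="(.*)"$', line)
        if key is None or m is None:   # header, blank or non-string value
            continue
        name = "(default)" if m.group(1) == "@" else m.group(1).strip('"')
        data = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
        in_autostart = any(key.lower().endswith(k) for k in AUTOSTART_KEYS)
        if in_autostart and (name in RUN_VALUE_NAMES
                             or any(p in data.lower() for p in PAYLOADS)):
            findings.append((key, name, data))
        # A txtfile handler of bare "%1" runs the file itself instead of an editor.
        elif key.lower().endswith(r"\txtfile\shell\open\command") \
                and name == "(default)" and data.strip() == "%1":
            findings.append((key, name, data))
    return findings

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows"="C:\\WINDOWS\\system32\\IEXPLORE.EXE"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"COM++ System"="suchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%1"
'''
```

Calling scan_reg_export(SAMPLE_REG) returns five findings; the benign ctfmon.exe entry is not reported.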

The worm copies itself to other folders using the following names:

Support Tools.exe
xcopy.exe
Windows Media Player.zip.exe
winhlp32.exe
Documents and Settings.txt.exe
WindowsUpdate.pif
findpass.exe
WinRAR.exe
MSDN.ZIP.pif
mmc.exe
Internet Explorer.bat
Microsoft Office.exe
client.exe
WindowsUpdate.pif
autoexec.bat
i386.exe
Cain.pif

W32/Lovgate-F also attempts to spread via weakly protected remote shares by connecting using passwords from an internal dictionary. This worm can also exploit a vulnerability explained in the Microsoft Knowledge Base article 827363 (Microsoft Security Bulletin MS03-039) to run code with system privileges on remote computers.

This worm can copy itself into remote Windows system folders as NETMANAGER.EXE and execute this file as a service named 'Windows Management Network Service Extensions'. An FTP script named 'a' is created which instructs the remote host to download the worm from the infected machine and execute it.

W32/Lovgate-F spreads by email. Email addresses are harvested from WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system. This worm will spoof the sender's email address.

This worm will also attach itself to outgoing email messages using randomly generated names or one of the following:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
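The attachment names above share one pattern: an executable extension, usually hidden behind a document or media extension. As an added example (not Sophos code), the Python filter below classifies attachment names that way; the sample names are taken from the list above plus one constructed benign name.

```python
"""Flag mail attachment names of the kind W32/Lovgate-F uses: an executable
extension, often behind a decoy document/media extension. Added example, not
Sophos code; SAMPLE_NAMES mixes names from the list above with a constructed one."""
import os

EXECUTABLE = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd"}
DECOY = {".txt", ".doc", ".zip", ".rar", ".mp3", ".avi", ".rm", ".jpg"}

def classify_attachment(name):
    """Return None for an unremarkable name, otherwise a short reason string."""
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in EXECUTABLE:
        return None
    inner = os.path.splitext(base)[1].lower()   # extension before the real one
    if inner in DECOY:
        return "executable disguised as %s" % inner
    if inner in EXECUTABLE:
        return "double executable extension"
    return "executable attachment"

SAMPLE_NAMES = ["Sex in Office.rm.scr", "Britney spears nude.exe.txt.exe",
                "joke.pif", "quarterly-report.pdf", "Shakira.zip.exe"]

def triage(names):
    """Map each flagged name to its reason; clean names are left out."""
    return {n: classify_attachment(n) for n in names if classify_attachment(n)}
```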
