The termination of the anti-viral processes.
The existence of a temporary directory, shared under the name GAME, containing files with various extensions.
The BitDefender Virus Analyse Team has released a free removal tool for this particular virus. It detects all the known LovGate versions (A, B, C, D, E, G, H, J, K).
Important: You will have to close all applications (including the antivirus shields) before running the tool and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender Antilovgate tool does the following:
it deletes the files created by the virus;
it disinfects the files infected by the virus;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
Mihai Chiriac BitDefender Virus Researcher
These are new variants of the Win32.LovGate worm. These versions share functionality and code with the previous versions, but have many new features:
1) Termination of anti-viral processes. The worm enumerates all running programs and checks their names against the following list:
If a process' name matches, it will be terminated.
2) It makes copies of itself with random names and double extensions in a temporary directory and shares that directory under the name GAME. All the files have the .exe extension, but some systems may not display it. Instead, a fake extension is displayed: .txt, .jpg, .mp3, .htm, .avi, .doc, .gif, .dat.
3) It tries to hook file execution by overwriting the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command. When a file is executed, the worm gets control and proceeds to infect it.
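The registry hook above is a host indicator a responder can check directly: Windows itself stores `"%1" %*` in the exefile open command, and any program placed in front of `"%1"` runs every time the user launches an executable. The following check is an added example, not part of the BitDefender tool or of the original write-up; it parses captured command values (for example exported from several hives) and reports whatever has been interposed. The sample values are constructed and the worm's real dropped path is replaced by a placeholder, since the page does not give it.

```python
import shlex
from typing import Dict, Optional

# Value Windows itself writes to HKEY_CLASSES_ROOT\exefile\shell\open\command.
# Anything placed in front of "%1" runs before the file the user double-clicked,
# which is how the worm described above gets control of every execution.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'


def interposed_handler(command_value: str) -> Optional[str]:
    """Return the program inserted ahead of "%1" in an exefile open command,
    or None when the value is the untouched Windows default.

    Tokenising with posix=False keeps Windows-style quoting intact, so a
    quoted path containing spaces stays a single token.
    """
    tokens = shlex.split(command_value, posix=False)
    unquoted = [t.strip('"') for t in tokens]
    if unquoted == ['%1', '%*']:
        return None
    if '%1' in unquoted:
        prefix = tokens[:unquoted.index('%1')]
    else:
        # No "%1" at all: the handler ignores the chosen file entirely.
        prefix = tokens
    return ' '.join(prefix) if prefix else command_value


def audit_exefile_commands(values: Dict[str, str]) -> Dict[str, str]:
    """Check several captured open-command values (one per exported hive,
    say) and return {label: interposed program} for those that deviate."""
    findings = {}
    for label, value in values.items():
        program = interposed_handler(value)
        if program is not None:
            findings[label] = program
    return findings


# Constructed sample values: a clean default and two hypothetical hijacked
# forms. PLACEHOLDER paths stand in for a dropped file not named on this page.
SAMPLE_VALUES = {
    'clean':       '"%1" %*',
    'hijacked':    r'C:\WINDOWS\PLACEHOLDER_WORM.exe "%1" %*',
    'hijacked_sp': r'"C:\Program Files\PLACEHOLDER\loader.exe" "%1" %*',
}

if __name__ == '__main__':
    for label, program in audit_exefile_commands(SAMPLE_VALUES).items():
        print(f'{label}: exefile handler interposed by {program}')
```

Restoring the default value is only half the cleanup: the interposed program itself still has to be removed, and the audit output names it so it can be collected for analysis first.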
4) This version of the worm is a fast-infector: it drops the file Drwtsn16.exe to the Windows directory and spawns it. The spawned process infects executable files using the FindFirst/FindNext technique.
5) The infection technique is classic, at least for high-level language programs: a special temporary file is created, and then a loader, the original file and the worm itself are written to that temporary file. If the infection step completes successfully, the worm deletes the original file and replaces it with the infected one.
6) The worm looks for files matching the pattern .ht* and searches them for email addresses. It then forges an email message that looks like a reply and attaches a copy of itself under one of the names:
I am For u.doc.exe,
Britney spears nude.exe.txt.exe,
DSL Modem Uncapper.rar.exe,
Industry Giant II.exe,
StarWars2 - CloneAttack.rm.scr,
dreamweaver MX (crack).exe,
How to Crack all gamez.exe,
Sex in Office.rm.scr,
the hardcore game-.pif
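Both the GAME share described in point 2 and the attachment names above rely on the same trick: a harmless-looking extension placed just before the real executable one, so that a system hiding known extensions shows "I am For u.doc" rather than "I am For u.doc.exe". The scanner below is an added example, not BitDefender's tool or code from the original write-up, that flags such names and shows what the user would have seen. The decoy extensions come from the page; .com, .bat and .cmd are added as further well-known executable extensions, and the share paths are constructed.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Extensions Windows executes directly. The page names .exe, .scr and .pif;
# .com, .bat and .cmd are added here as further well-known ones.
EXECUTABLE_EXTS = {'.exe', '.scr', '.pif', '.com', '.bat', '.cmd'}

# Harmless-looking extensions the worm puts in front of the real one, taken
# from the GAME share description and the attachment names on the page.
DECOY_EXTS = {'.txt', '.jpg', '.mp3', '.htm', '.avi', '.doc', '.gif', '.dat',
              '.rar', '.rm'}


def spoofed_extension(path: str) -> Optional[Tuple[str, str]]:
    """Return (decoy, real) when a name ends in an executable extension
    preceded by a decoy one, e.g. ('.doc', '.exe'); otherwise None.

    ntpath understands both '\\' and '/' separators, so the same code works
    when the scan runs on a non-Windows analysis host.
    """
    name = ntpath.basename(path).lower()
    stem, real = ntpath.splitext(name)
    if real not in EXECUTABLE_EXTS:
        return None
    _, decoy = ntpath.splitext(stem)
    if decoy not in DECOY_EXTS:
        return None
    return decoy, real


def displayed_name(path: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types':
    only the last extension is dropped, so the decoy extension stays visible."""
    return ntpath.splitext(ntpath.basename(path))[0]


def scan_names(paths: List[str]) -> Dict[str, str]:
    """Map each spoofed filename to the name the user would have seen."""
    return {p: displayed_name(p) for p in paths if spoofed_extension(p)}


# Constructed inputs: two hypothetical GAME share entries, attachment names
# from the page, and a benign document for contrast.
SAMPLE_NAMES = [
    r'\\SERVER\GAME\readme.txt.exe',    # hypothetical share entry
    r'\\SERVER\GAME\holiday.jpg.exe',   # hypothetical share entry
    'I am For u.doc.exe',
    'DSL Modem Uncapper.rar.exe',
    'StarWars2 - CloneAttack.rm.scr',
    'Industry Giant II.exe',            # executable, but not disguised
    'the hardcore game-.pif',           # likewise
    'quarterly-report.doc',             # benign document
]

if __name__ == '__main__':
    for path, shown in scan_names(SAMPLE_NAMES).items():
        print(f'{shown!r} is really {path!r}')
```

Names with a single executable extension are deliberately left out of the report: they are not disguised, and a mail gateway or share audit normally handles them with a plain extension block rather than a spoofing check.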
7) It finds email addresses in the user's Inbox folder, and the infected mails sent to those addresses contain the following short poem:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... more look to the attachment.