My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.LovGate.G/H/J/K@mm

HIGH
MEDIUM
127488 bytes
(I-Worm.Supnot)

Symptoms

  • The termination of the anti-viral processes.
  • The existence of a shared temporary directory containing files with GAME name and various extensions.
  • Removal instructions:

    The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

    Important: You will have to close all applications before running the
    tool (including the antivirus shields) and to restart the computer afterwards.
    Additionally you'll have to manually delete the infected files located in archives
    and the infected messages from your mail client.


    The BitDefender Antilovgate tool does the following:
  • it detects all the known LovGate versions (A, B, C, D, E, G, H, J, K);

  • it deletes the files created by the virus;

  • it disinfects the files infected by the virus;

  • it kills the process from memory;

  • it repairs the Windows registry.


  • You may also need to restore the affected files.

    Analyzed By

    Mihai Chiriac BitDefender Virus Researcher

    Technical Description:

    These are new variants of the Win32.LovGate worm. These versions share functionality and code with the previous versions, but have many new features:

    1) Termination of anti-viral processes. The worm enumerates all running programs and checks their names against the following list:

    KV
    KAV
    Duba
    NAV
    kill
    RavMon.exe
    Rfw.exe
    Gate
    McAfee
    Symantec
    SkyNet
    rising

    If a process' name matches, it will be terminated.

    2) It makes copies of itself with random name and double extension to a temporary directory and shares it under the name GAME. All the files have the .exe extension but some systems may not display it. Instead, a fake extension is displayed : .txt, .jpg, .mp3, .htm, .avi, .doc, .gif, .dat.

    3) It tries to hook file execution, by overwriting the registry key
    HKEY_CLASSES_ROOT\exefile\shell\open\command. When a file is executed, the worm
    gets control and proceeds infecting it.

    4) This version of the worm is a fast-infector, as it drops the file Drwtsn16.exe to the
    windows directory and spawns it. The spawned process infects the executable files using the FindFirst/FindNext technique.

    5) The infection technique is classic, at least for high level language programs : a special temporary file is created, and then a loader, the original file and the worm itself are written to the temporary file. When (and if) the infection process went ok, the worm deletes the original file and replaces it with the infected one.

    6) The worm tries to find files matching the .ht[wildcard] and searches for email addresses. Then the worm forges the email message to look like a reply. Then it attaches a copy of itself under one of the names:
    I am For u.doc.exe,
    Britney spears nude.exe.txt.exe,
    joke.pif,
    DSL Modem Uncapper.rar.exe,
    Industry Giant II.exe,
    StarWars2 - CloneAttack.rm.scr,
    dreamweaver MX (crack).exe,
    Shakira.zip.exe,
    SETUP.EXE,
    Macromedia Flash.scr,
    How to Crack all gamez.exe,
    Me_nude.AVI.pif,
    s3msong.MP3.pif,
    Deutsch BloodPatch!.exe,
    Sex in Office.rm.scr,
    the hardcore game-.pif

    7) It finds email addresses in user's Inbox folder, and the infected mails sent to those addresses contains the following small poem:
    If you can keep your head when all about you
    Are losing theirs and blaming it on you;
    If you can trust yourself when all men doubt you,
    But make allowance for their doubting too;
    If you can wait and not be tired by waiting,
    Or, being lied about, don't deal in lies,
    Or, being hated, don't give way to hating,
    And yet don't look too good, nor talk too wise;
    ... more look to the attachment.