Win32.LovGate.F@mm

HIGH
LOW
Size: 107008 bytes
Alias: I-Worm.Supnot.F

Symptoms

- The following files are present in the Windows System folder: kernel66.dll, Netservices.exe, RAVMOND.exe, WinGate.exe, WinDriver.exe, WinHelp.exe, winrpc.exe, iky668.dll, reg678.dll, task688.dll, 111.dll.
- On Windows 9x systems the worm adds the line "run=ravmond.exe" to win.ini.
- The registry key HKLM\...\CurrentVersion\Run contains the values:
  "run" = RavMonD.exe
  "Program in Windows" = %SYSTEMDIR%\iexplore.exe
  "Remote procedure Call Locator" = RUNDLL32.EXE reg678.dll ondll_reg
  "WinGate initialize" = %SYSTEMDIR%\WinGate.exe -remoteshell
  "WinHelp" = %SYSTEMDIR%\WinHelp.exe
- The registry key HKCR\txtfile\shell\open\command contains:
  "(Default)" = winrpc.exe %1
  (the worm is therefore started every time a .txt file is opened, with the opened file passed as its argument)
- The system listens on TCP port 20168.
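The indicators above can be checked mechanically. The following is an added example, not code from the Bitdefender page or from the removal tool: it takes a snapshot of a host (file names in the Windows System folder, the values under the Run key, the txtfile open command, listening TCP ports and the lines of win.ini) and reports every symptom from the list that matches. The snapshot structure and the two sample hosts are constructed for the example; comparisons are case-insensitive because Windows file names and registry data are.

```python
# Added example (not part of the advisory): offline check of a host snapshot
# against the Win32.LovGate.F@mm symptoms. The HostSnapshot layout is an
# assumption of this example; fill it from the machine you are examining.
from dataclasses import dataclass, field

# Indicators from the Symptoms section, lower-cased for comparison.
DROPPED_FILES = {
    "kernel66.dll", "netservices.exe", "ravmond.exe", "wingate.exe",
    "windriver.exe", "winhelp.exe", "winrpc.exe", "iky668.dll",
    "reg678.dll", "task688.dll", "111.dll",
}
RUN_VALUES = {
    "run": "ravmond.exe",
    "program in windows": "%systemdir%\\iexplore.exe",
    "remote procedure call locator": "rundll32.exe reg678.dll ondll_reg",
    "wingate initialize": "%systemdir%\\wingate.exe -remoteshell",
    "winhelp": "%systemdir%\\winhelp.exe",
}
TXTFILE_HIJACK = "winrpc.exe"      # HKCR\txtfile\shell\open\command starts with this
LISTEN_PORT = 20168
WIN_INI_RUN = "run=ravmond.exe"    # Windows 9x only


@dataclass
class HostSnapshot:
    system_files: set = field(default_factory=set)     # names in %SYSTEMDIR%
    run_key: dict = field(default_factory=dict)        # HKLM\...\Run: name -> data
    txtfile_command: str = ""                          # HKCR\txtfile\shell\open\command
    listening_tcp: set = field(default_factory=set)    # listening TCP ports
    win_ini_lines: list = field(default_factory=list)  # lines of win.ini


def _norm(s: str) -> str:
    """Lower-case and collapse whitespace: Windows names are case-insensitive."""
    return " ".join(s.lower().split())


def check_host(snap: HostSnapshot) -> list:
    """Return one finding string per matched indicator; an empty list means clean."""
    findings = []
    for name in sorted(snap.system_files):
        if name.lower() in DROPPED_FILES:
            findings.append(f"dropped file: {name}")
    for name, data in snap.run_key.items():
        expected = RUN_VALUES.get(_norm(name))
        if expected is not None and _norm(data) == expected:
            findings.append(f"run key value: {name} = {data}")
    # File-association hijack: every .txt open starts the worm with the file as %1.
    if _norm(snap.txtfile_command).startswith(TXTFILE_HIJACK):
        findings.append(f"txtfile open command hijacked: {snap.txtfile_command}")
    if LISTEN_PORT in snap.listening_tcp:
        findings.append(f"backdoor listener on tcp/{LISTEN_PORT}")
    for line in snap.win_ini_lines:
        if _norm(line) == WIN_INI_RUN:
            findings.append(f"win.ini: {line.strip()}")
    return findings


# Constructed sample snapshots (not real captures).
INFECTED = HostSnapshot(
    system_files={"kernel32.dll", "RAVMOND.exe", "WinGate.exe", "reg678.dll"},
    run_key={
        "run": "RavMonD.exe",
        "WinGate initialize": "%SYSTEMDIR%\\WinGate.exe -remoteshell",
        "SoundMan": "SOUNDMAN.EXE",
    },
    txtfile_command="winrpc.exe %1",
    listening_tcp={135, 445, 20168},
)
CLEAN = HostSnapshot(
    system_files={"kernel32.dll", "notepad.exe"},
    run_key={"SoundMan": "SOUNDMAN.EXE"},
    txtfile_command="%SystemRoot%\\system32\\NOTEPAD.EXE %1",
    listening_tcp={135, 445},
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_host(snap) or "no indicators")
```

The txtfile check looks only at the start of the command, so a variant that quotes the argument ("%1") is still caught; the Run-key comparison, by contrast, is exact, because benign software can legitimately register values with similar names.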

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

Important: close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. You will also have to manually delete the infected files located inside archives, and the infected messages from your mail client.

The BitDefender Antilovgate tool does the following:
  • it detects all the known LovGate versions (A, B, C, D, E, G, H, J, K);
  • it deletes the files created by the virus;
  • it disinfects the files infected by the virus;
  • it kills the worm's process in memory;
  • it repairs the Windows registry.

You may also need to restore the affected files.

Analyzed By

Mihai Chiriac BitDefender Virus Researcher

Technical Description:

This variant is very similar in behaviour to Win32.LovGate.C, but it is clearly a more evolved version: it adds new features and improves existing ones. Only the differences from the previous version are described here.
The main addition is a component that logs mouse movements and keystrokes; BitDefender detects this component as "Win32.LovGate.F" as well. When the worm detects that the user has entered a password, it sends an email through a second SMTP engine, looking like this:
From: "" (empty)
Subject: "333www"
Content: a user/password combination, or the string "not find pass!".
The worm arrives as an attachment to email messages that look like this:
Subject: one of: Reply to this!, Let's Laugh, Last Update, For You, Great, Help, Attached one gift for u..., Hi Dear, Hi, See the attachement.
Attachment: one of: About_me.txt.pif, driver.exe, Doom3 Preview!!!.exe, enjoy.exe, YOU_are_FAT!.TXT.pif, Source.exe, nteresting.exe, readme.txt.pif, images.pif, Pics.ZIP.scr
(Note the double extensions such as .txt.pif and .ZIP.scr: with the Windows option to hide extensions for known file types enabled, these names are displayed as .txt or .ZIP files, but .pif and .scr files are executed as programs.)
Body: one of:
"For further assistance, please contact!",
"Copy of your message, including all the headers is attached.",
"This is the last cumulative update.",
"Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)",
"Send reply if you want to be official beta tester.",
"This message was created automatically by mail delivery software (Exim).",
"It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).",
"Adult content!!! Use with parental advisory.",
"Patrick Ewing will give Knick fans something to cheer about Friday night.",
"Send me your comments..."
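Both kinds of message the worm produces, the propagation mails described just above and the keylogger report described before them, can be recognised at a mail gateway from their headers and attachment names alone. The following is an added example, not code from the advisory or from BitDefender: it classifies a raw RFC 822 message as a propagation mail (a subject from the list combined with a listed attachment name or any decoy-plus-executable double extension), as a keylogger report (subject "333www" with an empty From), or as clean. The sample messages are constructed; the set of decoy and executable extensions used for the double-extension check is an assumption of the example that goes slightly beyond the names on the page.

```python
# Added example (not part of the advisory): classify mail produced by
# Win32.LovGate.F@mm using the subjects, attachment names and keylogger
# report format described in the technical description.
import email
from email.message import Message

WORM_SUBJECTS = {s.lower() for s in (
    "Reply to this!", "Let's Laugh", "Last Update", "For You", "Great", "Help",
    "Attached one gift for u...", "Hi Dear", "Hi", "See the attachement",
)}
WORM_ATTACHMENTS = {a.lower() for a in (
    "About_me.txt.pif", "driver.exe", "Doom3 Preview!!!.exe", "enjoy.exe",
    "YOU_are_FAT!.TXT.pif", "Source.exe", "nteresting.exe", "readme.txt.pif",
    "images.pif", "Pics.ZIP.scr",
)}
# Assumed extension sets for the double-extension check (e.g. readme.txt.pif).
EXEC_EXT = (".exe", ".pif", ".scr")
DECOY_EXT = (".txt", ".zip", ".jpg", ".doc")


def double_extension(name: str) -> bool:
    """True for names like readme.txt.pif: a decoy extension hiding an executable one."""
    n = name.lower()
    if not n.endswith(EXEC_EXT):
        return False
    return n.rsplit(".", 1)[0].endswith(DECOY_EXT)


def attachment_names(msg: Message) -> list:
    """File names of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw: bytes) -> str:
    """Return 'lovgate-keylog', 'lovgate-worm' or 'clean' for one raw message."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip()
    # The report is sent with an empty From; a gateway sees "" or <>.
    sender = (msg.get("From") or "").strip().strip('"')
    if subject == "333www" and sender in ("", "<>"):
        return "lovgate-keylog"
    names = attachment_names(msg)
    if subject.lower() in WORM_SUBJECTS and any(
            n.lower() in WORM_ATTACHMENTS or double_extension(n) for n in names):
        return "lovgate-worm"
    return "clean"


# Constructed sample messages (not real captures).
WORM_MAIL = b"""\
From: alice@example.test
To: bob@example.test
Subject: Hi Dear
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Adult content!!! Use with parental advisory.
--b1
Content-Type: application/octet-stream; name="readme.txt.pif"
Content-Disposition: attachment; filename="readme.txt.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
KEYLOG_MAIL = b"""\
From: ""
Subject: 333www
Content-Type: text/plain

jsmith/hunter2
"""
CLEAN_MAIL = b"""\
From: alice@example.test
To: bob@example.test
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Minutes attached.
--b2
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"

%PDF-1.4
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("keylog", KEYLOG_MAIL), ("clean", CLEAN_MAIL)):
        print(label, "->", classify(raw))
```

A subject such as "Hi" or "Help" on its own is far too common to block, which is why the propagation rule also requires a listed attachment name or a double extension; the double-extension test is the part worth keeping after this particular worm is gone.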
The worm then enumerates the shares it can reach and copies itself to them under the following names: 100 free essays school.pif, Age of empires 2 crack.exe, AN-YOU-SUCK-IT.txt.pif, Are you looking for Love.doc.exe, autoexec.bat, CloneCD + crack.exe, How To Hack Websites.exe, Mafia Trainer!!!.exe, MoviezChannelsInstaler.exe, MSN Password Hacker and Stealer.exe, Panda Titanium Crack.zip.exe, Sex_For_You_Life.JPG.pif, SIMS FullDownloader.zip.exe, Star Wars II Movie Full Downloader.exe, The world of lovers.txt.exe, Winrar + crack.exe.
The password list has also changed in this version. To gain access to remote shares the worm tries each of the following words as the password (a dictionary attack rather than a true brute force):
0
1
7
12
110
111
123
321
1234
2002
2003
2600
12345
54321
111111
121212
123123
123456
654321
666666
888888
1234567
11111111
12345678
88888888
123456789
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
123abc
123asd
a
aaa
abc
abc123
abcd
abcdef
abcdefg
Admin
admin
admin123
administrator
alpha
asdf
asdfgh
computer
database
enable
god
godblessyou
guest
home
Internet
login
Login
love
mypass
mypass123
mypc
mypc123
oracle
owner
pass
passwd
Password
password
pc
pw
pw123
pwd
root
secret
server
sex
sql
super
sybase
temp
temp123
test
test123
win
xp
xxx
yxcv
zxcv