- Files kernel66.dll, Netservices.exe, RAVMOND.exe, WinGate.exe,
WinDriver.exe, WinHelp.exe, winrpc.exe, iky668.dll, reg678.dll,
task688.dll, 111.dll in the Windows System folder.
- Under Windows 9x systems, the worm adds the line "run=ravmond.exe" to the win.ini file.
- The registry key HKLM\...\CurrentVersion\Run contains the values:
"run" = RavMonD.exe
"Program in Windows" = %SYSTEMDIR%\iexplore.exe
"Remote procedure Call Locator" = RUNDLL32.EXE reg678.dll ondll_reg
"WinGate initialize" = %SYSTEMDIR%\WinGate.exe -remoteshell
"WinHelp" = %SYSTEMDIR%\WinHelp.exe
- The registry key HKCR\txtfile\shell\open\command contains:
"(Default)" = winrpc.exe %1
- The system listens on TCP port 20168.
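The indicators above (dropped files, Run values, the hijacked txtfile handler, the win.ini line and the listening port) can be matched against a host snapshot. The following is an added example, not BitDefender's removal tool: it takes a snapshot in a simple dictionary form that a collector would fill in (the real registry path elided as "..." above is abstracted as `run_key`), and the two snapshots at the bottom are constructed sample data.

```python
"""Match a host snapshot against the Win32.LovGate.F indicators listed above.

Added example (not BitDefender's tool). `check_snapshot` expects a dict with
the keys shown in the constructed samples below; a real collector would fill
them from the System folder listing, the Run key, the txtfile open command,
win.ini and the list of listening TCP ports."""
import re

# Files the worm drops into the Windows System folder (compared case-insensitively).
SYSTEM_FILES = {
    "kernel66.dll", "netservices.exe", "ravmond.exe", "wingate.exe",
    "windriver.exe", "winhelp.exe", "winrpc.exe", "iky668.dll",
    "reg678.dll", "task688.dll", "111.dll",
}

# Run-key values the worm registers (name -> data, both lower-cased).
RUN_VALUES = {
    "run": "ravmond.exe",
    "program in windows": r"%systemdir%\iexplore.exe",
    "remote procedure call locator": "rundll32.exe reg678.dll ondll_reg",
    "wingate initialize": r"%systemdir%\wingate.exe -remoteshell",
    "winhelp": r"%systemdir%\winhelp.exe",
}

LISTEN_PORT = 20168


def check_snapshot(snap):
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []

    for name in sorted(snap.get("system_files", [])):
        if name.lower() in SYSTEM_FILES:
            findings.append(f"system file present: {name}")

    for name, data in snap.get("run_key", {}).items():
        expected = RUN_VALUES.get(name.lower())
        if expected is not None and data.strip().lower() == expected:
            findings.append(f"Run value: {name} = {data}")

    # The worm rewrites the .txt open handler so every text file launches winrpc.exe.
    cmd = snap.get("txtfile_open_command", "")
    if "winrpc.exe" in cmd.lower():
        findings.append(f"txtfile open handler hijacked: {cmd}")

    for line in snap.get("win_ini", []):
        if re.fullmatch(r"\s*run\s*=\s*ravmond\.exe\s*", line, re.IGNORECASE):
            findings.append(f"win.ini: {line.strip()}")

    if LISTEN_PORT in snap.get("listening_tcp_ports", []):
        findings.append(f"TCP port {LISTEN_PORT} listening")

    return findings


# Constructed sample snapshots (not real collector output).
INFECTED = {
    "system_files": ["kernel32.dll", "RAVMOND.exe", "reg678.dll", "winrpc.exe"],
    "run_key": {
        "run": "RavMonD.exe",
        "Remote procedure Call Locator": "RUNDLL32.EXE reg678.dll ondll_reg",
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
    "txtfile_open_command": r"winrpc.exe %1",
    "win_ini": ["[windows]", "run=ravmond.exe"],
    "listening_tcp_ports": [135, 445, 20168],
}

CLEAN = {
    "system_files": ["kernel32.dll", "winhlp32.exe"],
    "run_key": {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    "txtfile_open_command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    "win_ini": ["[windows]"],
    "listening_tcp_ports": [135, 445],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_snapshot(snap))
```

Only exact value data is matched for the Run key, so a legitimate entry that happens to share a name (such as "run") is not reported; the port check and the txtfile handler check are the two indicators that survive a renamed dropper.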
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. It detects all the known LovGate versions (A, B, C, D, E, G, H, J, K).
Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender Antilovgate tool does the following:
- it deletes the files created by the virus;
- it disinfects the files infected by the virus;
- it kills the process from memory;
- it repairs the Windows registry.
You may also need to restore the affected files.
Mihai Chiriac, BitDefender Virus Researcher
This variant is very similar in behaviour to Win32.LovGate.C. It is clearly a more evolved variant, bringing new features and enhancing previous ones. The differences from the previous version are described here.
The main feature added by this version is a component that logs mouse movements and keystrokes, which BitDefender also detects as "Win32.LovGate.F". When the worm detects that the user has entered a password, it sends an email using a second SMTP engine, looking like this:
From : ""
Subject : "333www"
Content : a combination of user/password or the string "not find pass!".
The worm arrives as an attachment to email messages that look like this:
Subject: one from the list: Reply to this!, Let's Laugh, Last Update, For You, Great, Help, Attached one gift for u..., Hi Dear, Hi, See the attachement.
Attachment: one from the list: About_me.txt.pif, driver.exe, Doom3 Preview!!!.exe, enjoy.exe, YOU_are_FAT!.TXT.pif, Source.exe, nteresting.exe, readme.txt.pif, images.pif, Pics.ZIP.scr
Body: one from the list:
"For further assistance, please contact!",
"Copy of your message, including all the headers is attached.",
"This is the last cumulative update.",
"Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)",
"Send reply if you want to be official beta tester.",
"This message was created automatically by mail delivery",
"It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).",
"Adult content!!! Use with parental advisory.",
"Patrick Ewing will give Knick fans something to cheer about Friday night.",
"Send me your comments..."
Then the worm enumerates local shares and copies itself there under one of the filenames: 100 free essays school.pif, Age of empires 2 crack.exe, AN-YOU-SUCK-IT.txt.pif, Are you looking for Love.doc.exe, autoexec.bat, CloneCD + crack.exe, How To Hack Websites.exe, Mafia Trainer!!!.exe, MoviezChannelsInstaler.exe, MSN Password Hacker and Stealer.exe, Panda Titanium Crack.zip.exe, Sex_For_You_Life.JPG.pif, SIMS FullDownloader.zip.exe, Star Wars II Movie Full Downloader.exe, The world of lovers.txt.exe, Winrar + crack.exe.
The password list has also changed in this version; to access remote shares, the worm tries to brute-force the password using one of the following words:
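Both the mail lures (subjects, attachment names and body phrases listed above) and the share-drop filenames follow the same pattern: a known name, or a document-looking name ending in an executable extension such as .txt.pif or .ZIP.scr. The following added example, not BitDefender's code, is a gateway-style check written from those lists; it parses a MIME message with Python's standard `email` package and also generalises to any double-extension name of that shape, which catches more than the exact names on the page. The messages it is run on are constructed samples, and `autoexec.bat` is deliberately left out of the name set because that name also belongs to a legitimate file.

```python
"""Flag Win32.LovGate.F-style mail lures and share drops.

Added example (not BitDefender's code). The name lists come from the
description above; the double-extension rule is a generalisation of them."""
from email import message_from_string, policy
from email.message import EmailMessage

SUBJECTS = {
    "Reply to this!", "Let's Laugh", "Last Update", "For You", "Great", "Help",
    "Attached one gift for u...", "Hi Dear", "Hi", "See the attachement",
}
ATTACHMENTS = {
    "About_me.txt.pif", "driver.exe", "Doom3 Preview!!!.exe", "enjoy.exe",
    "YOU_are_FAT!.TXT.pif", "Source.exe", "nteresting.exe", "readme.txt.pif",
    "images.pif", "Pics.ZIP.scr",
}
BODY_PHRASES = {
    "For further assistance, please contact!",
    "Copy of your message, including all the headers is attached.",
    "This is the last cumulative update.",
    "Send reply if you want to be official beta tester.",
    "Adult content!!! Use with parental advisory.",
    "Send me your comments...",
}
# Share-drop names from the description; autoexec.bat omitted (collides with a legitimate file).
SHARE_NAMES = {
    "100 free essays school.pif", "Age of empires 2 crack.exe", "AN-YOU-SUCK-IT.txt.pif",
    "Are you looking for Love.doc.exe", "CloneCD + crack.exe", "How To Hack Websites.exe",
    "Mafia Trainer!!!.exe", "MoviezChannelsInstaler.exe", "MSN Password Hacker and Stealer.exe",
    "Panda Titanium Crack.zip.exe", "Sex_For_You_Life.JPG.pif", "SIMS FullDownloader.zip.exe",
    "Star Wars II Movie Full Downloader.exe", "The world of lovers.txt.exe", "Winrar + crack.exe",
}
EXEC_EXT = {"exe", "pif", "scr"}
DOC_EXT = {"txt", "zip", "jpg", "doc"}


def double_extension(name):
    """True for names like 'readme.txt.pif': a document extension followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in EXEC_EXT


def is_share_drop(name):
    """True if a file found on a share matches a worm name or the double-extension pattern."""
    return name in SHARE_NAMES or double_extension(name)


def scan_message(raw):
    """Return the list of reasons a raw RFC 822 message looks like a LovGate lure."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject: {subject!r}")
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content() if text_part is not None else ""
    for phrase in BODY_PHRASES:
        if phrase in body:
            reasons.append(f"body phrase: {phrase!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in ATTACHMENTS:
            reasons.append(f"known attachment name: {name!r}")
        elif double_extension(name):
            reasons.append(f"double extension: {name!r}")
    return reasons


def build_sample(subject, filename, body="Please find the report attached."):
    """Construct a sample MIME message with one attachment (constructed test data)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes, not a real program",
                     maintype="application", subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(scan_message(build_sample("Hi Dear", "readme.txt.pif",
                                    "For further assistance, please contact!")))
    print(scan_message(build_sample("Quarterly report", "report.pdf")))
    print(is_share_drop("Winrar + crack.exe"), is_share_drop("notes.txt"))
```

The exact-name sets are useful for this variant only; the double-extension rule is the part worth keeping in a filter, since renamed lures from later variants share that shape.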