- Files winrpc.exe, syshelp.exe, WinRpcSrv.exe, WinGate.exe, rpcsrv.exe, iky.dll, task.dll, 1.dll in the Windows System folder.
- Under Windows 9x systems, the worm adds the line "run=rpcsrv.exe" to the win.ini file
- The registry key HKLM\...\CurrentVersion\Run contains the values:
WinGate initialize %system%\WinGate.exe -remoteshell
Module Call initialize RUNDLL32.EXE reg.dll ondll_reg
- The registry key HKCR\txtfile\shell\open\command contains: winrpc.exe %1
The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.it detects all the known LovGate versions (A, B, C, D, E, G, H, J, K);
Important: You will have to close all applications before running the
tool (including the antivirus shields) and to restart the computer afterwards.
Additionally you'll have to manually delete the infected files located in archives
and the infected messages from your mail client.
The BitDefender Antilovgate tool does the following:
it deletes the files created by the virus;
it disinfects the files infected by the virus;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
Mihai Chiriac BitDefender Virus Researcher
The worm comes as an attachement to email messages, which look like this :
one from the list:
Documents, Roms, Pr0n!, Evaluation copy, Help, Beta, Do not release, Last update, The Patch, Cracks
one from the list:
Docs.exe, Roms.exe, Sex.exe, Setup.exe, Source.exe, Pack.exe, Patch.exe
"Send me your comments..." or "Test this ROM! IT ROCKS!",
"Adult content!!! Use with parental advisory.",
"Test it 30 days for free",
"I\'m going crazy... please try to find the bug!",
"Send reply if you want to be official beta tester.",
"This is the pack ;)",
"This is the last cumulative update.",
"I think all will work fine.",
"Check our list and mail your requests!"
When first executed, the worm drops from its body the DLL files iky.dll, task.dll, 1.dll to the Windows System folder, then copies itself as winrpc.exe, syshelp.exe, WinRpcSrv.exe, WinGate.exe, rpcsrv.exe and spawns.
The DLL file uses NtQuerySystemInformation, an undocumented function exported by ntdll.dll to get a list of running processes. From this list it gets the process ID of "lsass.exe", allocates a block of memory from lsass' address space, writes to there a small routine and executes it remotely, using CreateRemoteThread(). The routine
loads "iky.dll" in lsass' address space.
Then the worm enumerates local shares, and copies itself to there, with the filenames : pics.exe, images.exe, joke.exe, pspgame.exe, news_doc.exe, hamster.exe, tamagotxi.exe, searchurl.exe, setup.exe, card.exe, illgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe, fun.exe". Also, it tries to write itself to remote shares (in the system32 directory, as stg.exe). For doing this, the worm tries to connect to the remote computer as "Administrator", using the following passwords : , <123>, <321>, <123456>, <654321>, , , , <111111>, <666666>, <888888>, , , , <12345678>, .
The worm searches for *.ht* files on local drives and locates email addresses. By using it's own SMTP engine (it connects to smtp.163.com, using the user name firstname.lastname@example.org), the worm spreads.