Win32.LovGate.C@mm

HIGH
LOW
78848 bytes
(I-Worm.Supnot.C)

Symptoms

- Files winrpc.exe, syshelp.exe, WinRpcSrv.exe, WinGate.exe, rpcsrv.exe, iky.dll, task.dll, 1.dll in the Windows System folder.
- Under Windows 9x systems, the worm adds the line "run=rpcsrv.exe" to the win.ini file.
- The registry key HKLM\...\CurrentVersion\Run contains the values:
    syshelp = %system%\syshelp.exe
    WinGate initialize = %system%\WinGate.exe -remoteshell
    Module Call initialize = RUNDLL32.EXE reg.dll ondll_reg
- The registry key HKCR\txtfile\shell\open\command contains: winrpc.exe %1
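The host indicators above can be turned into a check. The following is an added example (not Bitdefender's removal tool): it takes a snapshot of the System folder listing, the Run key values, the txtfile open handler and win.ini, and reports which LovGate.C indicators match. The snapshot used at the bottom is constructed, not collected from a real machine.

```python
# Added example (not Bitdefender's tool): checks a host snapshot for the
# LovGate.C indicators listed in the Symptoms section.
import re

# File names the worm drops into the Windows System folder (compared lowercase).
DROPPED_FILES = {"winrpc.exe", "syshelp.exe", "winrpcsrv.exe", "wingate.exe",
                 "rpcsrv.exe", "iky.dll", "task.dll", "1.dll"}
# Run key value name (lowercase) -> pattern its data must match.
RUN_VALUES = {
    "syshelp": r"syshelp\.exe$",
    "wingate initialize": r"wingate\.exe\s+-remoteshell$",
    "module call initialize": r"^rundll32\.exe\s+reg\.dll\s+ondll_reg$",
}

def check_snapshot(system_files, run_values, txtfile_command, win_ini):
    r"""Return the list of matched indicators (empty list = nothing found).

    system_files:    iterable of file names in the Windows System folder
    run_values:      dict value name -> data from HKLM\...\CurrentVersion\Run
    txtfile_command: data of HKCR\txtfile\shell\open\command (or None)
    win_ini:         text of win.ini (Windows 9x only; pass "" elsewhere)
    """
    hits = []
    for name in system_files:
        if name.lower() in DROPPED_FILES:
            hits.append(f"file: {name}")
    for name, data in run_values.items():
        pat = RUN_VALUES.get(name.lower())
        if pat and re.search(pat, data.strip(), re.IGNORECASE):
            hits.append(f"run value: {name} = {data}")
    if txtfile_command and re.match(r"^winrpc\.exe\s+%1", txtfile_command.strip(),
                                    re.IGNORECASE):
        hits.append(f"txtfile handler: {txtfile_command}")
    if re.search(r"^\s*run\s*=\s*rpcsrv\.exe", win_ini, re.IGNORECASE | re.MULTILINE):
        hits.append("win.ini: run=rpcsrv.exe")
    return hits

# Constructed sample snapshot (not real collected data) of an infected host.
SAMPLE_FILES = ["kernel32.dll", "syshelp.exe", "iky.dll", "notepad.exe"]
SAMPLE_RUN = {"syshelp": r"C:\WINDOWS\SYSTEM\syshelp.exe",
              "WinGate initialize": r"C:\WINDOWS\SYSTEM\WinGate.exe -remoteshell",
              "Module Call initialize": "RUNDLL32.EXE reg.dll ondll_reg",
              "ctfmon": r"C:\WINDOWS\SYSTEM\ctfmon.exe"}
SAMPLE_INI = "[windows]\nload=\nrun=rpcsrv.exe\n"

if __name__ == "__main__":
    for hit in check_snapshot(SAMPLE_FILES, SAMPLE_RUN, "winrpc.exe %1", SAMPLE_INI):
        print("INDICATOR:", hit)
```

A match on the Run values or the txtfile handler alone is strong evidence, since those names and the "-remoteshell" argument are specific to this worm.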

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.


The BitDefender Antilovgate tool does the following:
  • it detects all the known LovGate versions (A, B, C, D, E, G, H, J, K);
  • it deletes the files created by the virus;
  • it disinfects the files infected by the virus;
  • it kills the process from memory;
  • it repairs the Windows registry.

  • You may also need to restore the affected files.

Analyzed By

Mihai Chiriac, BitDefender Virus Researcher

Technical Description:

The worm arrives as an attachment to email messages that look like this:

Subject (one from the list):
Documents, Roms, Pr0n!, Evaluation copy, Help, Beta, Do not release, Last update, The Patch, Cracks

Attachment (one from the list):
Docs.exe, Roms.exe, Sex.exe, Setup.exe, Source.exe, Pack.exe, Patch.exe

Body (one from the list):
"Send me your comments...",
"Test this ROM! IT ROCKS!",
"Adult content!!! Use with parental advisory.",
"Test it 30 days for free",
"I'm going crazy... please try to find the bug!",
"Send reply if you want to be official beta tester.",
"This is the pack ;)",
"This is the last cumulative update.",
"I think all will work fine.",
"Check our list and mail your requests!"

When first executed, the worm drops from its body the DLL files iky.dll, task.dll and 1.dll into the Windows System folder, then copies itself as winrpc.exe, syshelp.exe, WinRpcSrv.exe, WinGate.exe and rpcsrv.exe, and spawns.

The DLL file uses NtQuerySystemInformation, an undocumented function exported by ntdll.dll, to get a list of running processes. From this list it gets the process ID of "lsass.exe", allocates a block of memory in lsass' address space, writes a small routine there and executes it remotely using CreateRemoteThread(). The routine loads "iky.dll" into lsass' address space.

Then the worm enumerates local shares and copies itself to them with the file names pics.exe, images.exe, joke.exe, pspgame.exe, news_doc.exe, hamster.exe, tamagotxi.exe, searchurl.exe, setup.exe, card.exe, illgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe, fun.exe. It also tries to write itself to remote shares (in the system32 directory, as stg.exe). To do this, the worm tries to connect to the remote computer as "Administrator", using the following passwords: , <123>, <321>, <123456>, <654321>, , , , <111111>, <666666>, <888888>, , , , <12345678>, .

The worm searches for *.ht* files on local drives and collects email addresses from them. Using its own SMTP engine (it connects to smtp.163.com, using the user name hacker117@163.com), the worm spreads by mail.