(Email-Worm.Win32.LovGate.y (Kaspersky), W32/Lovgate-V (Sophos), W32/Lovgate.aa@MM (McAfee), Win32/Lovgate.AD (NOD32))
Presence of the following files in the Windows/System32 folder:
- kernel66.dll (hidden)
and the file SYSTRA.EXE in the Windows folder.
Please let BitDefender delete the files detected as this worm.
Mihai Neagu, virus researcher
The worm arrives by e-mail, network shares or P2P networks (such as Kazaa).
The e-mail Subject is one of the following:
- Server Report
- Mail Transaction Failed
- Mail Delivery System
The e-mail Text can be a reply to an existing message, or can be the following:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
The e-mail Attachment is the worm with one of the following file names:
- Britney spears nude.exe.txt.exe
- DSL Modem Uncapper.rar.exe
- Deutsch BloodPatch!.exe
- How to Crack all gamez.exe
- I am For u.doc.exe
- Industry Giant II.exe
- Macromedia Flash.scr
- Sex in Office.rm.scr
- StarWars2 - CloneAttack.rm.scr
- dreamweaver MX (crack).exe
- the hardcore game-.pif
On P2P networks (in the download folder) or network shares (using the Windows/Media shared folder), the worm uses one of the following file names:
- AMD 2600 test.zip.exe
- Backup Made Simple 5.1.58 crack.exe
- CD-Cover Editor 2.6.exe
- Norton Antivirus crack.exe
- PC-Cillin readme.txt.exe
- Zealot All Video Splitter 1.1.9.zip.exe
The worm installs itself by performing the following actions:
- It copies the worm's main executable (97 KB) and a worm component (53 KB) to the Windows/System32 folder, with the following file names:
- kernel66.dll (hidden)
- It copies itself to the Windows folder with the name SYSTRA.EXE and to the root of all drives with the name COMMAND.EXE, and creates an AUTORUN.INF file that makes it run if the Autorun feature is enabled.
- It creates a Service named Windows Management Protocol v.0 (experimental) that runs the worm component: runndll32.exe msjdbc11.dll ondll_server
- It creates two or more entries in the Windows registry, to run at each Windows startup:
HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Program In Windows
with the value:
Windows/System32/IEXPLORE.EXE or one of the other copies.
- It also may create an entry in
HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Protected Storage or VFW Encoder/Decoder Settings
using rundll32.exe to load a copy of its component, for instance:
RUNDLL32.EXE MSSIGN30.DLL ondll_reg
- It starts a backdoor component that listens for commands on port 6000.
The worm attempts to terminate some antivirus/firewall applications.
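The indicators listed above can be checked together against an exported host inventory. The following is an added triage example, not BitDefender's code; the snapshot dictionary layout, the `triage` function name and the sample snapshot are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above (file paths relative to the Windows folder).
DROPPED = (r"System32\kernel66.dll", r"System32\IEXPLORE.EXE", "SYSTRA.EXE")
RUN_NAMES = {"program in windows", "protected storage", "vfw encoder/decoder settings"}
SERVICE = "windows management protocol v.0 (experimental)"
PORT = 6000
# A DLL invoked through an ondll_* export (ondll_server, ondll_reg), whatever the loader is called.
ONDLL = re.compile(r"\S+\.dll\s+ondll_\w+", re.I)

def triage(snap, windir=r"C:\Windows"):
    """Return sorted (category, detail) findings for one host snapshot (a dict)."""
    found = set()
    dropped = [PureWindowsPath(windir) / rel for rel in DROPPED]
    roots = {}
    for p in map(PureWindowsPath, snap.get("files", [])):
        if p in dropped:  # PureWindowsPath compares case-insensitively
            found.add(("file", p.name.lower()))
        if len(p.parts) == 2:  # a file sitting directly in a drive root
            roots.setdefault(p.drive.upper(), set()).add(p.name.lower())
    for drive, names in roots.items():
        if {"command.exe", "autorun.inf"} <= names:  # the pair, not either file alone
            found.add(("autorun", drive))
    for name, cmd in snap.get("run", {}).items():
        if name.lower() in RUN_NAMES:
            found.add(("run-name", name.lower()))
        if ONDLL.search(cmd):
            found.add(("ondll", name.lower()))
    for name, cmd in snap.get("services", {}).items():
        if name.lower() == SERVICE or ONDLL.search(cmd):
            found.add(("service", name.lower()))
    if PORT in snap.get("listening", []):
        found.add(("port", str(PORT)))  # weak on its own; corroborate with other findings
    return sorted(found)

# Constructed sample snapshot (not captured from a real host).
INFECTED = {
    "files": [r"c:\windows\system32\KERNEL66.DLL", r"C:\WINDOWS\systra.exe",
              r"D:\COMMAND.EXE", r"D:\autorun.inf", r"E:\AUTORUN.INF"],
    "run": {"Protected Storage": "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"},
    "services": {"Windows Management Protocol v.0 (experimental)":
                 "runndll32.exe msjdbc11.dll ondll_server"},
    "listening": [135, 445, 6000],
}

if __name__ == "__main__":
    print(*triage(INFECTED), sep="\n")
```

A lone AUTORUN.INF (drive E: in the sample) or a lone listener on port 6000 is not treated as conclusive; the findings are meant to be read together.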