SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Lovgate.O@mm

MEDIUM
LOW
446.464 bytes
(I-Worm.Lovgate.n (KAV), Win32.HLLM.Lovgate (DrWeb))

Symptoms

Files WINRPCSRV.EXE, SYSHELP.EXE, WINRPC.EXE, WINGATE.EXE and RPCSRV.EXE in the System folder
Ports 10168 and 20168 open.

Removal instructions:

Use the BitDefender removal tool available below, it does the following:

- Deletes/Cleans the infected files with Win32.Lovgate
- Cleans the registry and file associations
- Deletes the services created by the worm

Analyzed By

Mihai NEAGU BitDefender Virus Researcher

Technical Description:

The worm comes by mail in the following form:

Subject: One of the following:
  • "Documents"
  • "Roms"
  • "Pr0n!"
  • "Evaluation copy"
  • "Help"
  • "Beta"
  • "Do not release"
  • "Last Update"
  • "The patch"
  • "Cracks!"

Attachment: One of the following:
  • PICS.EXE
  • IMAGES.EXE
  • JOKE.EXE
  • PSPGAME.EXE
  • NEWS_DOC.EXE
  • HAMSTER.EXE
  • TAMAGOTXI.EXE
  • SEARCHURL.EXE
  • SETUP.EXE
  • CARD.EXE
  • BILLGT.EXE
  • MIDSONG.EXE
  • S3MSONG.EXE
  • DOCS.EXE
  • HUMOR.EXE
  • FUN.EXE

Body text: One of the following:
  • "Send me your comments..."
  • "Test this ROM! IT ROCKS!."
  • "Adult content!!! Use with parental advisory."
  • "Test it 30 days for free."
  • "I'm going crazy... please try to find the bug!"
  • "Send reply if you want to be official beta tester."
  • "This is the pack ;)"
  • "This is the last cumulative update."
  • "I think all will work fine."
  • "Check our list and mail your requests!"


The worm scans for *.ht* files (*.html, *.htm, *.htt, etc.) in the current directory, the Windows directory and in the special directories: Desktop, Start Menu, My Documents, etc. and grabs from there the e-mail addresses to send itself to, using its own e-mailing engine.

To be run every time Windows starts, it copies itself to the System directory with the following names:
  • WINRPCSRV.EXE
  • SYSHELP.EXE
  • WINRPC.EXE
  • WINGATE.EXE
  • RPCSRV.EXE

and creates the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\syshelp
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Wingate Initialize
with the path to one of the worm's copies.

On Windows 95/98/Me systems it writes in WIN.INI the value RUN with the path to it's executable. On Windows NT/2000/XP/2003, the worm creates a service called Window Remote Service with the path to its executable too.

The worm also associates the TXT extension to its own executable, by overwriting the registry value:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

It has also backdoor behaviour by listening commands on the ports 10168 and 20168.
Antivirus Software For Home Users
Business Security Solutions
Latest News
Tools & Resources