
Win32.Lovgate.O@mm

Aliases: I-Worm.Lovgate.n (KAV), Win32.HLLM.Lovgate (DrWeb)
Spreading: medium
Damage: low
Size: 446.464 bytes
Discovered: 2003 Sep 23

SYMPTOMS:

Files WINRPCSRV.EXE, SYSHELP.EXE, WINRPC.EXE, WINGATE.EXE and RPCSRV.EXE present in the System folder.
Ports 10168 and 20168 open.

TECHNICAL DESCRIPTION:

The worm comes by mail in the following form:

Subject: One of the following:
  • "Documents"
  • "Roms"
  • "Pr0n!"
  • "Evaluation copy"
  • "Help"
  • "Beta"
  • "Do not release"
  • "Last Update"
  • "The patch"
  • "Cracks!"

Attachment: One of the following:
  • PICS.EXE
  • IMAGES.EXE
  • JOKE.EXE
  • PSPGAME.EXE
  • NEWS_DOC.EXE
  • HAMSTER.EXE
  • TAMAGOTXI.EXE
  • SEARCHURL.EXE
  • SETUP.EXE
  • CARD.EXE
  • BILLGT.EXE
  • MIDSONG.EXE
  • S3MSONG.EXE
  • DOCS.EXE
  • HUMOR.EXE
  • FUN.EXE

Body text: One of the following:
  • "Send me your comments..."
  • "Test this ROM! IT ROCKS!."
  • "Adult content!!! Use with parental advisory."
  • "Test it 30 days for free."
  • "I'm going crazy... please try to find the bug!"
  • "Send reply if you want to be official beta tester."
  • "This is the pack ;)"
  • "This is the last cumulative update."
  • "I think all will work fine."
  • "Check our list and mail your requests!"


The worm scans *.ht* files (*.html, *.htm, *.htt, etc.) in the current directory, the Windows directory and the special folders (Desktop, Start Menu, My Documents, etc.), harvests the e-mail addresses it finds there and sends itself to them using its own e-mailing engine.

To be run every time Windows starts, it copies itself to the System directory with the following names:
  • WINRPCSRV.EXE
  • SYSHELP.EXE
  • WINRPC.EXE
  • WINGATE.EXE
  • RPCSRV.EXE

and creates the registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\syshelp
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Wingate Initialize
each pointing to one of the worm's copies.

On Windows 95/98/Me systems it writes into WIN.INI a RUN entry with the path to its executable. On Windows NT/2000/XP/2003 the worm creates a service called Window Remote Service, also pointing to its executable.

The worm also associates the TXT extension with its own executable by overwriting the registry value:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

It also acts as a backdoor, listening for commands on ports 10168 and 20168.
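A defender-side triage script for the indicators listed above, added here as an example and not BitDefender's removal tool. It parses text a responder would collect from a suspect host (`netstat -an` output, a `reg export` of the Run key and the txtfile open command, and a System-folder listing) and reports which Lovgate.O indicators match; all sample data below is constructed, not a real capture.

```python
import re

# Indicators from the advisory above
WORM_FILES = {"WINRPCSRV.EXE", "SYSHELP.EXE", "WINRPC.EXE", "WINGATE.EXE", "RPCSRV.EXE"}
RUN_VALUES = {"syshelp", "wingate initialize"}
BACKDOOR_PORTS = {10168, 20168}
TXT_CMD_KEY = r"hkey_classes_root\txtfile\shell\open\command"

def listening_ports(netstat_text):
    """TCP ports in LISTENING state, parsed from `netstat -an` output."""
    return {int(m.group(1)) for m in re.finditer(
        r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", netstat_text, re.M)}

def reg_values(reg_text):
    """Parse `reg export` (.reg) text into {(key, value_name): string_data}."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, data = line.split("=", 1)            # '@' names the default value
            values[(key, name.strip('"'))] = data.strip('"').replace("\\\\", "\\")
    return values

def lovgate_findings(netstat_text, reg_text, system_dir_files):
    """Human-readable findings; an empty list means no indicator matched."""
    findings = []
    if hits := BACKDOOR_PORTS & listening_ports(netstat_text):
        findings.append(f"backdoor ports listening: {sorted(hits)}")
    for (key, name), data in reg_values(reg_text).items():
        if key.lower().endswith(r"\currentversion\run") and name.lower() in RUN_VALUES:
            findings.append(f"Run value '{name}' -> {data}")
        if key.lower() == TXT_CMD_KEY and any(w in data.upper() for w in WORM_FILES):
            findings.append(f"txtfile open command hijacked -> {data}")
    if dropped := WORM_FILES & {f.upper() for f in system_dir_files}:
        findings.append(f"worm copies in System folder: {sorted(dropped)}")
    return findings

# Constructed sample data resembling an infected Windows XP host (not a real capture)
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING
  TCP    0.0.0.0:10168    0.0.0.0:0    LISTENING
  TCP    0.0.0.0:20168    0.0.0.0:0    LISTENING"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\System32\\SYSHELP.EXE"
"Wingate Initialize"="C:\\WINDOWS\\System32\\WINGATE.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\System32\\WINRPC.EXE %1"
"""
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "notepad.exe", "winrpcsrv.exe", "rpcsrv.exe"]
```

Running `lovgate_findings(SAMPLE_NETSTAT, SAMPLE_REG, SAMPLE_SYSTEM_DIR)` on the constructed data yields five findings; a clean host yields an empty list.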

Removal instructions:

Use the BitDefender removal tool available below; it does the following:

- Deletes or cleans files infected with Win32.Lovgate
- Cleans the registry and file associations
- Deletes the services created by the worm

ANALYZED BY:

Mihai NEAGU
BitDefender Virus Researcher