Worm:Win32/Lovgate.AE@mm is a mass-mailing worm that sends itself as an e-mail attachment to addresses found on the infected computer. To spread via networks and file shares, Worm:Win32/Lovgate.AE@mm copies itself to writeable network shares and shares protected by weak user name and password pairs. The worm opens a backdoor on infected systems and may send system passwords and other sensitive information to the worm's author.
Worm:Win32/Lovgate.AE@mm spreads via email by replying to any unread messages in the Microsoft Outlook and Outlook Express inboxes. It also searches drives for .htm and .html files and sends a copy of itself to any mailto addresses found in those files.
When Worm:Win32/Lovgate.AE@mm runs, it takes the following actions:
Copies itself to the Windows system folder as WinHelp.exe. The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System (Windows 95/98/ME).
Creates value: winhelp
with data: <system folder>\winhelp.exe
in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Copies itself to writeable network shares using the following file names:
WinRAR.exe
Internet Explorer.bat
Documents and Settings.txt.exe
Microsoft Office.exe
Windows Media Player.zip.exe
Support Tools.exe
WindowsUpdate.pif
Cain.pif
MSDN.ZIP.pif
autoexec.bat
findpass.exe
client.exe
i386.exe
winhlp32.exe
xcopy.exe
mmc.exe
Worm:Win32/Lovgate.AE@mm also drops a backdoor DLL component. The file name of this DLL may vary. The following are examples of the file names used by the worm:
reg678.dll
Task688.dll
ily668.dll
kernel66.dll
111.dll
The email composed by Worm:Win32/Lovgate.AE@mm has the following characteristics:
Subject: YAHOO.COM Mail
Message body:
> Get your FREE %s now! <
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
%s auto-reply:
Attachment names:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
The attachment file names have the following extensions:
pif
scr
exe
Worm:Win32/Lovgate.AE@mm uses a double extension ruse, which may cause the extension to display as one of the following:
rm
mp3
avi
rar
zip
doc
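A mail-filter style check for the double extension ruse described above, as an added example that is not part of the original description. The function names are hypothetical, and the sample list mixes attachment names from this page with two constructed benign names.

```python
import ntpath

# Final (real) extensions of the worm's attachments, as listed above.
EXECUTABLE_EXTS = {"pif", "scr", "exe"}
# Extensions the ruse may cause to be displayed, as listed above.
DECOY_EXTS = {"rm", "mp3", "avi", "rar", "zip", "doc"}


def classify_attachment(filename):
    """Return 'double-extension', 'executable' or 'other' for a file name."""
    # Windows ignores case and trailing dots/spaces, so normalise them first.
    name = ntpath.basename(filename).rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "other"
    # A decoy extension anywhere before the real one is the ruse.
    if any(part in DECOY_EXTS for part in parts[1:-1]):
        return "double-extension"
    return "executable"


def flag_attachments(filenames):
    """Return {name: verdict} for every name that should be blocked."""
    verdicts = {}
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict != "other":
            verdicts[name] = verdict
    return verdicts


# Sample input: the first three names are from the list above,
# the last two are constructed benign names.
SAMPLE_NAMES = [
    "I am For u.doc.exe",
    "Shakira.zip.exe",
    "SETUP.EXE",
    "minutes.doc",
    "holiday.avi",
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:17} {name}")
```

Names whose inner extension is not in the decoy list, such as Britney spears nude.exe.txt.exe, are still reported as "executable" because the check keys on the final extension.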