Worm:Win32/Lovgate.E@mm is a worm that copies itself to network shares, and sends a copy of itself as a reply to unread messages in the Microsoft Outlook e-mail Inbox. The worm also copies itself to shared subfolders, making itself available for download by common peer-to-peer file sharing applications. In addition, Worm:Win32/Lovgate.E@mm opens a TCP port, and awaits backdoor connections from an attacker.
Installation
When this worm is run, it copies itself to the Windows system folder as:
windriver.exe
winhelp.exe
winrpc.exe
wingate.exe
ravmond.exe
iexplore.exe
kernel66.dll
The worm writes additional files as a remote access component, to the Windows system folder using the names 'ily668.dll', 'task688.dll' and 'reg678.dll'.
The registry is modified so that a copy of the worm and the remote access component are loaded at Windows startup:
Adds values with data:
"WinHelp" = "<system folder>\winhelp.exe"
"WinGate initialize" = "<system folder>\WinGate.exe -remoteshell"
"Remote Procedure Call Locator" = "rundll32 reg678.dll"
Within subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds value with data:
"(default)" = "winrpc.exe %1"
Within subkey: HKEY_LOCAL_MACHINE\Registry\Machine\Software\Classes\txtfile\shell\open\command
Adds value with data:
"run" = "ravmond.exe"
Within subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Spreads via…
Network Shares
Win32/Lovgate attempts to connect to networked computers, using the account 'Administrator' and a list of passwords it carries in its code. If the worm is successful in logging on to the remote computer, it will copy itself to the share 'admin$\system32' as a file named netservices.exe. Then it creates a service named 'Microsoft NetWork FireWall Services' that runs the worm copy 'netservices.exe'.
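The script below is an added triage example for this entry, not Microsoft's own tooling. It parses a Windows registry export (.reg text) and a service listing and reports the persistence entries listed under Installation (the Run values, the txtfile open-command hijack and the 'run' value) together with the service name described in this section. The .reg text, the service list and every function name are constructed for the example; registry keys are matched by suffix so that the hive prefix used by the export does not matter.

```python
"""Triage helper for the persistence indicators in this entry: scans a
registry export (.reg text) and a list of installed services.
Added example for this page, not Microsoft's code; all sample input
below is constructed."""

# File names the entry says the worm writes to the system folder, plus
# netservices.exe, the copy it drops on remote shares. iexplore.exe is
# also the legitimate browser name, so a hit on it means "check the
# path", not "confirmed worm".
WORM_FILES = {
    "windriver.exe", "winhelp.exe", "winrpc.exe", "wingate.exe",
    "ravmond.exe", "iexplore.exe", "kernel66.dll",
    "ily668.dll", "task688.dll", "reg678.dll", "netservices.exe",
}

# Registry keys named in the entry, matched by suffix so the hive
# spelling used by the export (HKEY_LOCAL_MACHINE vs HKLM) is irrelevant.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
TXTFILE_SUFFIX = r"\classes\txtfile\shell\open\command"
WINDOWS_SUFFIX = r"\software\microsoft\windows nt\currentversion\windows"

# Service name the entry says the worm registers on remote hosts.
SERVICE_NAME = "Microsoft NetWork FireWall Services"


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"="data" or @="data" lines. Returns {key_lowercase: {name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes in string data as "\\".
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def mentions_worm_file(data):
    lowered = data.lower()
    return any(name in lowered for name in WORM_FILES)


def find_registry_indicators(keys):
    """Return human-readable findings for the three modifications the entry
    describes (Run values, txtfile open-command hijack, 'run' value)."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            if key.endswith(RUN_SUFFIX) and mentions_worm_file(data):
                findings.append(f"Run value {name!r} -> {data}")
            elif (key.endswith(TXTFILE_SUFFIX) and name == "(default)"
                  and "winrpc.exe" in data.lower()):
                findings.append(f"txtfile open command hijacked -> {data}")
            elif (key.endswith(WINDOWS_SUFFIX) and name.lower() == "run"
                  and mentions_worm_file(data)):
                findings.append(f"'run' value under Windows key -> {data}")
    return findings


def find_service_indicators(services):
    """services: iterable of (service name, binary path) pairs."""
    findings = []
    for name, binary in services:
        if name == SERVICE_NAME or mentions_worm_file(binary):
            findings.append(f"service {name!r} -> {binary}")
    return findings


# Constructed sample export: worm entries plus one benign Run value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="C:\\WINDOWS\\system32\\winhelp.exe"
"WinGate initialize"="C:\\WINDOWS\\system32\\WinGate.exe -remoteshell"
"Remote Procedure Call Locator"="rundll32 reg678.dll"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
@="winrpc.exe %1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="ravmond.exe"
"load"=""
"""

# Constructed service listing: one worm service, one legitimate one.
SAMPLE_SERVICES = [
    ("Microsoft NetWork FireWall Services", r"C:\WINDOWS\system32\netservices.exe"),
    ("W32Time", r"C:\WINDOWS\system32\svchost.exe -k LocalService"),
]


def triage(reg_text, services):
    return (find_registry_indicators(parse_reg_export(reg_text))
            + find_service_indicators(services))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_SERVICES):
        print(finding)
```

On the constructed sample the script reports the three Run values, the hijacked txtfile command, the 'run' value and the worm service, and ignores the benign ctfmon.exe entry. The txtfile check matters beyond this worm: a shell\open\command that points at a program other than the registered handler means the worm is relaunched every time the user opens a .txt file, so cleaning the Run key alone leaves the host reinfected.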
E-Mail 'Auto reply'
The worm sends itself in two ways by e-mail. In the first method, the worm replies to unread messages found in the Outlook inbox with an e-mail message and file attachment copy of the worm. Messages constructed by the worm have the following format:
'%SENDER%' wrote:
====
> %ORIGINAL MAIL BODY%
====
%ACCOUNT% account auto-reply:
<
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE %ACCOUNT% account now! <
In the second method, the worm sends new messages with a copy of the worm attached. These messages are in the following format:
Possible Subject text:
Possible Body text:
- For further assistance, please contact!
- Copy of your message, including all the headers is attached.
- This is the last cumulative update.
- Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
- Send reply if you want to be official beta tester.
- This message was created automatically by mail delivery software (Exim).
- It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
- Adult content!!! Use with parental advisory.
- Patrick Ewing will give Knick fans something to cheer about Friday night.
Possible attachment names:
- I am For u.doc.exe
- Britney spears nude.exe.txt.exe
- joke.pif
- DSL Modem Uncapper.rar.exe
- Industry Giant II.exe
- StarWars2 - CloneAttack.rm.scr
- dreamweaver MX (crack).exe
- Shakira.zip.exe
- SETUP.EXE
- Macromedia Flash.scr
- How to Crack all gamez.exe
- Me_nude.AVI.pif
- s3msong.MP3.pif
- Deutsch BloodPatch!.exe
- Sex in Office.rm.scr
- the hardcore game-.pif
Peer-to-Peer File Sharing
The worm copies itself to subfolders whose names contain the string "shar", increasing the chance that it will spread through peer-to-peer file sharing applications by being downloaded by an unsuspecting user searching for files with specific names. Filenames used by the worm include the following:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
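Both the e-mail attachment names and the peer-to-peer file names above share one construction: an executable extension (.exe, .pif, .scr) placed after a document, media or archive extension so that the real type is hidden. The function below is an added example for this entry, not Microsoft's code, and it generalizes the pattern: it flags any name whose final extension is executable and which carries a decoy extension in front of it, so it catches variants beyond the exact list above. The extension sets and the sample names that are not drawn from the lists are constructed.

```python
"""Heuristic for deceptive double-extension file names of the kind listed
in this entry. Added example for this page, not Microsoft's code; the rule
generalizes beyond the exact names above (any decoy + executable pairing),
so use it as a mail-gateway or share-scan filter, not as a signature."""

# Extensions Windows executes when the file is opened.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
# Extensions used as bait in the names above; extend as needed (constructed set).
DECOY_EXTS = {"doc", "txt", "jpg", "avi", "mp3", "rm", "zip", "rar"}


def classify_attachment(filename):
    """Return (verdict, reason). Verdicts: 'deceptive' (executable hidden
    behind a decoy extension), 'executable' (plain executable extension),
    'other' (not an executable type by extension)."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "other", "no extension"
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return "other", f".{final} is not an executable extension"
    # Every dotted component between the base name and the real extension
    # is a candidate decoy ("u.doc.exe" -> ["u", "doc", "exe"]).
    decoys = [p for p in parts[1:-1] if p in DECOY_EXTS | EXECUTABLE_EXTS]
    if decoys:
        return "deceptive", f".{final} hidden behind .{'.'.join(decoys)}"
    return "executable", f".{final} executable"


def triage_names(names):
    """Group a list of file names by verdict."""
    groups = {"deceptive": [], "executable": [], "other": []}
    for name in names:
        verdict, _ = classify_attachment(name)
        groups[verdict].append(name)
    return groups


# Names taken from the two lists in this entry plus two constructed benign ones.
SAMPLE_NAMES = [
    "I am For u.doc.exe", "Britney spears nude.exe.txt.exe", "joke.pif",
    "DSL Modem Uncapper.rar.exe", "StarWars2 - CloneAttack.rm.scr",
    "Me_nude.AVI.pif", "autoexec.bat", "Winrar + crack.exe",
    "MSN Password Hacker and Stealer.exe", "quarterly-report.pdf",
    "holiday.jpg",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict, reason = classify_attachment(name)
        print(f"{verdict:10s} {name!r}: {reason}")
```

The 'executable' verdict is kept separate from 'deceptive' because a gateway policy usually blocks the first outright and quarantines the second for review; a name such as "Winrar + crack.exe" is a plain executable, while "Me_nude.AVI.pif" is trying to pass as a video. Windows hides known extensions by default, which is exactly why the trailing .exe or .pif in these names goes unnoticed by the recipient.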
Payload
Backdoor Functionality
This worm opens a random, high-numbered TCP port, and awaits connections from a remote attacker. Port numbers used by the worm were observed to be 6000 and higher, although other ports could be used.
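Because the port is random, a host-side check has to start from "which processes are listening on high TCP ports" rather than from a fixed number. The script below is an added example for this entry, not Microsoft's code: it parses `netstat -ano` output, joins it with a PID-to-image map of the kind `tasklist` produces, and lists every TCP listener at or above port 6000, marking those whose owning image name matches one of the file names the worm drops. The netstat text and the PID map are constructed, and treating the dropped file names as the likely owners of the port is an assumption made for the example.

```python
"""Correlate `netstat -ano` output with a PID-to-image map to list TCP
listeners on high ports, the backdoor pattern this entry describes.
Added example for this page, not Microsoft's code. The sample output is
constructed; the owning-image check uses the file names the worm is said
to drop, which is an assumption about which process holds the port."""

HIGH_PORT = 6000  # threshold from the entry: observed ports were 6000 and higher

# Executable names the entry lists for the worm's own copies.
WORM_IMAGES = {"windriver.exe", "winhelp.exe", "winrpc.exe",
               "wingate.exe", "ravmond.exe", "netservices.exe"}


def parse_netstat(text):
    """Return a list of (proto, local_port, state, pid) from Windows
    netstat -ano lines. Header and blank lines are skipped; UDP rows have
    no state column, so their state is recorded as an empty string."""
    rows = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])  # also handles [::]:6384
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        rows.append((proto, port, state, pid))
    return rows


def find_high_listeners(netstat_text, pid_to_image, threshold=HIGH_PORT):
    """Return [(port, pid, image, matches_worm_name)] for TCP LISTENING
    sockets on ports >= threshold. Every row deserves a look; the boolean
    marks the ones whose owning image name matches the worm's file names."""
    hits = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "LISTENING" and port >= threshold:
            image = pid_to_image.get(pid, "<unknown>")
            hits.append((port, pid, image, image.lower() in WORM_IMAGES))
    return hits


# Constructed sample: one worm listener, normal services, one UDP row.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1020
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6384           0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.10:1035      192.168.1.20:445       ESTABLISHED     1788
  TCP    [::]:8080              [::]:0                 LISTENING       2412
  UDP    0.0.0.0:500            *:*                                    1100
"""

# Constructed PID map, as `tasklist` would report it.
SAMPLE_PROCS = {4: "System", 1020: "svchost.exe", 1100: "lsass.exe",
                1788: "winrpc.exe", 2412: "java.exe"}

if __name__ == "__main__":
    for port, pid, image, worm in find_high_listeners(SAMPLE_NETSTAT, SAMPLE_PROCS):
        flag = "WORM NAME" if worm else "review"
        print(f"TCP {port:5d} pid {pid:5d} {image:16s} {flag}")
```

On the sample the listener on port 6384 is attributed to winrpc.exe and flagged, while the port 8080 listener is listed for review only. The same PID also holds an established connection to port 445 on another host in the sample, which is the share-spreading behaviour described under Network Shares; correlating listeners with outbound SMB connections from the same process is a useful second signal when the image name has been changed.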