Home / malware Email-Worm:W32/LovGate.AG
First posted on 01 June 2007.
Source: SecurityHomeAliases :
Email-Worm:W32/LovGate.AG is also known as LovGate.ag, Email-Worm.Win32.LovGate.ag.
Explanation :
LovGate.AG is a worm that spreads in e-mails, local and peer-to-peer networks. Additionally this worm drops a backdoor to an infected system.
When the worm is run, it creates copies of itself in the system using the following names:
- %windir%system32TkBellExe.exe
- %windir%system32hxdef.exe
- %windir%system32IEXPLORE.EXE
- %windir%system32kernel66.dll (with hidden, system and read-only attribute)
- %windir%system32RAVMOND.exe
- %windir%system32Update_OB.exe
- %windir%CdPlay.EXE
- %windir%Exploier.exe
In addition to this, it drops copies of itself to all available root drives using the filename, cdrom.com. Along with this, an AUTORUN.INF file is created to automatically execute the worm when the root drive is mounted.
This worm drops copies of its backdoor component using these filenames:
- %windir%system32MSSIGN30.DLL
- %windir%system32ODBC16.dll
- %windir%system32msjdbc11.dll
Creating Registry Keys
These registries are created by the malware to enable its automatic execution:
- [HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows]
"run" = "RAVMOND.EXE" - [HKLMSoftwareMicrosoftWindowsCurrentVersion
unServices]
"SystemTra" = "%windir%CdPlay.EXE" - [HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"WinHelp" = "%windir%system32TkBellExe.exe" - [HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Hardware Profile" = "%windir%system32hxdef.exe" - [HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"Microsoft Associates, Inc." = "iexplorer.exe" - [HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"VFW Encoder/Decoder Settings" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg" - [HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"Program In Windows" = "%windir%system32IEXPLORE.EXE" - [HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Shell Extension" = "%windir%system32spollsv.exe" - [HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"Protected Storage" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg" - [HKLMSystemCurrentControlSetServicesWindows Management Protocol v.0 (experimental)]
"ImagePath" = "Rundll32.exe msjdbc11.dll ondll_server" - [HKLMSystemCurrentControlSetServices\_reg]
"ImagePath" = "Rundll32.exe msjdbc11.dll ondll_server"
Spreading via Network
It drops copies of itself as the following in network-shared directories:
- autoexec.bat
- Cain.pif
- client.exe
- Documents and Settings.txt.exe
- findpass.exe
- i386.exe
- Internet Explorer.bat
- Microsoft Office.exe
- mmc.exe
- MSDN.ZIP.pif
- Support Tools.exe
- Windows Media Player.zip.exe
- WindowsUpdate.pif
- winhlp32.exe
- WinRAR.exe
- xcopy.exe
The worm is able to spread itself to the local network. It enumerates network shares and attempts to connect to the admin$ share using the following passwords:
- 123
- 321
- 123456
- 654321
- guest
- administrator
- admin
- 111111
- 666666
- 888888
- abc
- abcdef
- abcdefg
- 12345678
- abc123
- root
- 1
- 111
- 1234
- !@#$
- asdf
- asdfgh
- !@#$%
- !@#$%^
- !@#$%^&
- !@#$%^&*
- sql
- server
- passwd
- password
- 12345
- 54321
- pass
- 0
- 000000
- 00000000
- 007
- 110
- 11111111
- 12
- 121212
- 123123
- 1234567
- 123456789
- 123abc
- 123asd
- 2002
- 2003
- 2600
- 88888888
- a
- aaa
- abcd
- Admin
- admin123
- alpha
- computer
- database
- enable
- god
- godblessyou
- home
- Internet
- Login
- login
- love
- mypass
- mypass123
- mypc
- mypc123
- oracle
- owner
- Password
- pc
- pw
- pw123
- pwd
- secret
- sex
- super
- sybase
- temp
- temp123
- test
- test123
- win
- xp
- xxx
- yxcv
- zxcv
- Administrator
- Guest
Once successfully connected, it proceeds to copy itself to the Windows System directory of the remote computer as NetManager.exe. This file is loaded as a remote service named "Windows Management NetWork Service Extensions".
It shares the %windir%media directory of an infected computer to everyone as MEDIA.
Spreading via E-mail
The worm spreads as an attachment to e-mail messages. It uses two methods when spreading - composing its own messages and replying to messages that are received by a user of an infected computer.
Before spreading, the worm looks for victims' e-mail addresses. It opens Windows Address Book and searches e-mail addresses there. Additionally the worm scans files with the following extensions on local hard drives and ram disks:
- .adb
- .asp
- .dbx
- .htm
- .php
- .sht
- .tbb
- .wab
The worm ignores e-mail addresses if they contain any of the following:
- .gov
- .mil
- abuse
- accoun
- acketst
- anyone
- arin.
- avp
- be_loyal:
- berkeley
- borlan
- bsd
- bugs
- certific
- contact
- example
- fcnz
- feste
- fido
- foo.
- fsf.
- gnu
- gold-certs
- gov.
- help
- hotmail
- iana
- ibm.com
- icrosof
- icrosoft
- ietf
- info
- inpris
- isc.o
- isi.e
- kernel
- linux
- listserv
- math
- mit.e
- mozilla
- msn.
- mydomai
- nobody
- nodomai
- noone
- not
- nothing
- ntivi
- page
- panda
- pgp
- postmaster
- privacy
- rating
- rfc-ed
- ripe.
- ruslis
- samples
- secur
- sendmail
- service
- site
- soft
- somebody
- someone
- sopho
- spm
- submit
- support
- syma
- tanford.e
- the.bat
- unix
- usenet
- utgers.ed
- webmaster
- www
- you
- your
The worm sends messages with variable subject and body text and variable attachment name.
The subject of an infected message can be one of the following:
- Error
- Hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
The message body can be empty or can contain one of the following:
- It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
- Mail failed. For further assistance, please contact!
- The message contains Unicode characters and has been sent as a binary attachment.
The attachment name is selected from one of the following variants:
- body
- data
- doc
- document
- file
- message
- readme
- test
- text
The attachment extension can be one of the following:
- .bat
- .cmd
- .exe
- .pif
- .scr
The worm can fake the sender's e-mail address. The fake user name is selected from the following variants:
- adam
- alex
- alice
- andrew
- anna
- bill
- bob
- brenda
- brent
- brian
- claudia
- dan
- dave
- david
- debby
- fred
- george
- helen
- jack
- james
- jane
- jerry
- jim
- jimmy
- joe
- john
- jose
- julie
- kevin
- leo
- linda
- maria
- mary
- matt
- michael
- mike
- peter
- ray
- robert
- sam
- sandra
- serg
- smith
- stan
- steve
- ted
- tom
The domain name is selected from these variants:
- aol.com
- hotmal.com
- msn.com
- yahoo.com
The alternative way of spreading of the worm makes use of MAPI. The worm logs in, reads e-mail messages through MAPI interface and replies to them with the following:
- Britney spears nude.exe.txt.exe
- Deutsch BloodPatch!.exe
- dreamweaver MX (crack).exe
- DSL Modem Uncapper.rar.exe
- How to Crack all gamez.exe
- I am For u.doc.exe
- Industry Giant II.exe
- joke.pif
- Macromedia Flash.scr
- Me_nude.AVI.pif
- s3msong.MP3.pif
- SETUP.EXE
- Sex in Office.rm.scr
- Shakira.zip.exe
- StarWars2 - CloneAttack.rm.scr
- the hardcore game-.pif
The worm doesn't use any tricks to make its attachment run automatically on recipients' computers. Only when a recipient runs an infected attachment does his computer becomes infected with the worm.
Spreading via Kazaa File Sharing Network
The worm spreads to the Kazaa file sharing network. It locates a shared folder of Kazaa and copies itself there with one of the following names:
- BlackIcePCPSetup_creak
- HEROSOFT
- orcard_original_creak
- Passware5.3
- rainbowcrack-1.1-win
- REALONE
- setup
- W32Dasm
- word_pass_creak
- wrar320sc
The extension for the copied file is selected from the following variants:
- .bat
- .exe
- .pif
- .scr
Payload
This worm terminates several security-related processes and services such as:
- MCAFEE
- RAVMON.EXE
- RFW.EXE
- RISING
- Rising Realtime Monitor Service
- SKYNET
- SYMANTEC
- Symantec AntiVirus Client
- Symantec AntiVirus Server
Last update 01 June 2007