
Worm:W32/Lovgate.B


First posted on 16 June 2010.
Source: SecurityHome

Aliases:

There are no other names known for Worm:W32/Lovgate.B.

Explanation:

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Additional Details

Lovgate.B is a mass-mailing and network worm which also has a backdoor component.

Apart from the mass-mailing functionality, this worm can spread through Windows shares and steal users' passwords. It also has backdoor capabilities, listening on port 10168 and allowing the attacker to perform different actions on the infected machine.

In all variants A, B and C, a dropped DLL sets up another copy of the backdoor on port 1192.

The worm's executable is packed with ASPack.

History

UPDATE (2003-09-23)
F-Secure received reports about a new Lovgate variant known as Lovgate.N from Germany. F-Secure Anti-Virus detects this worm variant with the following updates: Version=2003-09-23_02

UPDATE (2003-05-13)
Three new Lovgate variants known as Lovgate.I, Lovgate.J and Lovgate.K have been found on May 13th, 2003. These are similar to old Lovgate variants, but in addition, they infect executable files. For more information see the bottom of the description.

UPDATE (2003-03-27 12:50 GMT)
F-Secure is upgrading Lovgate.F to level 2 because of the increased number of infections. Lovgate.F is an e-mail and network worm with backdoor capabilities. It attempts to gain remote access using a longer list of passwords than previous variants.

UPDATE (2003-03-25 13:30 GMT)
A new variant of Lovgate worm, Lovgate.G has been found on 25th of March 2003. For more information see the bottom of the description.

UPDATE (2003-03-24 13:30 GMT)
A new variant of Lovgate worm, Lovgate.F has been found on 24th of March 2003. For more information see the bottom of the description.

UPDATE (2003-02-24 10:30 GMT)
A new variant of Lovgate worm, Lovgate.C has been found on 24th of February 2003. For more information see the bottom of the description.

Activity

Lovgate sends the stolen information to the following addresses:

• hello_dll@163.com
• hacker117@163.com

The worm has its own SMTP engine and connects to the host smtp.163.com to deliver its messages. The domain 163.com seems to be a Chinese web portal.

Lovgate copies itself to shares and shares' sub-folders with names such as:

• fun.exe
• humor.exe
• docs.exe
• s3msong.exe
• midsong.exe
• billgt.exe
• Card.EXE
• SETUP.EXE
• searchURL.exe
• tamagotxi.exe
• hamster.exe
• news_doc.exe
• PsPGame.exe
• joke.exe
• images.exe
• pics.exe

It tries the following usernames and passwords if the shares are password protected:

Usernames:

• guest
• Administrator

Passwords:

• "" (empty password)
• "guest"
• "123"
• "321"
• "123456"
• "654321"
• "administrator"
• "admin"
• "111111"
• "666666"
• "888888"
• "abc"
• "abcdef"
• "abcdefg"
• "12345678"
• "abc123"

If it gains access, it copies itself to a file named "stg.exe" in the "System32" Windows folder and attempts to run it.

It has key-logging capabilities and stores the information it gathers in the following files:

• win32pwd.sys
• win32add.sys

Lovgate.B copies itself into the Windows system folder with the following filenames:

• WinGate.exe
• WinRpcsrv.exe
• syshelp.exe
• winrpc.exe
• rpcsrv.exe

It creates entries in several configuration files and in the Windows registry to run those copies.

Under the registry key

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

it creates the following entries:

"WinGate initialize" = "%winsysdir%\WinGate.exe -remoteshell"
"syshelp" = "%winsysdir%\syshelp.exe"
"Module Call initialize" = "rundll32.exe reg.dll ondll_reg"

Where '%winsysdir%' stands for Windows' system directory.

It also sets the registry key

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@ = %winsysdir%\winprc.exe "%1"

so the worm executes each time the user double-clicks a text file. When run it also launches Notepad, so nothing is noticeable unless the default editor for text files was something other than Notepad.

It sets the following entry under the 'Windows' section of the win.ini file:

[Windows]
Run=rpcsrv.exe

Lovgate.B drops the same DLL under the following names:

• %winsysdir%\ily.dll
• %winsysdir%\task.dll
• %winsysdir%\reg.dll
• %winsysdir%\1.dll

This variant also drops the keylogger DLL as:

• %winsysdir%\win32vxd.dll

Among other things, those DLLs are in charge of the keylogging process and of sending data back to the worm's creator.

The worm sends e-mail in two different ways. When it runs, it launches a thread that sends replies to messages found in the inbox using the Windows MAPI functions. The reply message has the following body:

• I'll try to reply as soon as possible.
• Take a look to the attachment and send me your opinion!

It also searches for *.ht* files and sends messages to the addresses found inside. The message is composed from the data in the following lists:

Possible filenames of the e-mail attachment are:

• Docs.exe
• Roms.exe
• Sex.exe
• Setup.exe
• Source.exe
• _SetupB.exe
• Pack.exe
• LUPdate.exe
• Patch.exe
• CrkList.exe

Possible subjects are:

• Documents
• Roms
• Pr0n!
• Evaluation copy
• Help
• Beta
• Do not release
• Last Update
• The patch
• Cracks!

Possible bodies are:

• Send me your comments...
• Test this ROM! IT ROCKS!.
• Adult content!!! Use with parental advisory.
• Test it 30 days for free.
• I'm going crazy... please try to find the bug!.
• Send reply if you want to be official beta tester.
• This is the pack ;)
• This is the last cumulative update.
• I think all will work fine.
• Check our list and mail your requests!

Lovgate.B is detected by F-Secure Anti-Virus with database:
Version=2003-02-20_01

Variants

Lovgate.A
The main difference of the A variant is the lack of the automatic reply to messages found in the inbox. Without that, its spreading depends on the availability of writable network shares and of *.ht* files in which to find e-mail addresses. Apart from that, most of its functionality is analogous to that of the other known variants.

Lovgate.C
Lovgate.C appears to have fixed some previous problems with the e-mail spreading capabilities of the worm. It keeps the backdoor component running on the same port, 10168. The B variant dropped two different DLLs, while this one only drops one (as the A variant does). It has apparently removed the keylogging component present in the B variant.

There are no other major differences; it uses the same filenames when copying itself onto the computer. Lovgate.C is detected by F-Secure Anti-Virus with database:
Version=2003-02-24_02

Lovgate.D
This variant is more primitive than the previous ones. When infecting network shares, it doesn't try to guess passwords. And like the A variant, it only sends e-mail to addresses it finds in *.ht* files on the infected computer. Lovgate.D is detected by F-Secure Anti-Virus with database:
Version=2003-02-24_04

Lovgate.F
This variant is an improved version. It contains a longer list of passwords to try when attempting to gain access to shared resources:

"" (empty password), "123", "321", "123456", "654321", "guest", "administrator", "admin", "111111",
"666666", "888888", "abc", "abcdef", "abcdefg", "12345678", "abc123", "root", "1", "111", "1234",
"!@#$", "asdf", "asdfgh", "!@#$%", "!@#$%^", "!@#$%^&", "!@#$%^&*", "sql", "server", "passwd",
"password", "12345", "54321", "pass", "0 ", "000000", "00000000", "007", "110", "11111111", "12",
"121212", "123123", "1234567", "123456789", "123abc", "123asd", "2002", "2003", "2600", "88888888",
"a", "aaa", "abcd", "Admin", "admin123", "alpha", "computer", "database", "enable", "god",
"godblessyou", "home", "Internet", "Login", "login", "love", "mypass", "mypass123", "mypc",
"mypc123", "oracle", "owner", "Password", "pc", "pw", "pw123", "pwd", "secret", "sex", "super",
"sybase", "temp", "temp123", "test", "test123", "win", "xp", "xxx", "yxcv", "zxcv",
"Administrator", "Guest"

It maintains the same basic functionality as the previous versions, using the same SMTP server to send e-mail to its author, as well as using the default Windows mail configuration.

It drops several DLLs into the system using different names than the previous variants.

It uses the following filenames when sending e-mail through MAPI:

• "I am For u.doc.exe"
• "Britney spears nude.exe.txt.exe"
• "joke.pif"
• "DSL Modem Uncapper.rar.exe"
• "Industry Giant II.exe"
• "StarWars2 - CloneAttack.rm.scr"
• "dreamweaver MX (crack).exe"
• "Shakira.zip.exe"
• "SETUP.EXE"
• "Macromedia Flash.scr"
• "How to Crack all gamez.exe"
• "Me_nude.AVI.pif"
• "s3msong.MP3.pif"
• "Deutsch BloodPatch!.exe"
• "Sex in Office.rm.scr"
• "the hardcore game-.pif"

It uses the following filenames when copying itself to shared resources:

• "MSN Password Hacker and Stealer.exe"
• "SIMS FullDownloader.zip.exe"
• "Winrar + crack.exe"
• "Star Wars II Movie Full Downloader.exe"
• "MoviezChannelsInstaler.exe"
• "Age of empires 2 crack.exe"
• "CloneCD + crack.exe"
• "Sex_For_You_Life.JPG.pif"
• "AN-YOU-SUCK-IT.txt.pif"
• "100 free essays school.pif"
• "Mafia Trainer!!!.exe"
• "Panda Titanium Crack.zip.exe"
• "How To Hack Websites.exe"
• "The world of lovers.txt.exe"
• "autoexec.bat"
• "Are you looking for Love.doc.exe"

Lovgate.F is detected by F-Secure Anti-Virus with database:
Version=2003-03-24_03

Lovgate.G
This variant is functionally identical to Lovgate.F. Lovgate.G is detected by F-Secure Anti-Virus with database:
Version=2003-03-24_03

Lovgate.I, Lovgate.J, Lovgate.K & Lovgate.L
These new versions keep most of the functionality of the older ones, with several additions. In these versions the file-infecting component is active; that component was present in the F variant but was never activated.

The filenames used when spreading through shares, as well as the password list, are identical to the ones included in the F variant.

It drops components under the following paths:

• %winsysdir%\ily668.dll
• %winsysdir%\Task688.dll
• %winsysdir%\reg678.dll
• %winsysdir%\win32vxd.dll

The infecting part of the Lovgate worm, which was not dropped by previous variants, is dropped as:

• %windowsdir%\DRWTSN16.EXE

Where '%winsysdir%' stands for the Windows system directory and '%windowsdir%' stands for the Windows directory.

Under the registry key

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

the worm creates the following entries:

"WinGate initialize" = "%winsysdir%\WinGate.exe -remoteshell"
"Remote Procedure Call Locator" = "rundll32.exe reg678.dll ondll_reg"

and under

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

it adds an entry for the component in charge of infecting other files:

"COM+ Event System" = "DRWTSN16.EXE"

It also sets the registry key

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@ = %winsysdir%\winexe.exe "%1" %*

so the worm executes each time the user runs an executable file. This variant also tries to terminate several anti-virus processes if it finds them running on the system.
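As an added defender-side example (not part of the original description), the following Python script checks an exported registry hive (.reg text) and a win.ini file for the persistence entries described for Lovgate.B above (Run values, the txtfile handler, the win.ini Run= line) and for the exefile handler hijack used by variants I to L. The sample .reg export and win.ini contents are constructed, and the function names are mine.

```python
import re
# Names and keys below are those listed in this description; the sample data is constructed.
RUN_VALUE_NAMES = {"wingate initialize", "syshelp", "module call initialize",
                   "remote procedure call locator", "com+ event system"}
WORM_FILES = {"wingate.exe", "winrpcsrv.exe", "syshelp.exe", "winrpc.exe", "rpcsrv.exe",
              "winprc.exe", "winexe.exe", "drwtsn16.exe", "stg.exe", "ondll_reg"}
RUN_BASE = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"

def parse_reg(text):  # minimal .reg-export parser -> {key: {value_name: data}}, "@" = default
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line and line[0] in '@"':
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unquote, unescape \\ and \"
                data = re.sub(r'\\(["\\])', r'\1', data[1:-1])
            keys[current][name.strip('"').lower()] = data
    return keys

def find_persistence(reg, win_ini):  # returns human-readable findings, empty list if clean
    hits = []
    for sub in ("run", "runservices"):  # auto-start values: by known value name or worm file/export
        for name, data in reg.get(RUN_BASE + sub, {}).items():
            if name in RUN_VALUE_NAMES or any(f in data.lower() for f in WORM_FILES):
                hits.append(f"{sub}: {name} = {data}")
    clean = {"txtfile": lambda c: "notepad.exe" in c.lower(), "exefile": lambda c: c.strip() == '"%1" %*'}
    for cls, is_clean in clean.items():  # association hijacks: txtfile (variant B), exefile (I to L)
        cmd = reg.get(f"hkey_classes_root\\{cls}\\shell\\open\\command", {}).get("@", "")
        if cmd and not is_clean(cmd):
            hits.append(f"{cls} handler replaced: {cmd}")
    in_windows = False  # win.ini [windows] run=/load= lines also start programs at logon
    for line in map(str.strip, win_ini.splitlines()):
        if line.startswith("["):
            in_windows = line.lower() == "[windows]"
        elif in_windows and re.match(r"(run|load)\s*=\s*\S", line, re.I):
            hits.append(f"win.ini: {line}")
    return hits

SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"syshelp"="C:\\WINNT\\System32\\syshelp.exe"
"Module Call initialize"="rundll32.exe reg.dll ondll_reg"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINNT\\System32\\winprc.exe \"%1\""
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=rpcsrv.exe\n[Desktop]\nWallpaper=(None)\n"
print(*find_persistence(parse_reg(SAMPLE_REG), SAMPLE_WIN_INI), sep="\n")
```

On the constructed sample the untouched exefile handler is not reported, while the three Run values, the replaced txtfile handler and the win.ini Run= line are.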

Detection of Lovgate.I, Lovgate.J and Lovgate.K was published in update:
Version=2003-05-13_03

Detection of Lovgate.L was published in update:
Version=2003-05-14_01

Lovgate.M
This variant retains the functionality of the previous ones. The only changes lie in the mail composition, where messages are composed from the following elements:

Subjects are chosen from:

• Reply to this!
• Let's Laugh
• Last Update
• for you
• Great
• Help
• Attached one Gift for u..
• Hi Dear
• See the attachement

And message bodies from:

• -For further assistance, please contact!
• -Copy of your message, including all the headers is attached.
• -This is the last cumulative update.
• -Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
• -Send reply if you want to be official beta tester.
• -This message was created automatically by mail delivery software (Exim).
• -It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
• -Adult content!!! Use with parental advisory.
• -Patrick Ewing will give Knick fans something to cheer about Friday night.
• -Send me your comments...

Attachment names from:

• About_Me.txt.pif
• driver.exe
• Doom3 Preview!!!.exe
• enjoy.exe
• YOU_are_FAT!.TXT.pif
• Source.exe
• Interesting.exe
• README.TXT.pif
• images.pif
• Pics.ZIP.scr

The list of passwords, message components (subjects, bodies) and filenames used when spreading through shares are all as in Lovgate.M.

Detection of Lovgate.M was published in update:
Version=2003-06-18_03

Last update 16 June 2010
