Win32.LovGate.G/H/J/K@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.LovGate.G/H/J/K@mm is also known as I-Worm.Supnot.
Explanation:
These are new variants of the Win32.LovGate worm. These versions share functionality and code with the previous versions, but have many new features:
1) Termination of antivirus processes. The worm enumerates all running programs and checks their names against the following list:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising
If a process name matches, the process is terminated.
2) It makes copies of itself with a random name and a double extension in a temporary directory and shares them under the name GAME. All the files have the .exe extension, but some systems do not display it; instead, a fake extension is shown: .txt, .jpg, .mp3, .htm, .avi, .doc, .gif, .dat.
3) It tries to hook file execution by overwriting the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command. When a file is executed, the worm gets control and proceeds to infect it.
4) This version of the worm is a fast infector: it drops the file Drwtsn16.exe into the Windows directory and spawns it. The spawned process infects executable files using the FindFirst/FindNext technique.
5) The infection technique is classic, at least for high-level language programs: a special temporary file is created, and then a loader, the original file and the worm itself are written to it. If the infection process completes successfully, the worm deletes the original file and replaces it with the infected one.
6) The worm looks for files matching .ht[wildcard] and searches them for email addresses. It then forges an email message that looks like a reply and attaches a copy of itself under one of the following names:
I am For u.doc.exe,
Britney spears nude.exe.txt.exe,
joke.pif,
DSL Modem Uncapper.rar.exe,
Industry Giant II.exe,
StarWars2 - CloneAttack.rm.scr,
dreamweaver MX (crack).exe,
Shakira.zip.exe,
SETUP.EXE,
Macromedia Flash.scr,
How to Crack all gamez.exe,
Me_nude.AVI.pif,
s3msong.MP3.pif,
Deutsch BloodPatch!.exe,
Sex in Office.rm.scr,
the hardcore game-.pif
7) It finds email addresses in the user's Inbox folder, and the infected mails sent to those addresses contain the following short poem:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... more look to the attachment.
Last update 21 November 2011
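Two host-side checks for the behaviours in items 2 and 3 above (disguised double-extension files and the hijacked exefile open command), written as an added example and not taken from the BitDefender write-up. The decoy-extension check generalises the page's .txt/.jpg/... list to any non-executable extension placed in front of .exe, .scr or .pif; the stock `"%1" %*` command value and the `read_exefile_command` helper are assumptions about a standard Windows install.

```python
from pathlib import PureWindowsPath

# Executable extensions the worm hides behind a harmless-looking one
# (.exe from the text, .scr and .pif from its attachment names).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif"}

# Assumed stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command:
# run the file and pass its arguments through.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'


def is_disguised_executable(filename: str) -> bool:
    """True for 'name.<decoy>.<exe|scr|pif>': an executable whose visible
    extension looks like a document or media file. Any non-executable
    decoy counts, not only the .txt/.jpg/... list from the write-up."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTENSIONS
            and suffixes[-2] not in EXECUTABLE_EXTENSIONS)


def exefile_hook_is_hijacked(command_value: str) -> bool:
    """True when the exefile open command is anything but the stock '"%1" %*'.
    A worm that hooks execution puts its own path first, so "%1" no longer
    leads the command; any other prefix should be reviewed too."""
    return command_value.strip() != EXPECTED_EXEFILE_COMMAND


def read_exefile_command():
    """Read the live (Default) value on Windows; returns None elsewhere so the
    pure checks above can still be run offline on collected registry exports."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                        r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
    return value


if __name__ == "__main__":
    # Constructed sample: attachment names from the write-up plus a normal document.
    for name in ["I am For u.doc.exe", "Me_nude.AVI.pif", "report.doc", "SETUP.EXE"]:
        print(f"{name!r:28} disguised={is_disguised_executable(name)}")
    live = read_exefile_command()
    if live is not None:
        print("exefile hook hijacked:", exefile_hook_is_hijacked(live))
```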