
Win32.Lovgate.W@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Lovgate.W@mm is also known as Email-Worm.Win32.LovGate.y (Kaspersky).

Explanation :

The worm arrives by e-mail, network shares or P2P networks (such as Kazaa).

The e-mail Subject is one of the following:

Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi

The e-mail Text can be a reply to an existing message, or can be the following:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

The e-mail Attachment is the worm with one of the following file names:

Britney spears nude.exe.txt.exe
DSL Modem Uncapper.rar.exe
Deutsch BloodPatch!.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
Macromedia Flash.scr
Me_nude.AVI.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
joke.pif
s3msong.MP3.pif
the hardcore game-.pif

On P2P networks (in the download folder) or network shares (using the Windows/Media shared folder) the worm appears with one of the following file names:

256MFX5600.txt.pif
AMD 2600 test.zip.exe
Backup Made Simple 5.1.58 crack.exe
CD-Cover Editor 2.6.exe
GBA-Shell.exe
NTDETECT.COM
Norton Antivirus crack.exe
PC-Cillin readme.txt.exe
Prescott.scr
ReadMe.exe
SetUp.exe
Zealot All Video Splitter 1.1.9.zip.exe
Zealot.exe
command.com
install.exe
picture.JPG.pif


The worm installs itself by performing the following actions:

It copies the worm's main executable (97 KB) and a worm component (53 KB) to the Windows/System32 folder under the following file names:
RAVMOND.exe
kernel66.dll (hidden)
IEXPLORE.EXE
MSSIGN30.DLL
msjdbc1.dll
ODBC16.dll
Lmmib20.dll
It also copies itself to the Windows folder as SYSTRA.EXE and to the root of every drive as COMMAND.EXE, creating an AUTORUN.INF there so that the copy runs whenever the Autorun feature is enabled.

It creates a service named Windows Management Protocol v.0 (experimental) that runs the worm component: rundll32.exe msjdbc11.dll ondll_server

It creates two or more entries in the Windows registry so that it runs at each Windows startup:
HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Program In Windows
with the value:
Windows/System32/IEXPLORE.EXE or one of the other copies.

It may also create an entry under
HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Protected Storage or VFW Encoder/Decoder Settings
that uses rundll32.exe to load a copy of its component, for instance:
RUNDLL32.EXE MSSIGN30.DLL ondll_reg

It starts a backdoor component that listens for commands on port 6000.

The worm attempts to terminate some antivirus/firewall applications.
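The following host-triage script is an added example and is not part of the BitDefender advisory; it checks one Windows host for the artifacts described above. It assumes the advisory's "Windows/System32" is `$env:SystemRoot\System32`, that the port-6000 listener is TCP, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added host-triage example, not part of the BitDefender advisory. Assumptions:
# System32 is $env:SystemRoot\System32, the port-6000 listener is TCP, and
# Get-NetTCPConnection exists (Windows 8 / Server 2012 or later).
$findings = @()
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Dropped copies named in the advisory (it spells the JDBC component both
#    msjdbc1.dll and msjdbc11.dll, so both are checked). Test-Path also finds
#    files carrying the hidden attribute, such as kernel66.dll.
$dropped = 'RAVMOND.exe','kernel66.dll','IEXPLORE.EXE','MSSIGN30.DLL',
           'msjdbc1.dll','msjdbc11.dll','ODBC16.dll','Lmmib20.dll'
foreach ($n in $dropped) {
    $p = Join-Path $sys32 $n
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
if (Test-Path -LiteralPath (Join-Path $env:SystemRoot 'SYSTRA.EXE')) {
    $findings += "File present: $env:SystemRoot\SYSTRA.EXE"
}
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($n in 'COMMAND.EXE','AUTORUN.INF') {
        $p = Join-Path $d.Root $n
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 2. Run-key value names the advisory lists for startup persistence.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in 'Program In Windows','Protected Storage','VFW Encoder/Decoder Settings') {
    if ($run -and $run.PSObject.Properties[$v]) {
        $findings += "Run value '$v' = $($run.$v)"
    }
}

# 3. The service, matched on its name and on the rundll32 ondll_server /
#    ondll_reg invocation the advisory shows.
$svcs = Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Windows Management Protocol*' -or
                   $_.Name -like 'Windows Management Protocol*' -or
                   $_.PathName -match 'ondll_(server|reg)' }
foreach ($s in $svcs) { $findings += "Service '$($s.Name)': $($s.PathName)" }

# 4. The backdoor listener on port 6000.
$conns = Get-NetTCPConnection -LocalPort 6000 -State Listen -ErrorAction SilentlyContinue
foreach ($c in $conns) { $findings += "Port 6000 listening, owning PID $($c.OwningProcess)" }

if ($findings.Count -eq 0) { Write-Output 'No Lovgate.W artifacts found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Run it from an elevated prompt so the HKLM Run key, System32 and the service list are fully readable; a hit on any single item is a reason to pull the file or process for analysis rather than proof of infection on its own.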

Last update 21 November 2011
