Win32.LovGate.F@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases :
Win32.LovGate.F@mm is also known as I-Worm.Supnot.F.
Explanation :
This variant is very similar in behaviour to Win32.LovGate.C.
It is a more evolved variant that adds new features and enhances
existing ones. Only the differences from the previous version
are described here.
The main feature added by this version is a component that logs mouse movements and keystrokes; BitDefender also detects this component as "Win32.LovGate.F". When the worm detects that the user has entered a password, it sends an email through a second SMTP engine. The message looks like this:
From : ""
Subject : "333www"
Content : a combination of user/password or the string "not find pass!".
The worm arrives as an attachment to email messages that look like this:
Subject: one from the list : Reply to this!, Let's Laugh, Last Update, For You, Great, Help, Attached one gift for u..., Hi Dear, Hi, See the attachement.
Attachment: one from the list : About_me.txt.pif, driver.exe, Doom3 Preview!!!.exe, enjoy.exe, YOU_are_FAT!.TXT.pif, Source.exe, nteresting.exe, readme.txt.pif, images.pif, Pics.ZIP.scr
Body: "For further assistance, please contact!",
"Copy of your message, including all the headers is attached.",
"This is the last cumulative update.",
"Tiger Woods had two eagles Friday during his victory
over Stephen Leaney. (AP Photo/Denis Poroy)",
"Send reply if you want to be official beta tester.",
"This message was created automatically by mail delivery
software (Exim).",
"It's the long-awaited film version of the Broadway hit. Set
in the roaring 20's, this is the story of Chicago chorus girl
Roxie Hart (Zellweger), who shoots her unfaithful lover (West).",
"Adult content!!! Use with parental advisory.",
"Patrick Ewing will give Knick fans something to cheer about Friday night.",
"Send me your comments..."
The worm then enumerates local shares and copies itself to them under the following filenames: 100 free essays school.pif, Age of empires 2 crack.exe, AN-YOU-SUCK-IT.txt.pif, Are you looking for Love.doc.exe, autoexec.bat, CloneCD + crack.exe, How To Hack Websites.exe, Mafia Trainer!!!.exe, MoviezChannelsInstaler.exe, MSN Password Hacker and Stealer.exe, Panda Titanium Crack.zip.exe, Sex_For_You_Life.JPG.pif, SIMS FullDownloader.zip.exe, Star Wars II Movie Full Downloader.exe, The world of lovers.txt.exe, Winrar + crack.exe.
The password list has also changed in this version. To access remote shares, the worm tries to brute-force the password using the following words:
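A defensive filter for the naming pattern in the attachment and share-copy lists above, as an added example that is not part of the original write-up: it flags names that match entries from this page or that hide an executable extension behind a document-style one. The extension sets, the function names and the sample listing (including the `fs01` share) are assumptions made for the illustration.

```python
import ntpath

# Extensions Windows executes on double-click; the worm uses .exe, .pif, .scr, .bat.
EXEC_EXTS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd"}
# Document-style inner extensions used as a decoy (assumed set, extend as needed).
DECOY_EXTS = {".txt", ".doc", ".zip", ".jpg", ".jpeg", ".gif", ".pdf"}
# Exact names taken from the attachment and share lists on this page.
KNOWN_NAMES = {n.lower() for n in (
    "About_me.txt.pif", "driver.exe", "enjoy.exe", "Source.exe", "images.pif",
    "Pics.ZIP.scr", "CloneCD + crack.exe", "Winrar + crack.exe",
)}

def classify(path):
    """Return 'known-name', 'double-extension', 'executable' or None."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    name = ntpath.basename(path).rstrip(". ").lower()
    if name in KNOWN_NAMES:
        return "known-name"
    stem, ext = ntpath.splitext(name)
    if ext not in EXEC_EXTS:
        return None
    if ntpath.splitext(stem)[1] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan(paths):
    """Map each flagged path to the reason it was flagged."""
    return {p: reason for p in paths if (reason := classify(p))}

# Constructed sample: a share listing mixing benign files and worm-style names.
SAMPLE = [
    r"\\fs01\public\Quarterly report.doc",
    r"\\fs01\public\Panda Titanium Crack.zip.exe",
    r"\\fs01\public\Sex_For_You_Life.JPG.pif",
    r"\\fs01\public\WINRAR + CRACK.EXE",
    r"\\fs01\public\autoexec.bat",
    r"\\fs01\public\notes.txt",
    r"\\fs01\public\readme.txt.pif. ",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE).items():
        print(f"{reason:17} {path}")
```

The same `classify` function can be applied to attachment names at a mail gateway; the plain `executable` result is the weakest signal and is best treated as a policy decision rather than a detection.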
0
1
7
12
110
111
123
321
1234
2002
2003
2600
12345
54321
111111
121212
123123
123456
654321
666666
888888
1234567
11111111
12345678
88888888
123456789
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
123abc
123asd
a
aaa
abc
abc123
abcd
abcdef
abcdefg
Admin
admin
admin123
administrator
alpha
asdf
asdfgh
computer
database
enable
god
godblessyou
guest
home
Internet
login
Login
love
mypass
mypass123
mypc
mypc123
oracle
owner
pass
passwd
Password
password
pc
pw
pw123
pwd
root
secret
server
sex
sql
super
sybase
temp
temp123
test
test123
win
xp
xxx
yxcv
zxcv
Last update 21 November 2011