
Win32.LovGate.C@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.LovGate.C@mm is also known as I-Worm.Supnot.C.

Explanation :

The worm arrives as an attachment to e-mail messages that look like this:

Subject (one from the list):
    Documents, Roms, Pr0n!, Evaluation copy, Help, Beta, Do not release, Last update, The Patch, Cracks
Attachment (one from the list):
    Docs.exe, Roms.exe, Sex.exe, Setup.exe, Source.exe, Pack.exe, Patch.exe
Body (one from the list):
    "Send me your comments..."
    "Test this ROM! IT ROCKS!"
    "Adult content!!! Use with parental advisory."
    "Test it 30 days for free"
    "I'm going crazy... please try to find the bug!"
    "Send reply if you want to be official beta tester."
    "This is the pack ;)"
    "This is the last cumulative update."
    "I think all will work fine."
    "Check our list and mail your requests!"
When first executed, the worm drops the DLL files iky.dll, task.dll and 1.dll from its body into the Windows System folder, then copies itself as winrpc.exe, syshelp.exe, WinRpcSrv.exe, WinGate.exe and rpcsrv.exe and runs those copies.
The DLL file uses NtQuerySystemInformation, an undocumented function exported by ntdll.dll, to get a list of running processes. From this list it takes the process ID of lsass.exe, allocates a block of memory in the address space of lsass.exe, writes a small routine there and executes it remotely with CreateRemoteThread(). The routine loads iky.dll into the address space of lsass.exe.
Then the worm enumerates local shares and copies itself to them under the file names pics.exe, images.exe, joke.exe, pspgame.exe, news_doc.exe, hamster.exe, tamagotxi.exe, searchurl.exe, setup.exe, card.exe, illgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe and fun.exe. It also tries to write itself to remote shares (into the system32 directory, as stg.exe). To do this, the worm tries to connect to the remote computer as "Administrator" using the following passwords: , <123>, <321>, <123456>, <654321>, , , , <111111>, <666666>, <888888>, , , , <12345678>, .
The worm searches *.ht* files on local drives for e-mail addresses and mails itself to them using its own SMTP engine (it connects to smtp.163.com with the user name hacker117@163.com).
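The indicators listed above (mail lures, dropped files, share copies) turned into simple matching logic, added here as an example; this is not code from BitDefender or malwarePDF. The function names, the Finding class and the sample e-mails and file paths are constructed for the demonstration:

```python
# Added example (not BitDefender's or malwarePDF's code): matching the
# LovGate.C indicators from the description above against constructed
# sample data. Function names and samples are assumptions for the demo.
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Mail-lure indicators, compared case-insensitively.
LURE_SUBJECTS = {s.lower() for s in (
    "Documents", "Roms", "Pr0n!", "Evaluation copy", "Help", "Beta",
    "Do not release", "Last update", "The Patch", "Cracks")}
LURE_ATTACHMENTS = {"docs.exe", "roms.exe", "sex.exe", "setup.exe",
                    "source.exe", "pack.exe", "patch.exe"}

# Files the worm drops, or copies itself as, on an infected host.
DROPPED_DLLS = {"iky.dll", "task.dll", "1.dll"}
WORM_COPIES = {"winrpc.exe", "syshelp.exe", "winrpcsrv.exe",
               "wingate.exe", "rpcsrv.exe"}
REMOTE_SHARE_COPY = "stg.exe"   # written into system32 on remote shares
SHARE_LURE_NAMES = {
    "pics.exe", "images.exe", "joke.exe", "pspgame.exe", "news_doc.exe",
    "hamster.exe", "tamagotxi.exe", "searchurl.exe", "setup.exe", "card.exe",
    "illgt.exe", "midsong.exe", "s3msong.exe", "docs.exe", "humor.exe",
    "fun.exe"}


@dataclass(frozen=True)
class Finding:
    item: str
    reason: str


def classify_email(subject: str, attachment_name: str) -> str:
    """'lovgate-lure' when subject and attachment both match the worm's
    lists, 'suspicious-attachment' when only the attachment does, else
    'clean'."""
    subject_hit = subject.strip().lower() in LURE_SUBJECTS
    attachment_hit = ntpath.basename(attachment_name).lower() in LURE_ATTACHMENTS
    if subject_hit and attachment_hit:
        return "lovgate-lure"
    if attachment_hit:
        return "suspicious-attachment"
    return "clean"


def scan_paths(paths: List[str]) -> List[Finding]:
    """Flag paths matching the dropped-file and share-copy names.
    Share-lure names such as setup.exe are common legitimate file names,
    so they are only flagged on UNC paths (the shares the worm writes to)."""
    findings: List[Finding] = []
    for path in paths:
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        is_unc = path.startswith("\\\\")
        if name in DROPPED_DLLS:
            findings.append(Finding(path, "dropped DLL"))
        elif name in WORM_COPIES:
            findings.append(Finding(path, "worm self-copy name"))
        elif name == REMOTE_SHARE_COPY and parent.endswith("system32"):
            findings.append(Finding(path, "remote-share copy in system32"))
        elif is_unc and name in SHARE_LURE_NAMES:
            findings.append(Finding(path, "share copy with lure name"))
    return findings


# Constructed sample data (not real captures).
SAMPLE_EMAILS: List[Tuple[str, str]] = [
    ("Roms", "Roms.exe"),
    ("Invoice", "invoice.pdf"),
    ("Hello", "Setup.exe"),
]
SAMPLE_PATHS: List[str] = [
    r"C:\WINNT\System32\iky.dll",
    r"C:\WINNT\System32\WinRpcSrv.exe",
    r"\\FILESRV\public\pspgame.exe",
    r"C:\Program Files\App\setup.exe",
    r"\\FILESRV\C$\WINNT\system32\stg.exe",
]


def run_demo() -> Tuple[List[str], List[Finding]]:
    """Classify the sample e-mails and scan the sample paths."""
    verdicts = [classify_email(s, a) for s, a in SAMPLE_EMAILS]
    return verdicts, scan_paths(SAMPLE_PATHS)


if __name__ == "__main__":
    verdicts, findings = run_demo()
    for (subject, attachment), verdict in zip(SAMPLE_EMAILS, verdicts):
        print(f"{subject!r} / {attachment!r}: {verdict}")
    for f in findings:
        print(f"{f.item}: {f.reason}")
```

The subject-plus-attachment rule is the high-confidence signal; an attachment name alone, or a share-lure name on a local disk, is deliberately treated as weaker because several of those names are ordinary installer names.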

Last update 21 November 2011

