
Win32.Lovgate.O@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Lovgate.O@mm is also known as I-Worm.Lovgate.n (KAV).

Explanation:

The worm arrives by e-mail in a message built from the following parts:

Subject (one of):
"Documents", "Roms", "Pr0n!", "Evaluation copy", "Help", "Beta", "Do not release", "Last Update", "The patch", "Cracks!"

Attachment (one of):
PICS.EXE, IMAGES.EXE, JOKE.EXE, PSPGAME.EXE, NEWS_DOC.EXE, HAMSTER.EXE, TAMAGOTXI.EXE, SEARCHURL.EXE, SETUP.EXE, CARD.EXE, BILLGT.EXE, MIDSONG.EXE, S3MSONG.EXE, DOCS.EXE, HUMOR.EXE, FUN.EXE

Body text (one of):
"Send me your comments...", "Test this ROM! IT ROCKS!.", "Adult content!!! Use with parental advisory.", "Test it 30 days for free.", "I'm going crazy... please try to find the bug!", "Send reply if you want to be official beta tester.", "This is the pack ;)", "This is the last cumulative update.", "I think all will work fine.", "Check our list and mail your requests!"

The worm scans *.ht* files (*.html, *.htm, *.htt, etc.) in the current directory, the Windows directory and the special shell folders (Desktop, Start Menu, My Documents, etc.), harvests the e-mail addresses found there, and mails itself to them using its own SMTP engine.

To run every time Windows starts, it copies itself to the System directory under the following names:
WINRPCSRV.EXE SYSHELP.EXE WINRPC.EXE WINGATE.EXE RPCSRV.EXE
and creates the registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\syshelp
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Wingate Initialize
each holding the path to one of the worm's copies.

On Windows 95/98/Me it also sets the run= value in the [windows] section of WIN.INI to the path of its executable. On Windows NT/2000/XP/2003 it instead installs a service named "Window Remote Service" whose image path points to its executable.

The worm also hijacks the .txt file association, so that opening any text file launches the worm, by overwriting the registry value:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

It also has backdoor behaviour, listening for commands on ports 10168 and 20168.
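The host artifacts listed above (the Run values, the .txt handler and the backdoor ports) can be triaged offline from a .reg export and `netstat -ano` output. The following script is an added example and not part of the BitDefender write-up: the indicator names are the ones given on this page, while the sample inputs are constructed, the backdoor ports are assumed to be TCP (the write-up only says "ports"), and notepad.exe is assumed to be the only expected .txt handler. The WIN.INI entry and the "Window Remote Service" are not checked here.

```python
"""Offline triage for the Lovgate.O host artifacts described above:
Run-key persistence, the hijacked .txt handler and the backdoor listeners.
Works on text exported from the host, so it runs from a clean analysis box."""

import re

# Indicators taken from the write-up.  Registry names are compared
# case-insensitively, as Windows itself treats them.
DROPPED_FILES = {"winrpcsrv.exe", "syshelp.exe", "winrpc.exe", "wingate.exe", "rpcsrv.exe"}
RUN_VALUE_NAMES = {"syshelp", "wingate initialize"}
BACKDOOR_PORTS = {10168, 20168}          # assumed TCP; the write-up only says "ports"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXT_CMD_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"


def parse_reg_export(text):
    """Parse the textual .reg format into {key: {value_name: data}}.
    Only quoted REG_SZ data is kept, which is all these indicators need;
    the escapes used inside the quotes (doubled backslashes, escaped quotes)
    are undone so data reads as the registry stores it."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def _exe_name(command):
    """Lower-cased file name of the program in a command line, quoted or not."""
    command = command.strip()
    if not command:
        return ""
    exe = command[1:].split('"', 1)[0] if command[0] == '"' else command.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def check_registry(reg_text):
    """Return (key, value_name, data, reason) tuples for suspicious entries."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() in RUN_VALUE_NAMES or _exe_name(data) in DROPPED_FILES:
            findings.append((RUN_KEY, name, data, "Lovgate Run-key persistence"))
    cmd = keys.get(TXT_CMD_KEY.lower(), {}).get("(Default)")
    if cmd is not None:
        exe = _exe_name(cmd)
        if exe in DROPPED_FILES:
            findings.append((TXT_CMD_KEY, "(Default)", cmd, "Lovgate .txt handler hijack"))
        elif exe != "notepad.exe":   # another editor may legitimately own .txt
            findings.append((TXT_CMD_KEY, "(Default)", cmd, "non-default .txt handler, review"))
    return findings


def check_listeners(netstat_text):
    """Return (port, pid) for LISTENING TCP sockets on the backdoor ports,
    parsed from `netstat -ano` output (UDP lines have no state column)."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                hits.append((port, int(parts[4])))
    return hits


# Constructed sample inputs: a .reg export of the two keys and a netstat listing
# from a host carrying the worm's artifacts next to ordinary entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"syshelp"="C:\\WINDOWS\\System32\\syshelp.exe"
"Wingate Initialize"="C:\\WINDOWS\\System32\\WinGate.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\System32\\winrpc.exe \"%1\""
'''

SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING       1640
  TCP    0.0.0.0:20168          0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.20:49712     93.184.216.34:443      ESTABLISHED     3216
  UDP    0.0.0.0:123            *:*                                    1104
"""

if __name__ == "__main__":
    for key, name, data, reason in check_registry(SAMPLE_REG):
        print(f"[{reason}] {key}\\{name} = {data}")
    for port, pid in check_listeners(SAMPLE_NETSTAT):
        print(f"[backdoor listener] TCP port {port} held by PID {pid}")
```

On a live host the inputs come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, `reg export "HKCR\txtfile\shell\open\command" txt.reg` and `netstat -ano > netstat.txt`; reg.exe writes UTF-16, so open the .reg files with `encoding="utf-16"` before passing their text in. The PID reported for the listening ports is the process to look at next, since the worm's copy may be running under any of the dropped names.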

Last update 21 November 2011
