FRISK Software International


Summary of W32/Lovelorn@mm
Alias: Cailont, Nolor
Length: 101.888 bytes
Discovered: 29 Apr 2003
Definition files: 30 Apr 2003
Risk Level: Low
Distribution: Low
Infection Method: Spreads through e-mails containing infected attachments
Payload: Can leak sensitive information such as user logins/passwords; disables Windows File Protection

Brief Description
Lovelorn.A@mm is a mass-mailing worm. It tries to gather private information, such as user login/password exchanges, and send it to a remote address. It drops the following files into the system directory:

netdll.dll
setup.htm     HTML file containing the worm's body in hex, along with a script for extraction.
Netsn.dll       Contains a Base64-encoded copy of the worm
Bsbk.dll
kernel32.exe
serscg.dll
explorer.exe


The worm adds an autorun key to the registry.
Under Windows NT/2000/XP it creates the following key:
[HKEY_USERS\{USER_ID}\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="%systemdir%\explorer.exe"
Under Windows 9x the following key is created:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="%systemdir%\explorer.exe"


Lovelorn.A@mm searches the c:\ drive for any file with an .eml or .dbx extension whose name contains the word "item" or "box". It also searches for files with a .htm extension.
Starting from c:\*.*, the worm searches each file and subdirectory it finds. If the d: and e: drives are present, the worm runs the same routine on d:\*.* and e:\*.*

The worm's SMTP routine lets it connect to external SMTP servers and send e-mail through them. Once it has connected to an SMTP server, it sends an infected e-mail to the address it is currently processing. Typical e-mails sent by the Lovelorn.A@mm worm look like those below:

From: "lovelorn" lovelorn@yahoo.com
To: E-mail address
Subject: Re: Get Password mail...
Reply-To: Lovelorn@yahoo.com
Body: Read File attach.
Attachment: Lovelorn.Kiss.ok.exe


From: "lovelorn" lovelorn@yahoo.com
To: E-mail address
Subject: There're some Passwords here
Reply-To: lovelorn@yahoo.com
Body: Enjoy
Attachment: lovelorn.htm


The worm uses two other fake "From:" addresses, "thuyquyen@yahoo.com" and "love_lorn@yahoo.com".
The attachments sent by Lovelorn.A@mm are either an executable copy of the virus (with an .exe extension) or an HTML dropper (with an .htm extension).


Technical Description
Lovelorn.A@mm is a mass-mailing worm with a size of 101.888 bytes. The worm at times appends extra data to the end of its body, so the size varies between 101.888 and 103.509 bytes.

On initial startup the worm runs a function which, depending on the system date, chooses a couple of subjects and bodies to use when it attempts to send out infected e-mails. It also decodes the addresses of external mail servers, as well as the e-mail address to which information gathered from the infected computer is later sent.

On 2000/XP systems, it disables "Windows File Protection" (WFP) as a precaution, given the nature of its actions. The worm does this by changing the following registry value:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
from 00000000 to FFFFFF9D

Lovelorn compares the names of running processes to that of an anti-virus product from Vietnam. If the worm detects that software running in memory, it tries to terminate it.

The worm then retrieves the system directory of the infected computer and drops the following files to that location:
%systemdir%\netdll.dll
%systemdir%\setup.htm     HTML file containing the worm's body in hex, along with a script for extraction.
%systemdir%\Netsn.dll       Contains a Base64-encoded copy of the worm
%systemdir%\Bsbk.dll
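Both carrier files described above hold an encoded copy of the worm: setup.htm stores the body as hex next to an extraction script, and Netsn.dll holds a Base64 copy. A scanner can decode long hex or Base64 runs in a file and check whether the result starts like a PE image. The following is an added example, not FRISK's code and not taken from the worm: the "executable" it embeds is a constructed stub (an MZ signature followed by the standard DOS-stub text, not a real program), and the HTML and Base64 carriers are constructed to mimic the layout described, since the real files are not shown on this page.

```python
"""Detect an encoded PE image hidden in a text carrier, as setup.htm (hex
plus an extraction script) and Netsn.dll (Base64) do for Lovelorn.A@mm.
Added example, not FRISK's code; the carriers and the embedded 'executable'
are constructed stand-ins, since the real files are not shown on the page."""
import base64
import binascii
import re

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
# Runs of at least 64 hex byte pairs (optionally separated by spaces, commas
# or line breaks) and of at least 88 Base64 characters.
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}[\s,]*){64,}")
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{88,}")


def looks_like_pe(blob):
    """Cheap PE test: MZ signature and the usual DOS-stub message near the start."""
    return blob[:2] == b"MZ" and DOS_STUB_TEXT in blob[:512]


def find_encoded_pe(data):
    """Return (encoding, offset, decoded_length) for every hex or Base64 run
    in `data` that decodes to something starting like a PE image."""
    hits = []
    for m in HEX_RUN.finditer(data):
        raw = re.sub(rb"[\s,]", b"", m.group(0))
        try:
            blob = binascii.unhexlify(raw)
        except binascii.Error:
            continue
        if looks_like_pe(blob):
            hits.append(("hex", m.start(), len(blob)))
    for m in B64_RUN.finditer(data):
        raw = re.sub(rb"\s", b"", m.group(0))
        raw += b"=" * (-len(raw) % 4)          # repair missing padding
        try:
            blob = base64.b64decode(raw, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(blob):
            hits.append(("base64", m.start(), len(blob)))
    return hits


# Constructed stand-in for an executable: MZ signature, DOS-stub text, zero padding.
FAKE_PE = b"MZ" + bytes(62) + DOS_STUB_TEXT + bytes(64)
# Constructed carrier shaped like setup.htm: the image as a hex string in a script.
HTM_CARRIER = (b"<html><body><script>var d='" + binascii.hexlify(FAKE_PE)
               + b"';/* extraction code would follow */</script></body></html>")
# Constructed carrier shaped like Netsn.dll: a Base64 copy after a short preamble.
B64_CARRIER = b"-- carrier header --\r\n" + base64.encodebytes(FAKE_PE)
CLEAN_HTML = b"<html><body>Nothing encoded here, just a greeting page.</body></html>"

if __name__ == "__main__":
    for name, carrier in (("setup.htm-like", HTM_CARRIER),
                          ("Netsn.dll-like", B64_CARRIER),
                          ("clean page", CLEAN_HTML)):
        print(name, find_encoded_pe(carrier))
```

The Base64 pass only decodes a run as it is found, so a Base64 blob that abuts other alphanumeric text (a preceding word with no separator) decodes to garbage and is missed; a production scanner would also try the run at each of the four alignment offsets or anchor on the "TVq" prefix that Base64-encoded MZ headers start with.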

The worm then copies netdll.dll within the same system directory under the names:

%systemdir%\kernel32.exe
%systemdir%\serscg.dll
%systemdir%\explorer.exe

The worm tries to retrieve the icon of the Windows "explorer.exe" and, if successful, gives its own "explorer.exe" that same icon. The same applies to the kernel32.exe copy, which the worm tries to give the icon of rundll32.exe.

Lovelorn.A@mm executes a routine intended to gather possible logins to the yahoo.com domain from the infected computer. The worm examines each entry cached by previous web browsing and compares it against a couple of strings that match the login procedure of the yahoo.com domain. If it finds a match, that entry is stored and later sent to a remote address along with the other data the worm gathers.


To ensure that it runs each time a user logs in to the infected computer, the worm creates a Run value in the registry that points to its own explorer.exe:

Under Windows NT/2000/XP it creates the following key:
[HKEY_USERS\{USER_ID}\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="%systemdir%\explorer.exe"

Under Windows 9x the following key is created:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer"="%systemdir%\explorer.exe"
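The Run value, the SFCDisable change and the dropped file names above are the host-side indicators an incident responder would check first. The following is an added example, not FRISK's code: it works on a snapshot of registry values and existing file paths supplied by the caller, so it runs offline. The two snapshots in the block are constructed (the SID is made up), and building a real snapshot with winreg and os.path on a live Windows host is left to the caller. It assumes that the genuine Explorer shell is not launched from a Run value and does not live in the system directory.

```python
"""Host-side check for the Lovelorn.A@mm indicators in this description:
the 'explorer' Run value, the SFCDisable change and the dropped files.
Added example, not FRISK's code. It inspects a caller-supplied snapshot
(registry values and existing file paths) so it runs offline; collecting
the snapshot from a live host with winreg/os.path is left to the caller."""
import ntpath

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
# File names the description says are dropped into the system directory,
# plus the mssys.dll recipient log.
DROPPED_FILES = {"netdll.dll", "setup.htm", "netsn.dll", "bsbk.dll",
                 "kernel32.exe", "serscg.dll", "explorer.exe", "mssys.dll"}


def check_run_values(key, values, systemdir):
    """Flag a Run value named 'explorer' that launches explorer.exe from
    %systemdir%. Assumption: the real shell is not started from a Run
    value and does not live in the system directory."""
    hits = []
    for name, data in values.items():
        target = str(data).strip('"')
        if (name.lower() == "explorer"
                and ntpath.basename(target).lower() == "explorer.exe"
                and ntpath.dirname(target).lower() == systemdir.lower()):
            hits.append(f"{key}\\{name} = {target}")
    return hits


def check_sfc_disable(values):
    """SFCDisable is 0 on an untouched 2000/XP system; the worm writes
    FFFFFF9D. Returns the non-zero value, or None if WFP is still on."""
    value = int(values.get("SFCDisable", 0))
    return value if value != 0 else None


def check_dropped_files(paths, systemdir):
    """Return the dropped-file names that exist in the system directory."""
    found = set()
    for path in paths:
        if (ntpath.dirname(path).lower() == systemdir.lower()
                and ntpath.basename(path).lower() in DROPPED_FILES):
            found.add(ntpath.basename(path).lower())
    return sorted(found)


def scan(snapshot):
    """Combine the three checks over one host snapshot."""
    systemdir = snapshot["systemdir"]
    run_hits, sfc = [], None
    for key, values in snapshot["registry"].items():
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIX):
            run_hits += check_run_values(key, values, systemdir)
        elif k.endswith(WINLOGON_SUFFIX):
            sfc = check_sfc_disable(values)
    files = check_dropped_files(snapshot["files"], systemdir)
    return {"run_values": run_hits, "sfc_disable": sfc, "dropped_files": files,
            "suspicious": bool(run_hits or sfc is not None or files)}


# Constructed snapshot of an infected XP host (SID and paths are made up).
INFECTED = {
    "systemdir": r"C:\WINDOWS\system32",
    "registry": {
        r"HKEY_USERS\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run": {
            "explorer": r"C:\WINDOWS\system32\explorer.exe",
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",   # benign entry
        },
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
            "SFCDisable": 0xFFFFFF9D,
        },
    },
    "files": [r"C:\WINDOWS\system32\netdll.dll", r"C:\WINDOWS\system32\explorer.exe",
              r"C:\WINDOWS\system32\kernel32.dll", r"C:\WINDOWS\explorer.exe"],
}
# Constructed snapshot of a clean host.
CLEAN = {
    "systemdir": r"C:\WINDOWS\system32",
    "registry": {
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
            "SFCDisable": 0},
    },
    "files": [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\kernel32.dll"],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, scan(snap))
```

A non-zero SFCDisable on its own is reported as suspicious rather than as proof of infection, since an administrator can also set it; the combination with the Run value and the dropped files is what ties the host to this worm.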


Before starting its search routine, the worm executes the kernel32.exe copy and leaves it running in memory. While resident, it attempts to capture information such as the user's login/password exchanges from certain programs. Lovelorn.A@mm targets a couple of programs for this routine: Microsoft Outlook and Outlook Express, the NetCaptor web browser, mIRC, AOL Instant Messenger and Yahoo's Ypager.
The worm monitors the floppy drive for an on-access event; when one is detected, the worm copies itself to the floppy under the name "NQH_Kiss_you.exe", overwriting the file if it is already present. This routine is buggy and may not work on Windows 9x based systems.

Lovelorn.A@mm searches the c:\ drive for any file with an .eml or .dbx extension whose name contains the word "item" or "box". It also searches for files with a .htm extension. The worm scans the root directory of the hard drive (c:\*.*) as well as all subdirectories. If the d: and e: drives are present, the worm searches them in the same manner. Once the worm locates a file matching these requirements, it runs a naive string-comparison function that tries to isolate any e-mail address the file contains. As soon as an e-mail address is found, the worm attempts to send an infected message to that address.

The worm's SMTP routine lets it connect to external SMTP servers and send e-mail through them. Once it has connected to an SMTP server, it sends an infected e-mail to the address it is currently processing. Typical e-mails sent by the Lovelorn.A@mm worm look like those below:

From: "lovelorn" lovelorn@yahoo.com
To: E-mail address
Subject: Re: Get Password mail...
Reply-To: Lovelorn@yahoo.com
Body: Read File attach.
Attachment: Lovelorn.Kiss.ok.exe


From: "lovelorn" lovelorn@yahoo.com
To: E-mail address
Subject: There're some Passwords here
Reply-To: lovelorn@yahoo.com
Body: Enjoy
Attachment: lovelorn.htm


Other strings used either as the e-mail subject or body are:
"Help..."
"Re:baby!your friend send this file to you !"
"HELP??-"
"Enjoy"
"Read File attach"
"Re:Get Password mail..."
"run File Attach to extract:BinladenSexy.jpg"
"Enjoy! BINLADEN:SEXY..."
"Re:Binladen_Sexy.jpg"
"The SExy story and 4 sexy picture of BINLADEN !"
"Souvenir for you from file attach..."
"See the Greeting-card"
"Re:I Love You...OKE!"
"A Greeting-card for you ."
"Read file attach"
"I like Sexy with you."
"Re:Kiss you.. ^@^"
"Guide to fuck ..."
"Play the game from file attach"
"Help."
"Re:Baby! 2000USD,Win this game..."

The worm uses two other fake "From:" addresses, "thuyquyen@yahoo.com" and "love_lorn@yahoo.com".
The attachments sent by Lovelorn.A@mm are either an executable copy of the virus (with an .exe extension) or an HTML dropper (with an .htm extension).
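The sender addresses, subject and body strings and attachment names listed above are enough for a mail-gateway rule. The following added example (not FRISK's code) parses messages with Python's email module and reports which of those indicators matched. The two messages in the block are constructed, and the attachment body is a placeholder, not worm code; the string comparison ignores case, whitespace and trailing dots so that the spelling variants of one string quoted in the description compare equal.

```python
"""Mail-gateway matcher for Lovelorn.A@mm messages, built from the sender
addresses, subject/body strings and attachment names in the description.
Added example, not FRISK's code; the sample messages are constructed."""
import email
import re
from email import policy

KNOWN_ADDRESSES = {"lovelorn@yahoo.com", "thuyquyen@yahoo.com", "love_lorn@yahoo.com"}
KNOWN_ATTACHMENTS = {"lovelorn.kiss.ok.exe", "lovelorn.htm", "nqh_kiss_you.exe"}
# Subject/body strings quoted in the description.
KNOWN_STRINGS = (
    "Re: Get Password mail...", "There're some Passwords here", "Enjoy",
    "Read File attach.", "Help...", "Re:baby!your friend send this file to you !",
    "HELP??-", "run File Attach to extract:BinladenSexy.jpg",
    "Enjoy! BINLADEN:SEXY...", "Re:Binladen_Sexy.jpg",
    "The SExy story and 4 sexy picture of BINLADEN !",
    "Souvenir for you from file attach...", "See the Greeting-card",
    "Re:I Love You...OKE!", "A Greeting-card for you .", "I like Sexy with you.",
    "Re:Kiss you.. ^@^", "Guide to fuck ...", "Play the game from file attach",
    "Help.", "Re:Baby! 2000USD,Win this game...",
)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize(text):
    """Lower-case, drop whitespace and trailing dots so the minor spelling
    variants of the same string in the description compare equal."""
    return re.sub(r"\s+", "", text.lower()).rstrip(".")


NORMALIZED_STRINGS = {normalize(s) for s in KNOWN_STRINGS}


def classify(raw_message):
    """Return the list of (indicator, value) pairs found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    senders = set()
    for header in ("From", "Reply-To"):
        senders.update(a.lower() for a in ADDR_RE.findall(str(msg.get(header, ""))))
    for addr in sorted(senders & KNOWN_ADDRESSES):
        reasons.append(("sender", addr))
    subject = str(msg.get("Subject", ""))
    if normalize(subject) in NORMALIZED_STRINGS:
        reasons.append(("subject", subject))
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() in KNOWN_ATTACHMENTS:
            reasons.append(("attachment", filename))
        elif filename is None and part.get_content_type() == "text/plain":
            body = part.get_content().strip()
            if normalize(body) in NORMALIZED_STRINGS:
                reasons.append(("body", body))
    return reasons


# Constructed message in the shape of the first sample above; the attachment
# body is a placeholder, not worm code.
WORM_MAIL = """\
From: "lovelorn" <lovelorn@yahoo.com>
To: someone@example.com
Subject: Re: Get Password mail...
Reply-To: Lovelorn@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Read File attach.
--b1
Content-Type: application/octet-stream; name="Lovelorn.Kiss.ok.exe"
Content-Disposition: attachment; filename="Lovelorn.Kiss.ok.exe"

placeholder bytes, constructed for this example
--b1--
"""

# Constructed benign message.
CLEAN_MAIL = """\
From: "Alice" <alice@example.com>
To: someone@example.com
Subject: Re: minutes from Monday

Attached are the minutes we discussed.
"""

if __name__ == "__main__":
    print("worm-like:", classify(WORM_MAIL))
    print("clean:", classify(CLEAN_MAIL))
```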

The worm keeps all addresses to which it has successfully sent e-mail in a plain-text file named "mssys.dll" in the system directory.


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International
 

