Lovgate.X@mm opens up a FTP backdoor on the infected system, thereby allowing a possible sensitive information leak.
Several files are dropped by this variant, some of them are exact copies of the worm itself others are dll files that act as components and propagation tools.
When the worm gets control it starts by terminating the following services:
"Rising Realtime Monitor Service"
"Symantec AntiVirus Server"
"Symantec AntiVirus Client"
It also rolls through the active processes in memory and terminates the following processes that contain the following words in the process name:
rising, SkyNet,Symantec, McAfee, Gate, Rfw.exe, RavMon.exe, NAV, Duba, KAV, KV.
Opens up a backdoor on port 6000 and relays information about infected machines through that port and writes it to a file called netlog.txt located on the root of the C: drive.
Copies itself in the system directory under the name hxdef.exe, and puts itself in the registry to ensure it gets executed on every startup.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile"="C:\\WINNT\\System32\\hxdef.exe"
The worm copies itself to the system directory undir the name Ravmond.exe and if running Win9x/ME, it modifies win.ini in such way that it will be executed on every startup.
If it does not find a file called iexplore.exe in the system directory it will copy itself there under that name. Puts itself in the registry to ensure it gets executed on every startup.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"
Drops dll's under the following names in the system directory:
msjdbc11.dll
ODBC16.dll
MSSIGN30.DLL
Makes the MSSIGN30.DLL execute on every startup by launching rundll32.exe through the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
Starts msjdbc11.dll up as a service under the name "Windows Management Protocol v.0 (experimental)"
Drops a file called NetMeeting.exe in the Windows system directory and executes it. Netmeeting.exe then drops a copy of itself in the Windows system directory undir the name of spollsv.exe. Netmeeting serves the purpose of exploiting the RPC DCOM vulnerability on remote computers. It skims for vulnerable computers using a randomly generated IP address. When the infected machine (computer 1) successfully exploits the vulnerability on another computer (computer 2) the newly infected computer (computer 2) starts up a ftp client to fetch a file called hxdef.exe from computer 1. The file hxdef.exe is a copy of the main worm. These keys are put in the registry to assure execution on every startup.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft NetMeeting Associates, Inc."="NetMeeting.exe"
"Shell Extension"="C:\\WINNT\\System32\\spollsv.exe"
The worm searches for e-mails in the mailbox and replies to them with the following message:
:>random name<wrote
< <the message body>
<
<
<
<
<domain name> account auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE (domain name) now! <
The worm uses the the names below as possible attachment names:
the hardcore game-.pif, Sex in Office.rm.scr, Deutsch BloodPatch!.exe, s3msong.MP3.pif, Me_nude.AVI.pif,
How to Crack all gamez.exe, Macromedia Flash.scr, SETUP.EXE, Shakira.zip.exe,
dreamweaver MX (crack).exe, StarWars2 - CloneAttack.rm.scr, Industry Giant II.exe,
DSL Modem Uncapper.rar.exe, joke.pif, Britney spears nude.exe.txt.exe, I am For u.doc.exe.
Also the worm harvests addresses and domains from the infected computer and sends out e-mails using those addresses, forging the senders address using gathered data and hard coded data.
The forged e-mails can have the following bodies, using random attachment names:
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail failed. For further assistance, please contact!
Using the following extensions for the attachments.
.exe
.RAR
.ZIP
.com
.pif
.scr
The worm also creates a shared directory called "Media" in the Windows directory and skims the machine for shared directories and copies itself there using the following names:
WinRAR.exe, Internet Explorer.bat, Documents and Settings.txt.exe,
Microsoft Office.exe,Windows Media Player.zip.exe, Support Tools.exe, WindowsUpdate.pif, Cain.pif,MSDN.ZIP.pif,autoexec.bat, findpass.exe, client.exe, i386.exe, winhlp32.exe, xcopy.exe, mmc.exe.
To infect other computers the worm creates a single thread for every remote logon attempt, using a randomly crafted IP, the Administrator account and the following list for passwords:
zxcv, yxcv, xxx, xp, win, test123, test, temp123, temp,
sybase, super, sex, secret, pwd, pw123, pw, pc, Password, owner,
oracle, mypc123, mypc, mypass123,
mypass, love, login, Login, Internet, home, godblessyou, god,
enable, database, computer, alpha, admin123, Admin,
abcd, aaa, 88888888, 2600, 2004, 2003, 123asd, 123abc,
123456789, 1234567, 123123, 121212, 12, 11111111, 110, 007,
00000000, 000000, 0, pass, 54321, 12345, password, passwd,
server, sql, !@#$%^&*, !@#$%^&, !@#$%^, !@#$%, asdfgh, asdf, !@#$,
1234, 111, root, abc123, 12345678, abcdefg, abcdef, abc, 888888, 666666, 111111,
admin, administrator, guest, 654321, 123456, 321, 123
If the attempt is successful it copies the NetMeeting.exe file(see above), to the system32 directory of the remote machine and executes it as a service named Windows Management NetWork Service Extensions.
It also acts as a companion/overwriting virus. It creates a thread that goes skims trough all the drives and directories of the infected computer. When skimming through drives lower than c: it tries to replace other programs with itself. For example when it finds a file called dummy.exe it tries to rename that file to dummy.ZMX and copy itself in that directory as dummy.exe, so when dummy.exe is executed it the worm gets control. But in many cases this fails and the worm just plainly overwrites the files. Therefore destroying them so they'll have to be restored from backup.
When the skimming thread is active it skims through the drives it finds on the infected computer. It drops several files in the root drive of where it is located using several names with different extensions. The following names can be used
setup,WORK,install,bak,letter,pass,game,email,PassWord.
With the following extensions.
.exe
.RAR
.ZIP
.com
.pif
.scr
|
