FRISK Software International


Summary of W32/Lovgate.X@mm
Length: 128KB
Discovered: 5 April 2004
Definition files: 7 April 2004
Risk Level: Medium
Distribution: High
Infection Method: Companion/overwriting, mass-mailing, RPC DCOM exploit and local networks.
Payload: Opens up a backdoor on the infected machine.
 

Brief Description

Lovgate.X@mm uses several methods to propagate, including remote login attempts as Administrator, disguising itself in e-mail messages and using the RPC DCOM exploit, which allows an attacker to execute code remotely on the victim's machine. It is packed with ASPack, which makes the file smaller and therefore easier to spread to computers on low-bandwidth connections.

It opens an FTP backdoor on the infected system, which could allow sensitive information to leak.
Several files are dropped by this variant; some are exact copies of the worm itself, others are DLL files that act as components and propagation tools.


Technical Description


Lovgate.X@mm opens an FTP backdoor on the infected system, which could allow sensitive information to leak.
Several files are dropped by this variant; some are exact copies of the worm itself, others are DLL files that act as components and propagation tools.
When the worm gains control it starts by terminating the following services:

"Rising Realtime Monitor Service"
"Symantec AntiVirus Server"
"Symantec AntiVirus Client"



It also walks through the processes active in memory and terminates any whose name contains one of the following strings:

rising, SkyNet, Symantec, McAfee, Gate, Rfw.exe, RavMon.exe, NAV, Duba, KAV, KV.


It opens a backdoor on port 6000, relays information about infected machines through that port and writes it to a file called netlog.txt in the root of the C: drive.

It copies itself to the system directory under the name hxdef.exe and adds itself to the registry to ensure it is executed on every startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile"="C:\\WINNT\\System32\\hxdef.exe"


The worm also copies itself to the system directory under the name Ravmond.exe and, if running on Win9x/ME, modifies win.ini so that this copy is executed on every startup.

If it does not find a file called iexplore.exe in the system directory it copies itself there under that name and adds itself to the registry to ensure it is executed on every startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"


It drops DLLs under the following names in the system directory:

msjdbc11.dll
ODBC16.dll
MSSIGN30.DLL


It makes MSSIGN30.DLL execute on every startup by launching it through rundll32.exe from the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"


It starts msjdbc11.dll as a service under the name "Windows Management Protocol v.0 (experimental)".

It drops a file called NetMeeting.exe in the Windows system directory and executes it. NetMeeting.exe then drops a copy of itself in the Windows system directory under the name spollsv.exe. NetMeeting.exe serves to exploit the RPC DCOM vulnerability on remote computers, scanning for vulnerable hosts at randomly generated IP addresses. When the infected machine (computer 1) successfully exploits the vulnerability on another computer (computer 2), the newly infected computer 2 starts an FTP client to fetch a file called hxdef.exe from computer 1; hxdef.exe is a copy of the main worm. The following keys are put in the registry to ensure execution on every startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft NetMeeting Associates, Inc."="NetMeeting.exe"
"Shell Extension"="C:\\WINNT\\System32\\spollsv.exe"
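A defender's check for the persistence entries listed above, added here as an example and not part of the original description: it parses a .reg export of the Run key and flags values whose name and file name match the worm's. The sample export is constructed for this example; the SoundMAX entry is a made-up benign neighbour.

```python
import re

# Run-key value names and file names this description attributes to Lovgate.X.
LOVGATE_RUN_VALUES = {
    "Hardware Profile": "hxdef.exe",
    "Program In Windows": "iexplore.exe",
    "VFW Encoder/Decoder Settings": "mssign30.dll",
    "Microsoft NetMeeting Associates, Inc.": "netmeeting.exe",
    "Shell Extension": "spollsv.exe",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_SECTION = re.compile(r"^\[(.+)\]$")
# "name"="string data"; .reg files escape backslashes and quotes with a backslash.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Parse [key] / "name"="data" lines of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        section = _SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = _VALUE.match(line)
        if value and current is not None:
            current[_unescape(value.group(1))] = _unescape(value.group(2))
    return keys

def find_lovgate_run_entries(text):
    """Return (name, data) pairs in the Run key whose name and file name match the worm's."""
    run = parse_reg_export(text).get(RUN_KEY, {})
    hits = []
    for name, data in run.items():
        expected = LOVGATE_RUN_VALUES.get(name)
        if expected and expected in data.lower():
            hits.append((name, data))
    return hits

# Constructed sample export, not a real capture; SoundMAX is a made-up benign entry.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile"="C:\\WINNT\\System32\\hxdef.exe"
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Shell Extension"="C:\\WINNT\\System32\\spollsv.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
'''
```

Matching on both the value name and the file name avoids flagging a legitimate entry that happens to reuse one of these display names.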


The worm searches for e-mails in the mailbox and replies to them with the following message:

<random name> wrote:
> <the message body>
>
>
>
>

<domain name> account auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE (domain name) now! <


The worm uses the names below as possible attachment names:

the hardcore game-.pif, Sex in Office.rm.scr, Deutsch BloodPatch!.exe, s3msong.MP3.pif, Me_nude.AVI.pif,
How to Crack all gamez.exe, Macromedia Flash.scr, SETUP.EXE, Shakira.zip.exe,
dreamweaver MX (crack).exe, StarWars2 - CloneAttack.rm.scr, Industry Giant II.exe,
DSL Modem Uncapper.rar.exe, joke.pif, Britney spears nude.exe.txt.exe, I am For u.doc.exe.

The worm also harvests addresses and domains from the infected computer and sends out e-mails to those addresses, forging the sender's address from gathered and hard-coded data.
The forged e-mails can have the following bodies, with random attachment names:

It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.


The message contains Unicode characters and has been sent as a binary attachment.


Mail failed. For further assistance, please contact!

The attachments use the following extensions:

.exe
.RAR
.ZIP
.com
.pif
.scr



The worm also creates a shared directory called "Media" in the Windows directory, scans the machine for shared directories and copies itself to them using the following names:

WinRAR.exe, Internet Explorer.bat, Documents and Settings.txt.exe,
Microsoft Office.exe, Windows Media Player.zip.exe, Support Tools.exe, WindowsUpdate.pif, Cain.pif, MSDN.ZIP.pif, autoexec.bat, findpass.exe, client.exe, i386.exe, winhlp32.exe, xcopy.exe, mmc.exe.

To infect other computers the worm creates a thread for each remote logon attempt, using a randomly generated IP address, the Administrator account and the following list of passwords:

zxcv, yxcv, xxx, xp, win, test123, test, temp123, temp,
sybase, super, sex, secret, pwd, pw123, pw, pc, Password, owner,
oracle, mypc123, mypc, mypass123,
mypass, love, login, Login, Internet, home, godblessyou, god,
enable, database, computer, alpha, admin123, Admin,
abcd, aaa, 88888888, 2600, 2004, 2003, 123asd, 123abc,
123456789, 1234567, 123123, 121212, 12, 11111111, 110, 007,
00000000, 000000, 0, pass, 54321, 12345, password, passwd,
server, sql, !@#$%^&*, !@#$%^&, !@#$%^, !@#$%, asdfgh, asdf, !@#$,
1234, 111, root, abc123, 12345678, abcdefg, abcdef, abc, 888888, 666666, 111111,
admin, administrator, guest, 654321, 123456, 321, 123



If the attempt is successful it copies the NetMeeting.exe file (see above) to the system32 directory of the remote machine and runs it as a service named "Windows Management NetWork Service Extensions".


It also acts as a companion/overwriting virus. It creates a thread that scans through all the drives and directories of the infected computer. When scanning drives lower than C: it tries to replace other programs with itself. For example, when it finds a file called dummy.exe it tries to rename that file to dummy.ZMX and copy itself into the same directory as dummy.exe, so that the worm gets control when dummy.exe is run. In many cases this fails and the worm simply overwrites the files, destroying them so that they have to be restored from backup.
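A clean-up routine for the companion case described above, added here as an example and not part of the original description: it finds every .exe that has a same-named .ZMX file beside it, quarantines the suspect .exe and renames the .ZMX original back. Programs that were plainly overwritten leave no .ZMX twin and are not recoverable this way. The directory tree and file contents in demo() are constructed for this example.

```python
import os
import shutil
import tempfile

COMPANION_EXT = ".zmx"  # the description says the displaced program is renamed to .ZMX

def find_companion_pairs(root):
    """Return (exe_path, zmx_path) pairs: an .exe with a same-named .ZMX beside it."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            base, ext = os.path.splitext(f)
            exe = by_lower.get(base.lower() + ".exe")
            # Plainly overwritten programs have no .ZMX twin and only a backup can restore them.
            if ext.lower() == COMPANION_EXT and exe:
                pairs.append((os.path.join(dirpath, exe), os.path.join(dirpath, f)))
    return pairs

def restore_companion_pairs(root, quarantine_dir):
    """Quarantine each .exe that has a .ZMX twin and rename the .ZMX original back."""
    os.makedirs(quarantine_dir, exist_ok=True)
    restored = []
    for exe, original in find_companion_pairs(root):
        # Keep the suspect copy for analysis rather than deleting it outright.
        qname = os.path.relpath(exe, root).replace(os.sep, "_") + ".quarantined"
        shutil.move(exe, os.path.join(quarantine_dir, qname))
        os.rename(original, exe)
        restored.append(exe)
    return restored

def demo():
    """Build a constructed tree with one companion-infected program and clean it."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "Tools")
    os.makedirs(app)
    samples = {
        "dummy.ZMX": b"ORIGINAL PROGRAM",   # displaced original (constructed content)
        "dummy.exe": b"WORM COPY",          # worm sitting under the original's name
        "clean.exe": b"UNRELATED PROGRAM",  # no .ZMX twin, so it is left alone
    }
    for name, data in samples.items():
        with open(os.path.join(app, name), "wb") as fh:
            fh.write(data)
    restored = restore_companion_pairs(root, os.path.join(root, "quarantine"))
    with open(os.path.join(app, "dummy.exe"), "rb") as fh:
        return restored, fh.read()
```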


While the scanning thread is active it goes through the drives it finds on the infected computer and drops several files in the root of each drive, using the following names:

setup, WORK, install, bak, letter, pass, game, email, PassWord.


combined with the following extensions:

.exe
.RAR
.ZIP
.com
.pif
.scr


Removal Instructions
For general removal instructions, please refer to the F-Prot general removal instructions.

Guidelines on Safe Computing
  • Make sure you always have the latest version of F-Prot Antivirus installed on your computer and update the virus signature files regularly.
  • Be extremely careful when opening e-mail from anyone you do not know. Attachments are especially dangerous. Never run an attachment unless you know exactly what it is, even if it appears to have been sent to you by someone you know. Most worms have the ability to falsify the "From" address.
  • Make sure that your operating system is up-to-date. If you are using Windows, use Windows Automatic Updates and download the service packs when they are released. For more information on keeping Windows up-to-date, please visit Microsoft's Windows Update web site.
  • If you are using Internet Explorer / Outlook Express or Office / Outlook, make sure that you always have the latest versions. Old versions may contain security holes that are used by virus writers to access your computer. Please visit Microsoft's Windows Update web site to update Internet Explorer and Outlook Express and Microsoft's Office Update web site to update Office and Outlook.
  • Use a firewall. When you are browsing the Internet, the firewall creates a shield between your computer and possible malicious content on the Internet.
  • Scan all removable media (CD-ROMs, floppy disks, USB keys, external hard drives etc.) before you open or run any content on it.
  • Scan all files that you receive through IRC, MSN, ICQ, Kazaa and other such on-line services.
  • Use software that detects ad-ware and spyware.

Ragnar Gisli, Senior Virus Researcher
 

