Worm:Win32/Lovgate.AC@mm is a mass-mailing worm that sends itself as an e-mail attachment to addresses found on the infected computer. To spread via networks and file shares, Worm:Win32/Lovgate.AC@mm copies itself to writeable network shares and shares protected by weak user name and password pairs. The worm opens a backdoor on infected systems and may send system passwords and other sensitive information to the worm's author.
Worm:Win32/Lovgate.AC@mm spreads via e-mail by replying to any unread messages in the Microsoft Outlook and Outlook Express inboxes. It also searches drives for .htm and .html files and sends a copy of itself to any mailto addresses found in those files.
When Worm:Win32/Lovgate.AC@mm runs, it takes the following actions:
Copies itself to the Windows system folder using one of the following filenames:
WinHelp.exe
winrpc.exe
Note: The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System (Windows 95/98/ME).
Creates the following values in registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
Value: winhelp, with data: <system folder>\winhelp.exe
Value: winrpc, with data: <system folder>\winrpc.exe
Copies itself to writeable network shares using the following file names:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
To access protected shares, the worm tries to guess username and password combinations using the following list:
Guest
Administrator
test123
temp123
sybase
super
secret
pw123
Password
owner
oracle
mypc123
mypass123
mypass
login
Login
Internet
godblessyou
enable
database
computer
alpha
admin123
Admin
88888888
123asd
123abc
123456789
1234567
123123
121212
11111111
00000000
000000
54321
12345
password
passwd
server
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
abc123
12345678
abcdefg
abcdef
888888
666666
111111
admin
administrator
guest
654321
123456
Worm:Win32/Lovgate.AC@mm also drops a backdoor DLL component. The file name of this DLL may vary. The following are examples of file names used by the worm:
reg678.dll
Task688.dll
ily668.dll
kernel66.dll
111.dll
The e-mail composed by Worm:Win32/Lovgate.AC@mm has the following characteristics:
Subject:
Reply to this!
Let's Laugh
Last Update
for you
Great
Attached one Gift for u..
Hi Dear
See the attachement
Message body:
For further assistance, please contact!
Copy of your message, including all the headers is attached.
This is the last cumulative update.
Tiger Woods had two eagles Friday during his 7 and 6 victory over Stephen Leaney. (AP Photo/Denis Poroy)
Send reply if you want to be official beta tester.
This message was created automatically by mail delivery software (Exim).
It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
Adult content!!! Use with parental advisory.
Patrick Ewing will give Knick fans something to cheer about Friday night.
Attachment names:
About_Me.txt
driver
Doom3 Preview!!!
enjoy
YOU_are_FAT!.TXT
Source
Interesting
README.TXT
images
Pics.ZIP
The attachment file names have the following extensions:
pif
scr
exe
Worm:Win32/Lovgate.AC@mm uses a double extension ruse, which may cause the extension to display as .txt or .zip.
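The double-extension ruse described above can be checked for when triaging share listings or attachment names. The following Python is an added example, not part of the original write-up; the function names, the decoy-extension set (taken from file names listed on this page) and the sample listing are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Final extensions the page lists for the worm's attachments.
EXECUTABLE_EXTS = {"pif", "scr", "exe"}
# Harmless-looking inner extensions seen in the file names on this page.
DECOY_EXTS = {"doc", "txt", "zip", "jpg"}


def classify(name: str) -> str:
    """Return 'double-extension', 'executable' or 'other' for a file name."""
    # Keep only the last path component; Windows ignores trailing dots and
    # spaces, so strip them before looking at the extension.
    cleaned = PureWindowsPath(name).name.rstrip(". ").lower()
    parts = cleaned.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "other"
    # Tolerate padding before the real extension, e.g. "a.txt   .exe"
    # (an assumption added here; the page does not describe padding).
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan(names):
    """Map each flagged name to its classification, skipping 'other'."""
    return {n: c for n in names if (c := classify(n)) != "other"}


# Constructed listing: worm file names from this page mixed with benign ones.
SAMPLE_LISTING = [
    "Are you looking for Love.doc.exe",
    "Sex_For_You_Life.JPG.pif",
    "Winrar + crack.exe",
    "About_Me.txt.scr ",                    # trailing space, constructed
    "README.TXT",
    "quarterly report.doc",                 # benign, constructed
    r"\\fileserver\public\Pics.ZIP.exe",    # constructed UNC path
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_LISTING).items():
        print(f"{verdict:17} {name!r}")
```

Names classified as "executable" are not double-extension cases but still carry one of the attachment extensions listed above, so they are reported separately rather than ignored.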