Threat behavior
Worm:Win32/Lovgate.B@mm is a mass-mailing worm that sends itself as an e-mail attachment to addresses found on the infected computer. To spread via networks and file shares, Worm:Win32/Lovgate.B@mm copies itself to writeable network shares and shares protected by weak user name and password pairs. The worm opens a backdoor on infected systems and may send system passwords and other sensitive information to the worm's author.
Worm:Win32/Lovgate.B@mm spreads via e-mail by replying to any unread messages in the Microsoft Outlook and Outlook Express inboxes. It also searches drives for .htm and .html files and sends a copy of itself to any mailto: addresses found in those files.
When Worm:Win32/Lovgate.B@mm runs, it takes the following actions:
Copies itself to the Windows system folder as winrpc.exe or syshelp.exe. The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System (Windows 95/98/ME).
Creates value: syshelp
with data: <system folder>\syshelp.exe
or data: <system folder>\winrpc.exe
in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Copies itself to writeable network shares using the following file names:
fun.exe
humor.exe
docs.exe
s3msong.exe
midsong.exe
billgt.exe
Card.EXE
SETUP.EXE
searchURL.exe
tamagotxi.exe
hamster.exe
news_doc.exe
PsPGame.exe
joke.exe
images.exe
pics.exe
Worm:Win32/Lovgate.B@mm also drops a backdoor DLL component. The file name of this DLL may vary; the following are examples of file names used by the worm:
reg678.dll
Task688.dll
ily668.dll
kernel66.dll
111.dll
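The persistence entry and the dropped file names above are the host-side indicators a responder would check first. The following Python script is an added example, not Microsoft's code or anything the encyclopedia provides: it parses a decoded text export of the Run key (what `reg export` writes, after the UTF-16 file is decoded to a string) and flags a value whose data points at winrpc.exe or syshelp.exe, and it matches a share or system-folder listing against the worm's file names. The registry export and the share listing are constructed samples; the `reg export` escaping rules it undoes (doubled backslashes, escaped quotes) are the standard .reg text format.

```python
"""Host-side checks for the Lovgate.B indicators described above.

Added example, not Microsoft's code. It parses a decoded text export of the
Run key (what `reg export` writes, after decoding the UTF-16 file to str)
and flags the value the worm creates, and it matches a share or
system-folder listing against the file names the worm uses.
All sample data below is constructed.
"""
import re
from pathlib import PureWindowsPath

# File names taken from the description above (compared case-insensitively).
WORM_EXE_NAMES = {"winrpc.exe", "syshelp.exe"}
SHARE_DROP_NAMES = {
    "fun.exe", "humor.exe", "docs.exe", "s3msong.exe", "midsong.exe", "billgt.exe",
    "card.exe", "setup.exe", "searchurl.exe", "tamagotxi.exe", "hamster.exe",
    "news_doc.exe", "pspgame.exe", "joke.exe", "images.exe", "pics.exe",
}
BACKDOOR_DLL_NAMES = {"reg678.dll", "task688.dll", "ily668.dll", "kernel66.dll", "111.dll"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REG_SZ values in a .reg export.
    hex()/dword values are skipped; the doubled-backslash and escaped-quote
    forms that reg export writes inside string data are undone."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def find_run_key_indicators(reg_text):
    """Run-key values whose data points at one of the worm's executable names.
    Matching on the file name rather than the value name catches the
    winrpc.exe variant even though the value is always called syshelp."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        base = PureWindowsPath(data.strip('"')).name.lower()
        if base in WORM_EXE_NAMES:
            hits.append((name, data))
    return hits


def find_dropped_file_indicators(file_names, known=SHARE_DROP_NAMES | BACKDOOR_DLL_NAMES):
    """Names from a directory or share listing that match the worm's drop names."""
    return sorted(n for n in file_names if n.lower() in known)


# Constructed sample: a Run-key export holding a benign entry and the worm's entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"syshelp"="C:\\Windows\\System32\\syshelp.exe"
'''

# Constructed sample: a listing of a writeable share.
SAMPLE_SHARE_LISTING = ["Q3-report.xlsx", "Card.EXE", "PsPGame.exe", "readme.txt", "fun.exe"]

if __name__ == "__main__":
    print("Run key:", find_run_key_indicators(SAMPLE_REG_EXPORT))
    print("Share:", find_dropped_file_indicators(SAMPLE_SHARE_LISTING))
```

The Run-key check keys on the executable name in the data rather than on the value name, because the page says the value is always syshelp while the data may name either winrpc.exe or syshelp.exe. The name-list check is case-insensitive because the worm itself mixes case (Card.EXE, SETUP.EXE).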
The email composed by Worm:Win32/Lovgate.B@mm has the following characteristics:
Subject:
Last Update
Do not release
Evaluation copy
Message body:
Check our list and mail your requests!
I think all will work fine.
This is the last cumulative update.
This is the pack ;)
Send reply if you want to be official beta tester.
I'm going crazy... please try to find the bug!
Test it 30 days for free.
Adult content!!! Use with parental advisory.
Test this ROM! IT ROCKS!.
Send me your comments...
The attachment file names may vary and use one of the following extensions:
pif
scr
exe
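The subject lines, body lines and attachment extensions above are the mail-side indicators a gateway or mailbox scan can key on. The following Python script is an added example, not Microsoft's code: it parses a raw RFC 822 message with the standard library's `email` module, reports which of the listed indicators are present, and alerts only when an executable-type attachment is paired with a known subject or body line, since a .exe attachment on its own is too common to act on. Both sample messages are constructed, and the attachment in the first is a base64 placeholder string, not a binary.

```python
"""Mail-side checks for the Lovgate.B message characteristics listed above.

Added example, not Microsoft's code. It parses a raw RFC 822 message and
reports which of the worm's indicators (subject, body line, attachment
extension) are present; is_suspected_lovgate() combines them so that a
lone executable attachment does not raise an alert on its own.
The sample messages below are constructed.
"""
import email
from email.message import Message

# Strings taken from the description above.
KNOWN_SUBJECTS = {"Last Update", "Do not release", "Evaluation copy"}
KNOWN_BODY_LINES = {
    "Check our list and mail your requests!",
    "I think all will work fine.",
    "This is the last cumulative update.",
    "This is the pack ;)",
    "Send reply if you want to be official beta tester.",
    "I'm going crazy... please try to find the bug!",
    "Test it 30 days for free.",
    "Adult content!!! Use with parental advisory.",
    "Test this ROM! IT ROCKS!.",
    "Send me your comments...",
}
ATTACHMENT_EXTENSIONS = {"pif", "scr", "exe"}


def _text_of(part: Message) -> str:
    """Decode a text part to str, tolerating a missing or wrong charset."""
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "us-ascii", errors="replace")


def lovgate_indicators(raw_message: str) -> list:
    """Return the indicators found in the message, each tagged with its kind."""
    msg = email.message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject in KNOWN_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no content of their own
        filename = part.get_filename()
        if filename:
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in ATTACHMENT_EXTENSIONS:
                hits.append("attachment:" + filename)
            continue
        if part.get_content_type() == "text/plain":
            for line in _text_of(part).splitlines():
                if line.strip() in KNOWN_BODY_LINES:
                    hits.append("body:" + line.strip())
    return hits


def is_suspected_lovgate(raw_message: str) -> bool:
    """Alert only when an executable-type attachment is paired with a known
    subject or body line; the extension alone is too common to act on."""
    kinds = {h.split(":", 1)[0] for h in lovgate_indicators(raw_message)}
    return "attachment" in kinds and bool(kinds & {"subject", "body"})


# Constructed sample resembling the worm's mail; the attachment is a placeholder, not a binary.
SAMPLE_WORM_MAIL = """\
From: sender@example.test
To: victim@example.test
Subject: Last Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

This is the last cumulative update.

--b1
Content-Type: application/octet-stream; name="update.pif"
Content-Disposition: attachment; filename="update.pif"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""

# Constructed benign sample.
SAMPLE_BENIGN_MAIL = """\
From: sender@example.test
To: victim@example.test
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    print(lovgate_indicators(SAMPLE_WORM_MAIL), is_suspected_lovgate(SAMPLE_WORM_MAIL))
    print(lovgate_indicators(SAMPLE_BENIGN_MAIL), is_suspected_lovgate(SAMPLE_BENIGN_MAIL))
```

Because the worm replies to unread messages already in the inbox, a matching subject is not guaranteed (the reply keeps the original thread's subject), which is why the body lines and the attachment extension are checked separately and combined in is_suspected_lovgate().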
Prevention