Worm:Win32/Lovgate.I@mm is a mass-mailing worm that sends itself as an e-mail attachment to addresses found on the infected computer. To spread via networks and file shares, Worm:Win32/Lovgate.I@mm copies itself to writeable network shares and shares protected by weak user name and password pairs. The worm opens a backdoor on infected systems and may send system passwords and other sensitive information to the worm's author.
Worm:Win32/Lovgate.I@mm spreads via email by replying to any unread messages in the Microsoft Outlook and Outlook Express inboxes. It also searches drives for .htm and .html files and sends a copy of itself to any mailto addresses found in those files.
When Worm:Win32/Lovgate.I@mm runs, it takes the following actions:
Copies itself to the Windows system folder as winrpc.exe or WinHelp.exe. The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System (Windows 95/98/ME).
Creates value: Runwinhelp
with data: <system folder>\winhelp.exe
or data: <system folder>\winrpc.exe
in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Copies itself to writeable network shares using the following file names:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
Worm:Win32/Lovgate.I@mm also drops a backdoor DLL component. The file name of this DLL may vary. The following are examples of the file names used by the worm:
reg678.dll
Task688.dll
ily668.dll
kernel66.dll
111.dll
The email composed by Worm:Win32/Lovgate.I@mm has the following characteristics:
Subject:
Send me your comments...
Reply to this!
Let's Laugh
Last Update
for you
Great
Attached one Gift for u..
Hi Dear
Message body:
For further assistance, please contact!
Copy of your message, including all the headers is attached.
This is the last cumulative update.
Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
Send reply if you want to be official beta tester.
This message was created automatically by mail delivery software (Exim).
It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
Adult content!!! Use with parental advisory.
Patrick Ewing will give Knick fans something to cheer about Friday night.
Attachment names:
About_Me.txt
driver
Doom3 Preview!!!
enjoy
YOU_are_FAT!.TXT
Source
Interesting
README.TXT
images
Pics.ZIP
The attachment file names have the following extensions:
pif
scr
exe
Worm:Win32/Lovgate.I@mm uses a double extension ruse. Depending on system configuration, this may cause the extension to display as .txt.
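The double extension ruse can be checked for at a mail gateway or when auditing a file share. The following Python check is an added example, not part of the original description: the function names and the decoy-extension set are assumptions, and the sample names are constructed by combining file names and extensions listed above.

```python
import ntpath

# Final extensions this description lists for the worm's attachments.
EXECUTABLE_EXTS = {"pif", "scr", "exe"}
# Decoy extensions seen in the file names above; the set is an assumption, extend as needed.
DECOY_EXTS = {"txt", "doc", "jpg", "zip"}


def normalize(name):
    """Base name as Windows resolves it: path removed, trailing dots/spaces dropped."""
    return ntpath.basename(name).rstrip(". ").lower()


def classify(name):
    """Return 'double-extension', 'executable' or 'ok' for one file name."""
    parts = normalize(name).split(".")
    if len(parts) < 2 or parts[-1].strip() not in EXECUTABLE_EXTS:
        return "ok"
    # Spaces may pad the decoy extension to push the real one out of view.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "double-extension"
    return "executable"


def shown_as(name):
    """Name as displayed when the final extension is hidden by the shell."""
    base = ntpath.basename(name).rstrip(". ")
    return base.rsplit(".", 1)[0].rstrip() if "." in base else base


def flag(names):
    """Return (name, verdict, displayed name) for every name that is not 'ok'."""
    return [(n, classify(n), shown_as(n)) for n in names if classify(n) != "ok"]


if __name__ == "__main__":
    # Constructed sample: names from this description combined with its listed extensions.
    sample = [
        "README.TXT.pif",
        "Sex_For_You_Life.JPG.pif",
        "About_Me.txt      .scr",
        "driver.exe",
        "Pics.ZIP",
        "C:\\share\\Are you looking for Love.doc.exe",
    ]
    for row in flag(sample):
        print(row)
```

The check only covers the three extensions listed in this description; other executable types, such as the autoexec.bat name used on shares, need their own rule.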