Worm:Win32/Lovgate.S@mm is a mass-mailing worm that sends itself as an e-mail attachment to addresses found on the infected computer. To spread via networks and file shares, Worm:Win32/Lovgate.S@mm copies itself to writeable network shares and shares protected by weak user name and password pairs. The worm opens a backdoor on infected systems and may send system passwords and other sensitive information to the worm's author.
Worm:Win32/Lovgate.S@mm spreads via email by replying to any unread messages in the Microsoft Outlook and Outlook Express inboxes. It also searches drives for .htm and .html files and sends a copy of itself to any mailto addresses found in those files.
When Worm:Win32/Lovgate.S@mm runs, it takes the following actions:
Copies itself to the Windows system folder as winhelp.exe. The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System (Windows 95/98/ME).
Creates value: winhelp
with data: <system folder>\winhelp.exe
in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Copies itself to writeable network shares using the following file names:
PC-Cillin readme.txt.exe
Norton Antivirus crack.exe
AMD 2600 test.zip.exe
install.exe
Prescott.scr
256MFX5600.txt.pif
picture.JPG.pif
GBA-Shell.exe
SetUp.exe
ReadMe.exe
Zealot.exe
Backup Made Simple 5.1.58 crack.exe
Zealot All Video Splitter 1.1.9.zip.exe
CD-Cover Editor 2.6.exe
Worm:Win32/Lovgate.S@mm also drops a backdoor DLL component. The file name of this DLL may vary. The following are examples of the file names used by the worm:
reg678.dll
Task688.dll
ily668.dll
kernel66.dll
111.dll
The email composed by Worm:Win32/Lovgate.S@mm has the following characteristics:
Subject:
Send me your comments...
Cracks!
The patch
Last Update
Do not release
Evaluation copy
Message body:
> Get your FREE %s now! <
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
Attachment names:
the hardcore game
Sex in Office.rm
Deutsch BloodPatch!
s3msong.MP3
Me_nude.AVI
How to Crack all gamez
Macromedia Flash
SETUP
Shakira.zip
dreamweaver MX (crack)
StarWars2 - CloneAttack.rm
Industry Giant II
DSL Modem Uncapper.rar
joke.pif
Britney spears nude.exe.txt
I am For u.doc
The attachment file names have one of the following extensions:
pif
scr
exe
Worm:Win32/Lovgate.S@mm uses a double-extension ruse, which may cause the attachment to appear to have one of the following extensions:
rm
mp3
avi
rar
doc
txt
exe.txt
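
A mail gateway or file-share sweep can check for the double-extension ruse described above by comparing the final extension of a name with the extensions in front of it. The Python sketch below is an added example, not part of the original description; the function names are hypothetical, and the sample names marked as constructed are assumptions built from the extension lists above.

```python
import re
from pathlib import PureWindowsPath

# Real (final) extensions the description lists for the attachment.
EXECUTABLE_EXTS = {"pif", "scr", "exe"}
# Decoy extensions listed for the ruse, plus the zip and jpg decoys
# that appear in the network-share file names.
DECOY_EXTS = {"rm", "mp3", "avi", "rar", "doc", "txt", "zip", "jpg"}


def normalize(name: str) -> str:
    """Reduce a path or attachment name to the file name Windows acts on."""
    base = PureWindowsPath(name).name
    # Windows ignores trailing dots and spaces when it resolves a name.
    return base.rstrip(" .").lower()


def extensions(name: str) -> list[str]:
    """Trailing extensions, right to left: 'a.txt.pif' -> ['pif', 'txt']."""
    exts = []
    for part in reversed(normalize(name).split(".")[1:]):
        token = part.strip()  # tolerate space padding between extensions
        if not re.fullmatch(r"[a-z0-9]{1,4}", token):
            break  # not extension-shaped, so it belongs to the base name
        exts.append(token)
    return exts


def classify(name: str) -> str:
    """Return 'double-extension', 'executable' or 'ok' for one file name."""
    exts = extensions(name)
    if not exts or exts[0] not in EXECUTABLE_EXTS:
        return "ok"
    if any(ext in DECOY_EXTS for ext in exts[1:]):
        return "double-extension"
    return "executable"


def flag(names):
    """Map each name that is not 'ok' to its verdict."""
    verdicts = {name: classify(name) for name in names}
    return {name: v for name, v in verdicts.items() if v != "ok"}


if __name__ == "__main__":
    samples = [
        "picture.JPG.pif",                  # share name from the list above
        "Britney spears nude.exe.txt.pif",  # constructed: listed name + pif
        "quarterly report.doc",             # constructed benign name
    ]
    for name, verdict in flag(samples).items():
        print(f"{verdict:17} {name}")
```

Names classified as "executable" carry no decoy extension but still end in one of the three extensions the worm uses, so they deserve the same scrutiny when they arrive as attachments or appear unexpectedly on a share.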