Installation
When Worm:Win32/Lovgate.V@mm runs, it copies itself to "<system folder>\winhelp.exe" and modifies the registry so that the dropped copy runs at each Windows start:
Adds value: winhelp
With data: "<system folder>\winhelp.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreads via…
Network shares
Worm:Win32/Lovgate.V@mm uses a predefined list of weak usernames and passwords to gain access to network shares. If the worm can connect to a writable network share, it then copies itself using file names from the following predefined list:
Internet Explorer.bat
Documents and Settings.txt.exe
Microsoft Office.exe
Windows Media Player.zip.exe
Support Tools.exe
WindowsUpdate.pif
Cain.pif
MSDN.ZIP.pif
autoexec.bat
findpass.exe
client.exe
i386.exe
winhlp32.exe
xcopy.exe
mmc.exe
Removable drives
The worm attempts to copy itself as "command.exe" to the root of each available removable drive. Worm:Win32/Lovgate.V@mm then writes an autorun configuration file named "autorun.inf" in the same root that launches "command.exe". When the removable (or networked) drive is accessed from another machine on which the AutoRun feature is enabled, the malware is launched automatically. Note that Windows 7 and later, and earlier versions with the AutoRun hardening update applied, ignore autorun.inf on removable drives other than optical media, so this vector depends on the target's AutoRun configuration.
E-mail as an attachment
Worm:Win32/Lovgate.V@mm uses a self-contained SMTP engine and sends itself as an e-mail attachment to addresses that it finds on the infected computer. The e-mail sender, subject line, message body text, and attachment name are fabricated. Following are examples of e-mails that this worm can send:
From: <spoofed>
Subject: Last Update
Message Body: This is the last cumulative update.
Attachment: Macromedia Flash.scr
From: <spoofed>
Subject: Hi Dear
Message Body: Send me your comments...
Attachment: joke.pif
Payload
Terminates security-related processes
The worm may terminate security-related processes. In the wild, this worm was observed to execute the Windows utility "net.exe" to stop security-related services whose names contain any of the following strings:
rising
SkyNet
Symantec
McAfee
Rfw.exe
Below are examples of commands issued by the worm to stop services:
net stop "Symantec AntiVirus Client"
net stop "Symantec AntiVirus Server"
net stop "Rising Realtime Monitor Service"
Allows backdoor access and control
Worm:Win32/Lovgate.V@mm drops a trojan component as a DLL in the system folder, using file names such as the following:
<system folder>\odbc16.dll
<system folder>\msjdbc11.dll
<system folder>\mssign30.dll
This trojan component opens a backdoor to allow attackers to access and control the computer.
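The following host sweep is an added example written for this page; it is not Microsoft's code or part of the original analysis. It checks a suspect Windows machine for the indicators listed above: the "winhelp" Run value, the dropped copy and backdoor DLLs in the system folder, "command.exe" plus an "autorun.inf" on removable drives (and, optionally, on share roots the operator names), the share-copy file names, and the security services the worm stops with net.exe. The registry path, file names and service names come from the description; the autorun.inf keys it inspects (open= and shellexecute=) are the standard AutoRun launch keys and are an assumption about how the worm's autorun.inf points at command.exe. The -SharePaths parameter is hypothetical, supplied by the operator, and is not something the worm creates.

```powershell
# Added example (not Microsoft's code): indicator sweep for Worm:Win32/Lovgate.V@mm.
# Run in an elevated PowerShell prompt on the suspect host. Share roots to inspect are
# optional and supplied by the operator, e.g. .\Invoke-LovgateSweep.ps1 -SharePaths '\\host\share'.
param([string[]]$SharePaths = @())

$sys      = [Environment]::GetFolderPath('System')   # <system folder>, e.g. C:\Windows\System32
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: HKLM\...\Run value "winhelp" -> <system folder>\winhelp.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['winhelp']) {
    $findings.Add("Run value 'winhelp' = $($run.winhelp)")
}

# 2. Dropped copy and backdoor DLL components in the system folder
foreach ($name in @('winhelp.exe', 'odbc16.dll', 'msjdbc11.dll', 'mssign30.dll')) {
    $p = Join-Path $sys $name
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $findings.Add("File present: $p (size $($f.Length) bytes, written $($f.LastWriteTime))")
    }
}

# File names the worm uses when copying itself to the root of a writable share.
# winhlp32.exe, xcopy.exe and mmc.exe are also legitimate Windows binaries; only their
# presence at a share or drive root is suspicious, not their presence in the system folder.
$shareNames = @('Internet Explorer.bat', 'Documents and Settings.txt.exe', 'Microsoft Office.exe',
    'Windows Media Player.zip.exe', 'Support Tools.exe', 'WindowsUpdate.pif', 'Cain.pif',
    'MSDN.ZIP.pif', 'autoexec.bat', 'findpass.exe', 'client.exe', 'i386.exe',
    'winhlp32.exe', 'xcopy.exe', 'mmc.exe')

function Test-LovgateRoot {
    # Inspect one drive or share root for the worm's copies and its autorun.inf.
    param([string]$Root, [string]$Kind)
    foreach ($name in $shareNames + 'command.exe') {
        $p = Join-Path $Root $name
        if (Test-Path -LiteralPath $p) { $findings.Add("$Kind root $Root has $name") }
    }
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        # Assumption: the worm uses the standard open= or shellexecute= key to launch command.exe.
        if ($text -match '(?im)^\s*(open|shellexecute)\s*=.*command\.exe') {
            $findings.Add("autorun.inf on $Root launches command.exe")
        }
    }
}

# 3. Removable drives (DriveType 2) and any operator-supplied share roots
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    Test-LovgateRoot -Root ($_.DeviceID + '\') -Kind 'Removable drive'
}
foreach ($share in $SharePaths) { Test-LovgateRoot -Root $share -Kind 'Share' }

# 4. Security services the worm stops via net.exe (display names quoted in the description)
foreach ($name in @('Symantec AntiVirus Client', 'Symantec AntiVirus Server', 'Rising Realtime Monitor Service')) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $findings.Add("Service '$name' is $($svc.Status)")
    }
}

if ($findings.Count -eq 0) { 'No Lovgate.V indicators found.' } else { $findings }
```

A hit on the Run value or on any of the three DLL names is a strong indicator on its own; a stopped antivirus service or a legitimate-looking binary name at a share root is weaker and should be confirmed by hashing the file against a known-good copy before acting on it.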
Analysis by Chengyun Chu