Virus Profile: W32/Lovgate.c@M

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/23/2003
Date Added: 2/23/2003
Origin: Unknown
Length: 78,848 bytes
Type: Virus
Subtype: Worm
DAT Required: 4249
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of the Registry key values listed under Methods of Infection.
  • Presence of the files listed under Methods of Infection.
  • TCP ports 10168, 20168 and/or 1192 open on the victim machine.

Methods of Infection

The worm propagates via email (it contains its own SMTP engine) and over network shares. It copies itself to folders/subfolders on open shares, and replies to messages in the user's inbox. Additionally, it drops a backdoor component, which opens port 10168 on victim machines (and also port 1192 on NT-based systems).

When executed, it copies itself to the %System% folder as:

  • WinGate.exe
  • rpcsrv.exe
  • syshelp.exe
  • winrpc.exe
  • WinRpcsrv.exe

The backdoor component (77,824 bytes) is also dropped to the %System% directory (multiple times with various filenames):

  • 1.dll
  • reg.dll
  • ily.dll
  • task.dll

(Note: %System% is the Windows System folder, which is usually C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 on Windows XP.)

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"syshelp" = C:\WINDOWS\SYSTEM\syshelp.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinGate initialize" = C:\WINDOWS\SYSTEM\WinGate.exe -remoteshell

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run" = rpcsrv.exe

A system startup hook is also added for the backdoor component:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Module Call initialize" = RUNDLL32.EXE reg.dll ondll_reg

The following Registry key is modified to hook the execution of text files:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = "winrpc.exe %1"

When executed on Windows NT/2000/XP, the worm installs itself as a service with the display name 'Window Remote Service' (set to run the copy of the worm with the filename WINRPCSRV.EXE). One of the dropped backdoor components (TASK.DLL) is also installed as two services, with the following display names:

  1. dll_reg
  2. Windows Management Extension

The worm also modifies the WIN.INI by adding a 'Run' command as follows:

[windows]
run=rpcsrv.exe
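The startup hooks, txtfile handler hijack and backdoor ports listed above can be triaged from offline captures. The following is an added example (not part of this profile or of the vendor's tools) that assumes text saved from `reg export` and `netstat -an`; the sample captures in it are constructed.

```python
import re
# Startup values the profile attributes to the worm and its backdoor (value name -> data fragment).
LOVGATE_RUN_VALUES = {"syshelp": "syshelp.exe", "WinGate initialize": "WinGate.exe -remoteshell",
                      "Module Call initialize": "reg.dll ondll_reg", "run": "rpcsrv.exe"}
LOVGATE_PORTS = {10168, 20168, 1192}      # backdoor listeners named in the profile
DEFAULT_TXTFILE_CMD = "NOTEPAD.EXE %1"    # how the legitimate txtfile open command ends

def parse_reg_export(text):
    """Map (key, value name) -> data from `reg export` style text (.reg backslash escaping undone)."""
    entries, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            entries[(key, name)] = data.strip('"').replace("\\\\", "\\")
    return entries

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state from `netstat -an` output."""
    pattern = re.compile(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING")
    return {int(m.group(1)) for m in map(pattern.match, netstat_text.splitlines()) if m}

def lovgate_indicators(reg_text, netstat_text):
    """Return human-readable findings matching the indicators listed in this profile."""
    findings = []
    for (key, name), data in parse_reg_export(reg_text).items():
        if name in LOVGATE_RUN_VALUES and LOVGATE_RUN_VALUES[name].lower() in data.lower():
            findings.append(f"startup hook {key}\\{name} = {data}")
        elif (key.lower().endswith(r"txtfile\shell\open\command") and name == "(Default)"
              and not data.upper().endswith(DEFAULT_TXTFILE_CMD)):
            findings.append(f"txtfile handler hijacked: {data}")
    hits = sorted(listening_ports(netstat_text) & LOVGATE_PORTS)
    return findings + [f"backdoor port {p} listening" for p in hits]
# Constructed sample captures (not from a real system) modelling an infected host.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Synchronizer"="C:\\Program Files\\Sync\\sync.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1192       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1036       10.0.0.9:80            ESTABLISHED
"""
```

Benign Run values and non-listening sockets are ignored, so `lovgate_indicators(SAMPLE_REG, SAMPLE_NETSTAT)` reports only the three startup hooks, the hijacked txtfile handler and the two backdoor ports.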

Aliases

I-Worm.Supnot.c (AVP), W32.HLLW.Lovgate.C@mm (NAV), W32.HLLW.Lovgate@mm, W32/Lovgate.c@M, WORM_LOVGATE.C (Trend)

Virus Characteristics

--- Update February 28, 2003 ---
The risk assessment was lowered to Low-Profiled due to a decrease in prevalence over the past few days.

This is a mailing worm that also spreads via network shares and drops a remote-access trojan. The worm resembles W32/Plage.worm in that it drops the same files on the victim's machine and sends out the same message. The major difference is that the W32/Lovgate family is compiled with MSVC, while W32/Plage was created with Borland C.

Mailing Component

The worm is capable of sending a reply to all new messages found in the user's inbox (Outlook and Outlook Express) by using its own SMTP engine and the server smtp.163.com. It will also attach itself to the message using one of the following names:

  • fun.exe
  • images.exe
  • news_doc.exe
  • s3msong.exe
  • pics.exe
  • billgt.exe
  • midsong.exe
  • PsPGame.exe
  • hamster.exe
  • setup.exe
  • tamagotxi.exe
  • joke.exe
  • docs.exe
  • searchurl.exe
  • card.exe
  • pics.exe

This message-replying propagation strategy makes the worm spread more slowly than classic mass-mailers, which is reflected in the '@M' suffix.

If, for example, you have a message in your INBOX from '???@wherever.com', the worm will reply to the message as follows:

'name' wrote:
====

> Message body

====

wherever.com account auto-reply:

  ' I'll try to reply as soon as possible.
  Take a look at the attachment and send me your opinion!'

      > Get your Free wherever.com account now! <

Aside from replying to messages, under certain conditions the worm may harvest email addresses found within *.HT* files in the %Personal% shell folder. Messages sent to those recipients may appear as follows:

Subject: Cracks!
Body: Check our list and mail your requests!
Attachment: CrkList.exe
or
Subject: The patch
Body: I think all will work fine.
Attachment: Patch.exe
or
Subject: Last Update
Body: This is the last cumulative update.
Attachment: LUPdate.exe
or
Subject: Do not release
Body: This is the pack ;)
Attachment: Pack.exe
or
Subject: Beta
Body: Send reply if you want to be official beta tester.
Attachment: _SetupB.exe
or
Subject: Help
Body: I'm going crazy... please try to find the bug!
Attachment: Source.exe
or
Subject: Evaluation copy
Body: Test it 30 days for free.
Attachment: Setup.exe
or
Subject: Pr0n!
Body: Adult content!!! Use with parental advisory.
Attachment: Sex.exe
or
Subject: Roms
Body: Test this ROM! IT ROCKS!
Attachment: Roms.exe
or
Subject: Documents
Body: Send me your comments...
Attachment: Docs.exe

Worm Component

The worm has capabilities of propagating through network shares. It enumerates network shares and copies itself recursively to folders/subfolders, using the following filenames:

  • fun.exe
  • images.exe
  • news_doc.exe
  • s3msong.exe
  • pics.exe
  • billgt.exe
  • midsong.exe
  • PsPGame.exe
  • hamster.exe
  • setup.exe
  • tamagotxi.exe
  • joke.exe
  • docs.exe
  • searchurl.exe
  • card.exe
  • pics.exe

Backdoor Component

The worm drops a trojan component (77,824 bytes) with the following filenames: ILY.DLL, 1.DLL, REG.DLL and TASK.DLL.

The backdoor opens TCP port 10168 on the computer. It may also open the following ports, and will send an email notification to the hacker that the computer has been compromised.

  • 1192
  • 20168

The following addresses are intended as the notification recipients:

hacker117@163.com
hello_dll@163.com

Information about the infected machine is also sent to the hacker. This information may include the system password. Detection for the backdoor is included in the 4249 DATs as BackDoor-AQJ.


All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher). However, the 4249 and 4250 DAT files contain instructions to reset the TXTFILE SHELL OPEN COMMAND to C:\WINDOWS\NOTEPAD.EXE, which is the incorrect path on some systems. This will be corrected in the 4251 DAT files. Additionally, the 4.2.40 engine and 4250 DAT files are required to remove the registry keys associated with the virus/backdoor. The registry script FixLovgate.reg will correct the TXTFILE key value, remove the keys associated with the services, and remove the run keys.

The 1.DLL file is injected into the LSASS.EXE process, which prevents it from being deleted. This file will be detected as BackDoor-AQJ, but requires a reboot for the removal to complete. Stinger can be used to remove W32/Lovgate@M and BackDoor-AQJ completely, without requiring a reboot.

The 4.2.40 engine, or Stinger, is required to remove the registry keys associated with the virus/trojan running as a service.

Additional Windows ME/XP removal considerations