How to Detect and Remove Lovgate.AD Worm?
What is the Lovgate.AD worm?

Lovgate.AD, a new variant of W32/Lovgate, is packed multiple times.

As with earlier variants, the backdoor component this variant drops has been detected as BackDoor-AQJ since the 4339 DATs.

Like its predecessors, this worm bears the following characteristics:

  • drops a backdoor component.
  • attempts to copy itself to accessible or poorly secured remote shares, scanning contiguous IP ranges for accessible IPC$ or ADMIN$ shares.
  • creates a share on the victim machine (share name "MEDIA").
  • mails itself, constructing messages with its own SMTP engine. The email attachment may be a ZIP archive. Additionally, mails may be sent in reply to email messages found on the victim machine (via MAPI).
  • performs companion virus infection of EXE files (replacing the original file with a copy of itself and renaming the original with a .ZMX extension).
  • terminates processes associated with various AV and security products.

Also known as: I-Worm.Lovgate.ae, W32.Lovgate.Y@mm

How to Remove the Lovgate.AD worm?

Use McAfee VirusScan 2004 to remove Lovgate.AD and any other viruses, following the steps below.

  1. If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore before scanning for viruses. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: How to Disable System Restore in Windows ME or Windows XP.
     
  2. Before continuing, we strongly recommend that you back up the registry before making any changes to it.

    a. Click Start > Run.
    b. Type regedit and then click OK.
    c. Navigate to the key:

       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    d. In the right pane, delete the values:
       • "Winhelp" = "%system%\TkBellExe.exe..."
       • "Hardware Profile" = "%system%\hxdef.exe..."
       • "Program in Windows" = "%system%\IEXPLORE.exe"
       • "Microsoft NetMeeting Associates, Inc." = "NetMeeting.exe"
       • "Protected Storage" = "RUNDLL32.exe MSSIGN30.DLL ondll_reg..."
       • "VFW Encoder/Decoder Settings" = "RUNDLL32.exe MSSIGN30.DLL ondll_reg"
       • "WinHelp" = "%system%\WinHelp.exe"
       • "Shell Extension" = "%system%\spollsv.exe"

    e. Do one of the following:
       • If you are using Windows NT/2000/XP, skip to step h.
       • If you are using Windows 95/98/Me, proceed with step f.

    f. Navigate to the key:

       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    g. In the right pane, delete the values:

       "SystemTra" = "%Windir%\SysTra.exe"
       "COM++ System" = "svchost.exe..."

       When you have deleted these values, proceed with step j.

    h. Navigate to the key:

       HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

    i. In the right pane, delete the value:

       "run" = "RAVMOND.exe"

    j. Navigate to the key:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    k. In the left pane, delete the subkeys:

       _reg

       Windows Management Protocol v.0(experimental

    l. Exit the Registry Editor.

    m. Do one of the following:
       • If you are using Windows NT/2000/XP, skip to step 4, "Scan for and delete the infected files."
       • If you are using Windows 95/98/Me, proceed with step 3.


  3. If you are running Windows 95/98/Me, follow these steps:

    a. The action you take depends on your operating system:
       • Windows 95/98: Go to step b.
       • Windows Me: The Windows Me file-protection process may have made a backup copy of the Win.ini file that you need to edit. If this backup copy exists, it will be in the C:\Windows\Recent folder. Symantec recommends that you delete this file before continuing with the steps in this section. To do this:
         1. Start Windows Explorer.
         2. Browse to and select the C:\Windows\Recent folder.
         3. In the right pane, select the Win.ini file and delete it. The Win.ini file will be regenerated when you save your changes to it in step f.

    b. Click Start > Run.
    c. Type the following and then click OK:

       edit c:\windows\win.ini

       (The MS-DOS Editor opens.)

       Note: If Windows is installed in a different location, make the appropriate path substitution.

    d. In the [windows] section of the file, look for a line similar to:

       run=ravmond.exe

    e. If this line exists, delete everything to the right of run=
    f. Click File > Save.
    g. Click File > Exit.

  4. Scan for and delete the infected files using McAfee VirusScan 2004.

  5. Because Lovgate.AD renames many .exe files, rename them back to the correct extension so that they work again.

    a. Follow the instructions for your operating system:
       • Windows 98/Me/2000
         1. On the Windows desktop, click the Start button > Find or Search > Files or Folders.
         2. In the Search Results window, set "Look in" to the first removable, mapped, or fixed drive type with a drive letter greater than E.
         3. Check Include subfolders.
         4. In the "Named" or "Search for..." box, type, or copy and paste, the following:

            *.zmx

         5. Click Find Now or Search Now.

       • Windows XP
         1. On the Windows desktop, click the Start button > Search.
         2. Click All files and folders.
         3. In the All or part of the file name box, type, or copy and paste, the following:

            *.zmx

         4. Verify that "Look in" is set to the first removable, mapped, or fixed drive type with a drive letter greater than E.
         5. Click More advanced options.
         6. Select Search system folders.
         7. Select Search subfolders.
         8. Select Search hidden files and folders.
         9. Click Search.

    b. For every file that is found, right-click it, select Rename, and then change the .zmx extension to .exe.

    c. Repeat steps a and b for every removable, mapped, or fixed drive type with a drive letter greater than E.

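To check a machine for the persistence entries that steps 2 and 3 remove by hand, here is an added example that is not part of this page or of any McAfee or Symantec tool: it parses a `reg export` dump and a win.ini copy (both constructed samples embedded inline) and reports the Run/RunServices value names, the "run" entry and the service subkeys listed above. The dump layout and sample paths are assumptions; only the value and subkey names come from the page.

```python
import re
# Persistence entries the write-up above attributes to Lovgate.AD; names are
# copied from the page and compared case-insensitively, as the registry does.
RUN_VALUES = {n.lower() for n in (
    "Winhelp", "Hardware Profile", "Program in Windows", "Shell Extension",
    "Microsoft NetMeeting Associates, Inc.", "Protected Storage",
    "VFW Encoder/Decoder Settings")}
RUNSERVICES_VALUES = {"systemtra", "com++ system"}
SERVICE_SUBKEYS = {"_reg", "windows management protocol v.0(experimental"}
SERVICES = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
HKCU_WINDOWS = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
def entries(text):
    """Yield (section, name, data) from .reg or win.ini text; both use [section]
    headers and name=value lines. A header itself yields (section, None, None)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            yield section, None, None
        elif section and (m := re.match(r'^"?([^"=]+)"?=(.*)$', line)):
            yield section, m.group(1), m.group(2).strip('"')  # .reg quotes values

def scan_persistence(text):
    """Return (section, name, data) hits: the worm's Run/RunServices values,
    its 'run' entry (HKCU key or win.ini [windows]) and its service subkeys."""
    hits = []
    for section, name, data in entries(text):
        k = section.lower()
        if name is None:  # a key header: check for the worm's service subkeys
            if k.startswith(SERVICES) and k[len(SERVICES):] in SERVICE_SUBKEYS:
                hits.append((section, None, None))
            continue
        n = name.lower()
        if (k.endswith(r"\currentversion\run") and n in RUN_VALUES
                or k.endswith(r"\currentversion\runservices") and n in RUNSERVICES_VALUES
                or k in ("windows", HKCU_WINDOWS) and n == "run"
                and "ravmond.exe" in data.lower()):
            hits.append((section, name, data))
    return hits
# Constructed sample inputs (not taken from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Hardware Profile"="C:\\WINDOWS\\system32\\hxdef.exe -h"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg]
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=ravmond.exe\n[Desktop]\nWallpaper=\n"
```

Run `scan_persistence` over the output of `reg export` for each key above and over a copy of win.ini; an empty result means none of the listed entries are present.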
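The rename in step 5 done by script, as an added example that is not from this page: it walks a directory tree for .zmx companions and renames each back to .exe, but only where no .exe of that name still exists, because a surviving .exe is the worm copy that step 4 should have deleted. The directory names and file contents are a constructed sample.

```python
import tempfile
from pathlib import Path

def restore_companions(root):
    """Rename <name>.zmx back to <name>.exe below root.

    Lovgate.AD's companion infection leaves the worm copy as <name>.exe and the
    original program as <name>.zmx. If <name>.exe still exists, the worm copy has
    not been removed yet, so that pair is reported rather than overwritten.
    Returns (restored, blocked): .exe paths written, and .exe paths still occupied."""
    restored, blocked = [], []
    # Materialise the match list before renaming; rglob is case-insensitive on Windows.
    for zmx in sorted(Path(root).rglob("*.zmx")):
        exe = zmx.with_suffix(".exe")
        if exe.exists():
            blocked.append(exe)
        else:
            zmx.rename(exe)
            restored.append(exe)
    return restored, blocked

def build_sample_tree(root):
    """Constructed sample: one pair already cleaned by the AV scan, one not."""
    app = Path(root) / "Program Files" / "App"
    app.mkdir(parents=True)
    (app / "app.zmx").write_bytes(b"MZ original app")  # worm copy already deleted
    tools = Path(root) / "Tools"
    tools.mkdir()
    (tools / "tool.zmx").write_bytes(b"MZ original tool")
    (tools / "tool.exe").write_bytes(b"MZ companion still present")

def run_demo():
    """Restore a throwaway tree; returns (restored, blocked) as relative POSIX paths."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    restored, blocked = restore_companions(root)
    rel = lambda paths: sorted(p.relative_to(root).as_posix() for p in paths)
    return rel(restored), rel(blocked)

if __name__ == "__main__":
    done, pending = run_demo()
    print("restored:", done)
    print("still blocked by a companion .exe (rescan first):", pending)
```
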
How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

  1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If you still receive a message that contains the virus, do not open it and do not run the attached file; delete it, making sure that you also delete it from the Deleted Items folder.
  2. Install a good antivirus on your computer. Select McAfee VirusScan 2004 to get the Kaspersky antivirus solution that best suits your needs.
  3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  4. Keep your permanent antivirus protection enabled at all times.
Copyright ©2003-2009 SecureMost.com. All other trademarks are the sole property of their respective owners.