What
is the Lovgate.N worm?
Lovgate.N is a variant of Lovgate. This
variant is also a mass-mailing worm that attempts
to email itself to all the email addresses it
finds in the system. The "sender" of
the email is spoofed, and its subject line and
message body of the email vary.
This worm also attempts to copy itself to all the
computers on a local network and the KaZaA shared
folder.
This threat is written in the C++ programming
language and is compressed with JDPack and ASPack.
Also known as: W32/Lovgate.p@MM
How
Does Lovgate.N Infect My System?
When Lovgate.N runs, it does the following:
- Creates a mutex "test_v2," which
allows only one instance of the worm to run in
memory.
- Copies itself as the following:
- %Windir%\Systra.exe
- %System%\iexplore.exe
- %System%\Winexe.exe
- %System%\RAVMOND.exe
- %System%\WinHelp.exe
- %System%\Kernel66.dll, with attributes
set to Read Only, Hidden, and System.
- Creates the following files:
- %System%\ODBC16.dll (53,760 bytes)
- %System%\msjdbc11.dll (53,760 bytes)
- %System%\MSSIGN30.DLL (53,760 bytes)
These files are all the same-they are
backdoor components of the worm.
- Modifies the (Default) value of the
registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
to:
%System%\winexe.exe %1
so that the worm runs when you open any .exe
file.
- Adds the values:
"Program in
Windows"="%system%\iexplore.exe"
"VFW Encoder/Decoder
Settings"="RUNDLL32.exe MSSIGN30.DLL
ondll_reg"
"Winhelp"="%System%\WinHelp.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start
Windows.
- Adds the value:
"Systemtra"="%Windir%\Systra.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices
so that the worm runs as a service when you
start Windows.
- May create the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1
- On Windows 95.98/Me computers, modifies the
[windows] section of the %Windir%\Win.ini file
by adding the line:
run=%System%\RAVMOND.exe
- Registers itself as a service, allowing it
to continue running even if you log off.
- Creates the service, "NetMeeting Remote
Sharing," which is mapped to
"Rundll32.exe msjdbc11.dll
ondll_server."
- Terminates all the processes that contains
any of the following strings:
- KV
- KAV
- Duba
- NAV
- kill
- RavMon.exe
- Rfw.exe
- Gate
- McAfee
- Symantec
- SkyNet
- rising
- Runs a Backdoor routine on port 6000. The
routine steals the information of a
compromised system and stores it in the file,
C:\Netlog.txt. The worm then emails the stolen
information to the hacker.
- Locates the KaZaA file-shared folder though
a registry key and copies itself to the folder
as one of the following, with a .bat, .exe, .pif,
or .scr file extension:
- wrar320sc
- REALONE
- BlackIcePCPSetup_creak
- Passware5.3
- word_pass_creak
- HEROSOFT
- orcard_original_creak
- rainbowcrack-1.1-win
- W32Dasm
- setup
- <random file name>
- Copies itself to all the network-shared
folders and subfolders as any of the
following:
- Are you looking for Love.doc.exe
- autoexec.bat
- The world of lovers.txt.exe
- How To Hack Websites.exe
- Panda Titanium Crack.zip.exe
- Mafia Trainer!!!.exe
- 100 free essays school.pif
- AN-YOU-SUCK-IT.txt.pif
- Sex_For_You_Life.JPG.pif
- CloneCD + crack.exe
- Age of empires 2 crack.exe
- MoviezChannelsInstaler.exe
- Star Wars II Movie Full Downloader.exe
- Winrar + crack.exe
- SIMS FullDownloader.zip.exe
- MSN Password Hacker and Stealer.exe
- Scans all the computers on the local
network, using the following passwords to
attempt to log in as
"Administrator."
- Guest
- Administrator
- zxcv
- yxcv
- xxx
- win
- ......
Note: The worm will also attempt to
log in as "Administrator" if a
password is not set for the account on a
remote computer.
- If the worm successfully logs on to the
remote computer, it will attempt to copy
itself as:
\\<remote computer
name>\admin$\system32\NetManager.exe
and to start the file as the service, "
Windows Management NetWork Service
Extensions."
- Creates a network share, "GAME",
which points to "%windir%\java."
- Injects a process-watching routine as a
thread into either Explorer.exe or Taskmgr.exe.
This remote thread will launch %System32%\Iexplore.exe
if the worm process is stopped.
- Replies to all the incoming messages when
they arrive in the mailbox of certain
MAPI-compliant email clients, which include
Microsoft Outlook.
- Retrieves the email addresses from the files
with these extensions on drives C to Y, if the
drive is a hard drive or RAM drive:
- .txt
- .htm
- .sht
- .php
- .asp
- .dbx
- .tbb
- .adb
- .pl
- .wab
- Also, uses its own SMTP engine to send
itself to the email addresses it finds in step
20, above.
How to Remove the Lovgate.N worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Lovgate.N during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
1. Disabling
System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we
recommend that you temporarily turn off System
Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on
your computer in case they become damaged. If a
virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on
the computer.
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: How
to Disable System Restore in Windows ME or
Windows XP.
2. Updating the virus definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
3. Scanning for and deleting the infected
files
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Lovgate.N, click Delete.
4. Reversing the changes made to the
registry
Because the worm modified the registry so that
you cannot run a .exe file without also running
the worm, first make a copy of the Registry
Editor as a file with the .com extension, and
then run the file.
- Do one of the following, depending on the
version of Windows you are running:
- Windows 95/98 users:
- Click Start.
- Point to Programs.
- Click the MS-DOS Prompt. (A DOS
window opens at the C:\Windows
prompt.) Proceed to step B of this
section.
- Windows Me users:
- Click Start.
- Point to Programs.
- Point to Accessories.
- Click the MS-DOS Prompt. (A DOS
window opens at the C:\Windows
prompt.) Proceed to step B of this
section.
- Windows NT/2000 users:
- Click Start, and then click Run.
- Type command, and then
press Enter. (A DOS window opens.)
- Type cd \winnt, and then
press Enter.
- Proceed to step 2 of this section.
- Windows XP users:
- Click Start, and then click Run.
- Type command, and then
press Enter. (A DOS window opens.)
- Type the following:
cd\
cd \windows
Press Enter after typing each one.
- Proceed to step B of this section.
- Type copy regedit.exe regedit.com
and then press Enter.
- Type start regedit.com
and then press Enter. (The Registry Editor
opens in front of the DOS window.)
After you finish editing the registry, exit
the Registry Editor, and then exit the DOS
window as well.
- Before continuing, Symantec strongly
recommends that you back up the registry
before making any changes to it. Incorrect
changes to the registry can result in
permanent data loss or corrupted files. Modify
the specified keys only.
- Navigate to and select the key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
NOTE: The HKEY_CLASSES_ROOT
key contains many subkey entries that refer to
other file extensions. One of these file
extensions is .exe. Changing this extension
can prevent any files ending with a .exe
extension from running. Make sure that you
completely browse through this path until you
reach the \command subkey.
Modify the HKEY_CLASSES_ROOT\exefile\shell\open\command
subkey, shown in the following figure:
<<=== NOTE: Modify this key.
- In the right pane, double-click the (Default)
value.
- Delete the current value data, and then
type:
"%1" %*
That is, type the characters:
quote-percent-one-quote-space-percent-asterisk.
NOTES
- Under Windows 95/98/Me/NT, the Registry
Editor automatically encloses the value
within quotation marks. When you click OK,
the (Default) value should look exactly
like this:
""%1" %*"
- Under Windows 2000/XP, the additional
quotation marks will not appear. When you
click OK, the (Default) value should look
exactly like this:
"%1" %*
- Make sure that you completely delete all
the value data in the command key before
typing the correct data. If you leave a
space at the beginning of the entry, any
attempt to run the program files will
result in the error message, "Windows
cannot find .exe." If this occurs,
restart the entire process from the
beginning of this document and make sure
that you completely remove the current
value data.
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the values:
"Program in
Windows"="%system%\iexplore.exe"
"VFW Encoder/Decoder
Settings"="RUNDLL32.exe MSSIGN30.DLL
ondll_reg"
"Winhelp"="%System%\WinHelp.exe"
- Do one of the following:
- If you are using Windows 95/98/Me,
proceed to the next step.
- If you are using Windows NT/2000/XP,
skip to step M.
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices
- In the right pane, delete the value:
"Systemtra"="%Windir%\Systra.exe"
- Exit the Registry Editor.
5. Editing the Win.ini file
If you are running Windows 95/98/Me, follow these
steps:
- The function you perform depends on your
operating system:
- Windows 95/98: Go to step B.
- Windows Me: If you are running
Windows Me, the Windows Me file-protection
process may have made a backup copy of the
Win.ini file that you need to edit. If
this backup copy exists, it will be in the
C:\Windows\Recent folder. Symantec
recommends that you delete this file
before continuing with the steps in this
section. To do this:
- Start Windows Explorer.
- Browse to and select the
C:\Windows\Recent folder.
- In the right pane, select the
Win.ini file and delete it. The
Win.ini file will be regenerated when
you save your changes to it in step F.
- Click Start, and then click Run.
- Type the following, and then click OK.
edit c:\windows\win.ini
(The MS-DOS Editor opens.)
NOTE: If Windows is installed in a
different location, make the appropriate path
substitution.
- In the [windows] section of the
file, look for a line similar to:
run=%System%\RAVMOND.exe
- If this line exists, delete everything to
the right of run=.
- Click File, and then click Save.
- Click File, and then click Exit.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Do
you think this website is useful? Help us to keep
the site growing.
Detect and Removal Instruction for Other
Worms - 'L':
|
