What is the Lovgate.O worm?
Lovgate.O is a variant of Lovgate. This
variant is also a mass-mailing worm that attempts
to reply to all the email messages in the
Microsoft Outlook Inbox.
The "sender" address of the email is spoofed,
and the subject line and message body vary. The
attachment name also varies and carries a .exe, .pif,
or .scr file extension.
This worm also attempts to copy itself to all the
computers on a local network and to the Kazaa-shared
folders.
Also known as: I-Worm.LovGate.t, W32/Lovgate.s@MM
How Does Lovgate.O Infect My System?
When Lovgate.O runs, it does the following:
- Copies itself as the following:
- %Windir%\Systra.exe
- %System%\iexplore.exe
- %System%\Media32.exe
- %System%\RAVMOND.exe
- %System%\WinHelp.exe
- %System%\Kernel66.dll, with attributes
set to Read Only, Hidden, and System.
- Creates a file named AUTORUN.INF in the root
folder of all the drives, except the CD-ROM
drives, and copies itself as COMMAND.EXE into
that folder.
- Creates an archive file
<filename>.<ext> in the root
folder of every drive except A: and B:.
<filename> is one of the following:
- WORK
- setup
- Important
- bak
- letter
- pass
and <ext> is one of the following:
- RAR
- ZIP
This archive contains a copy of the worm
with the file name
<filename>.<ext>.
<filename> is one of the following:
- WORK
- setup
- Important
- book
- email
- PassWord
and <ext> is one of the following:
- exe
- com
- pif
- scr
- Creates the following files:
- %System%\ODBC16.dll (53,760 bytes)
- %System%\msjdbc11.dll (53,760 bytes)
- %System%\MSSIGN30.DLL (53,760 bytes)
These files are all identical; they are the
backdoor components of the worm.
- Modifies the (Default) value of the
registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
to:
%System%\Media32.exe "%1" %*
so that the worm runs when you execute
any .exe files.
- Terminates every process whose name contains
any of the following strings:
- KV
- KAV
- Duba
- NAV
- kill
- RavMon.exe
- Rfw.exe
- Gate
- McAfee
- Symantec
- SkyNet
- rising
- Adds the values:
"Program in
Windows"="%system%\iexplore.exe"
"VFW Encoder/Decoder
Settings"="RUNDLL32.exe MSSIGN30.DLL
ondll_reg"
"WinHelp"="%system%\WinHelp.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start
Windows.
- Adds the value:
"Systemtra"="%Windir%\Systra.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices
so that the worm runs as a service when you
start Windows.
- May create the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1
- Adds the value:
"run"="RAVMOND.exe"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows
so that the worm runs when you start Windows.
- Creates the service, "Windows
Management Protocol v.0 (experimental),"
which is mapped to "Rundll32.exe
msjdbc11.dll ondll_server."
- Runs a backdoor routine listening on port 6000. The
routine collects information about the
compromised system, stores it in the file
C:\Netlog.txt, and then sends the stolen
information to an email address.
- Locates the KaZaA shared folder through
a registry key and copies itself to that folder
under one of the following names, with a .bat, .exe, .pif,
or .scr file extension:
- wrar320sc
- REALONE
- BlackIcePCPSetup_creak
- Passware5.3
- word_pass_creak
- HEROSOFT
- orcard_original_creak
- rainbowcrack-1.1-win
- W32Dasm
- setup
- <random file name>
- Copies itself to all the network-shared
folders and subfolders as any of the
following:
- CD-Cover Editor 2.6.exe
- Zealot All Video Splitter 1.1.9.zip.exe
- Backup Made Simple 5.1.58 crack.exe
- Zealot.exe
- ReadMe.exe
- SetUp.exe
- GBA-Shell.exe
- picture.JPG.pif
- 256MFX5600.txt.pif
- Prescott.scr
- install.exe
- AMD 2600 test.zip.exe
- Norton Antivirus crack.exe
- PC-Cillin readme.txt.exe
- command.com
- NTDETECT.COM
- Scans all the computers on the local
network, using the following passwords to
attempt to log in as an Administrator:
- Guest
- Administrator
- zxcv
- yxcv
- xxx
- win
- ......
Note: The worm will also attempt to
log in as "Administrator" if a
password is not set for the account on a
remote computer.
- If the worm successfully logs on to the
remote computer, it will attempt to copy
itself as:
\\<remote computer
name>\admin$\system32\NetManager32.exe
and to start the file as the service,
"Management Service Extension"
- Creates a network share, "Media,"
which points to "%Windir%\Media."
- Injects a process-watching routine as a
thread into either Explorer.exe or Taskmgr.exe.
This remote thread will launch %System32%\Iexplore.exe
if the worm process is stopped.
- Replies to all the incoming messages when
they arrive in the mailbox of certain
MAPI-compliant email clients, which include
Microsoft Outlook.
- Scans all the drives, if the drive type is
removable, mapped, or the drive type is fixed
with a drive letter greater than E.
The worm will do the following on all the
drives found:
- Attempt to rename the extension on all
the .exe files to .zmx.
- Set the attributes to Hidden and System
on these files.
- Copy itself as the original file name.
For example, if the worm finds
OriginalFile.exe, it will be renamed to
OriginalFile.zmx. The worm will then copy
itself as OriginalFile.exe.
How to Remove the Lovgate.O worm?
Kaspersky Internet Security can protect you from viruses and intrusions.
If Kaspersky detects Lovgate.O during the
scan, it automatically offers you the option
of deleting it. Do this by following the
program's instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we
recommend that you temporarily turn off System
Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on
your computer in case they become damaged. If a
virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on
the computer.
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: How
to Disable System Restore in Windows ME or
Windows XP.
2. Updating the virus definitions
Update your antivirus definitions before scanning
so that the scanner recognizes this variant. If you do not
know which anti-virus software to use, Kaspersky Internet Security is recommended.
3. Scanning for and deleting the infected
files
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Lovgate.O, click Delete.
4. Reversing the changes made to the
registry
Because the worm modified the registry so that
you cannot run a .exe file without also running
the worm, first make a copy of the Registry
Editor as a file with the .com extension, and
then run the file.
- Do one of the following, depending on the
version of Windows you are running:
- Windows 95/98 users:
- Click Start.
- Point to Programs.
- Click the MS-DOS Prompt. (A DOS
window opens at the C:\Windows
prompt.) Proceed to step B of this
section.
- Windows Me users:
- Click Start.
- Point to Programs.
- Point to Accessories.
- Click the MS-DOS Prompt. (A DOS
window opens at the C:\Windows
prompt.) Proceed to step B of this
section.
- Windows NT/2000 users:
- Click Start, and then click Run.
- Type command, and then
press Enter. (A DOS window opens.)
- Type cd \winnt, and then
press Enter.
- Proceed to step B of this section.
- Windows XP users:
- Click Start, and then click Run.
- Type command, and then
press Enter. (A DOS window opens.)
- Type the following:
cd\
cd \windows
Press Enter after typing each one.
- Proceed to step B of this section.
- Type copy regedit.exe regedit.com
and then press Enter.
- Type start regedit.com
and then press Enter. (The Registry Editor
opens in front of the DOS window.)
After you finish editing the registry, exit
the Registry Editor, and then exit the DOS
window as well.
- Before continuing, Symantec strongly
recommends that you back up the registry
before making any changes to it. Incorrect
changes to the registry can result in
permanent data loss or corrupted files. Modify
the specified keys only.
- Navigate to and select the key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
NOTE: The HKEY_CLASSES_ROOT
key contains many subkey entries that refer to
other file extensions. One of these file
extensions is .exe. Changing this extension
can prevent any files ending with a .exe
extension from running. Make sure that you
completely browse through this path until you
reach the \command subkey.
Modify the HKEY_CLASSES_ROOT\exefile\shell\open\command
subkey (in the original figure this key is marked
"NOTE: Modify this key").
- In the right pane, double-click the (Default)
value.
- Delete the current value data, and then
type:
"%1" %*
That is, type the characters:
quote-percent-one-quote-space-percent-asterisk.
NOTES
- Under Windows 95/98/Me/NT, the Registry
Editor automatically encloses the value
within quotation marks. When you click OK,
the (Default) value should look exactly
like this:
""%1" %*"
- Under Windows 2000/XP, the additional
quotation marks will not appear. When you
click OK, the (Default) value should look
exactly like this:
"%1" %*
- Make sure that you completely delete all
the value data in the command key before
typing the correct data. If you leave a
space at the beginning of the entry, any
attempt to run the program files will
result in the error message, "Windows
cannot find .exe." If this occurs,
restart the entire process from the
beginning of this document and make sure
that you completely remove the current
value data.
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the values:
"Program in
Windows"="%system%\iexplore.exe"
"VFW Encoder/Decoder
Settings"="RUNDLL32.exe MSSIGN30.DLL
ondll_reg"
"Winhelp"="%System%\WinHelp.exe"
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices
- In the right pane, delete the value:
"Systemtra"="%Windir%\Systra.exe"
- Navigate to the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows
- In the right pane, delete the value:
"run"="RAVMOND.exe"
- Exit the Registry Editor.
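The registry changes listed in the infection description and reversed in step 4 can also be checked offline from a .reg export (Registry Editor, File > Export). The following Python script is an added example, not part of the original write-up and not a vendor tool: it parses the string values of such an export, flags the exefile handler hijack, the Run/RunServices values and the Win.ini-style "run" value named above, plus the ZMXLIB1 marker key, and emits a corrective .reg file. The sample export and its C:\WINDOWS\system32 paths are constructed (the write-up uses the %System% placeholder); the value names and file names it matches on are those given in the description above.

```python
"""Offline check of a .reg export for the Lovgate.O registry changes listed
above, plus generation of a corrective .reg.  Added example; the sample data
below is constructed (real paths stand in for the write-up's %System%)."""
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
WININI_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
ZMXLIB1_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1"
LEGIT_EXEFILE_CMD = '"%1" %*'  # stock (Default) data of exefile\shell\open\command

# Value names and file-name fragments the write-up attributes to the worm.
WORM_VALUE_NAMES = {
    RUN_KEY: {"program in windows", "vfw encoder/decoder settings", "winhelp"},
    RUNSERVICES_KEY: {"systemtra"},
    WININI_RUN_KEY: {"run"},
}
WORM_DATA_FRAGMENTS = ("media32.exe", "mssign30.dll", "ondll_reg",
                       "systra.exe", "ravmond.exe", "winhelp.exe")

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes: \\ -> \  and  \" -> "

def parse_reg(text):
    """Parse the REG_SZ entries of a .reg export into {key: {name: data}}.
    '@' (the (Default) value) is stored under the empty name; dword:/hex:
    values are skipped because the indicators here are all strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})  # a key with no values still counts as present
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys

def find_lovgate_iocs(keys):
    """Return (key, value_name, reason) tuples for entries matching the write-up."""
    findings = []
    cmd = keys.get(EXEFILE_KEY, {}).get("")
    if cmd is not None and cmd.strip() != LEGIT_EXEFILE_CMD:
        findings.append((EXEFILE_KEY, "(Default)", "exefile handler hijacked: " + cmd))
    for key, names in WORM_VALUE_NAMES.items():
        for name, data in keys.get(key, {}).items():
            low = data.lower()
            by_data = any(frag in low for frag in WORM_DATA_FRAGMENTS)
            # The real iexplore.exe lives under Program Files, never in system32.
            odd_iexplore = "iexplore.exe" in low and "system32" in low
            # 'run' under ...\Windows NT\CurrentVersion\Windows is a legitimate
            # Win.ini compatibility value, so it is flagged on its data only.
            by_name = name.lower() in names and name.lower() != "run"
            if by_data or odd_iexplore or by_name:
                findings.append((key, name, "autorun entry -> " + data))
    if ZMXLIB1_KEY in keys:
        findings.append((ZMXLIB1_KEY, "", "worm marker subkey present"))
    return findings

def build_fix_reg(findings):
    """Emit a .reg that restores the exefile handler and removes the flagged
    entries ('"name"=-' deletes a value, '[-key]' deletes a key).  Review it
    and back up the registry before importing."""
    by_key = {}
    for key, name, _ in findings:
        by_key.setdefault(key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        if key == EXEFILE_KEY:
            out += ["[%s]" % key, '@="\\"%1\\" %*"', ""]
        elif key == ZMXLIB1_KEY:
            out += ["[-%s]" % key, ""]
        else:
            out += ["[%s]" % key] + ['"%s"=-' % n for n in names] + [""]
    return "\n".join(out)

# Constructed sample export; SoundMan is a benign entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\Media32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Program in Windows"="C:\\WINDOWS\\system32\\iexplore.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"WinHelp"="C:\\WINDOWS\\system32\\WinHelp.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Systemtra"="C:\\WINDOWS\\Systra.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
'''

if __name__ == "__main__":
    hits = find_lovgate_iocs(parse_reg(SAMPLE_REG))
    for key, name, reason in hits:
        print(key, repr(name), reason)
    print(build_fix_reg(hits))
```

On an infected machine the generated file is imported with regedit.com (the renamed copy from step 4), since .exe files cannot be launched while the exefile handler still points at Media32.exe; the handler line is written first so that fix takes effect even if the import is interrupted.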
5. Renaming the .zmx files back to .exe
Because Lovgate.O renames the original .exe files
to .zmx and replaces them with copies of itself, the
originals must be renamed back for the affected
programs to work again.
- Follow the instructions for your operating
system:
- Windows 98/Me/2000
- On the Windows desktop, click the
Start button > Find or Search >
Files or Folders.
- In the Search Results window, set
"Look in" to the first
removable, mapped, or fixed drive type
with a drive letter greater than E.
- Check "Include
subfolders."
- In the "Named" or
"Search for..." box, type,
or copy and paste, the following:
*.zmx
- Click Find Now or Search Now.
- Windows XP
- On the Windows desktop, click the
Start button > Search.
- Click All files and folders.
- In the "All or part of the file
name" box, type, or copy and
paste, the following:
*.zmx
- Verify that "Look in" is
set to the first removable, mapped, or
fixed drive type with a drive letter
greater than E.
- Click "More advanced
options."
- Select "Search system
folders."
- Select "Search
subfolders."
- Select "Search hidden files and
folders."
- Click Search.
- For every file that is found, right-click
it, select "Rename," and then change
the .zmx extension to .exe. If a file with that
.exe name still exists in the same folder, it is
the worm's copy of itself (see the infection
description above); make sure it has been deleted
in step 3 before renaming.
- Repeat this step for every removable, mapped,
or fixed drive type with a drive letter
greater than E.
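The drive-level artifacts described above (AUTORUN.INF next to COMMAND.EXE, the lure archives in the drive root, and the .zmx/.exe pairs) can be swept and repaired with a script instead of the Search dialog. The following Python is an added example, not the page's procedure or any vendor's tool. It builds a constructed sample tree in a temporary directory (the write-up does not give the AUTORUN.INF contents, so an "open=COMMAND.EXE" line is assumed), lists the artifacts, and restores each .zmx only after moving the same-named .exe, which is the worm's copy under the original name, into a quarantine folder so nothing is overwritten. Clearing the Hidden and System attributes uses the Win32 API and therefore runs only on Windows; the rest is portable.

```python
"""Sweep a drive root for the Lovgate.O file-system artifacts described above
and restore .zmx files without overwriting anything.  Added example, not the
page's procedure; the sample tree is constructed in a temporary directory."""
import os
import shutil
import tempfile

LURE_STEMS = {"work", "setup", "important", "bak", "letter", "pass"}
LURE_EXTS = {".rar", ".zip"}

def sweep(root):
    """Return {'autorun': [...], 'lures': [...], 'zmx': [(zmx_path, exe_path_or_None)]}."""
    found = {"autorun": [], "lures": [], "zmx": []}
    autorun = os.path.join(root, "AUTORUN.INF")
    if os.path.isfile(autorun):
        with open(autorun, errors="replace") as fh:
            if "command.exe" in fh.read().lower():
                found["autorun"].append(autorun)
    for name in os.listdir(root):  # lure archives are dropped in the drive root only
        stem, ext = os.path.splitext(name)
        if stem.lower() in LURE_STEMS and ext.lower() in LURE_EXTS:
            found["lures"].append(os.path.join(root, name))
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() == ".zmx":
                exe = by_lower.get(stem.lower() + ".exe")  # worm copy under the old name
                found["zmx"].append((os.path.join(dirpath, f),
                                     os.path.join(dirpath, exe) if exe else None))
    return found

def restore_zmx(pairs, quarantine_dir):
    """Move the same-stem .exe (the worm's copy) to quarantine, then rename the
    .zmx back to .exe.  Refuses to overwrite; returns the restored paths."""
    os.makedirs(quarantine_dir, exist_ok=True)
    restored = []
    for zmx, exe in pairs:
        target = zmx[:-len(".zmx")] + ".exe"
        if exe is not None:
            shutil.move(exe, os.path.join(quarantine_dir, os.path.basename(exe) + ".quarantined"))
        if os.path.exists(target):
            raise FileExistsError(target)
        if os.name == "nt":
            import ctypes  # clear the Hidden/System bits the worm set (Windows only)
            ctypes.windll.kernel32.SetFileAttributesW(zmx, 0x80)  # FILE_ATTRIBUTE_NORMAL
        os.rename(zmx, target)
        restored.append(target)
    return restored

def build_demo_tree():
    """Constructed stand-in for an infected F: drive.  The write-up does not give
    the AUTORUN.INF contents; an 'open=COMMAND.EXE' line is assumed here."""
    root = tempfile.mkdtemp(prefix="lovgate_demo_")
    samples = {
        "AUTORUN.INF": b"[autorun]\r\nopen=COMMAND.EXE\r\n",
        "COMMAND.EXE": b"MZ worm copy",
        "Important.zip": b"PK lure archive",
        os.path.join("Tools", "OriginalFile.zmx"): b"MZ legit program",
        os.path.join("Tools", "OriginalFile.exe"): b"MZ worm copy",
        os.path.join("Tools", "Other.zmx"): b"MZ legit program, worm copy already removed",
        os.path.join("Docs", "notes.txt"): b"unrelated",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root

def run_demo():
    """Sweep the constructed tree, restore it, and return a summary for checking."""
    root = build_demo_tree()
    found = sweep(root)
    restored = restore_zmx(found["zmx"], tempfile.mkdtemp(prefix="lovgate_quarantine_"))
    with open(os.path.join(root, "Tools", "OriginalFile.exe"), "rb") as fh:
        original_back = fh.read() == b"MZ legit program"
    return {
        "autorun": len(found["autorun"]),
        "lures": len(found["lures"]),
        "zmx_pairs": sorted(os.path.basename(z) for z, _ in found["zmx"]),
        "restored": sorted(os.path.basename(p) for p in restored),
        "original_back": original_back,
    }

if __name__ == "__main__":
    print(run_demo())
```

Run sweep() first on every removable, mapped, or fixed drive lettered above E and review the list; restore_zmx() is deliberately kept separate so the worm copies can be hashed or submitted before they leave the disk, and the autorun and lure findings are only reported, not deleted, because the antivirus scan in step 3 is the intended cleanup for those.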
How to Protect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If you still
receive a message that contains the worm, do not
open it and do not run the attached file; delete
the message, and make sure that you also delete it
from the Deleted Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.