What is the Lovgate.R worm?
Lovgate.R is a variant of Lovgate. It is also a mass-mailing worm that attempts to email itself to all the email addresses that it finds on the computer.
The "sender" of the email is spoofed, and the subject line and message body of the email vary.
This threat is written in the C++ programming language and is compressed with JDPack and ASPack.
Also known as: W32/Lovgate.x, I-Worm.LovGate.w
How Does Lovgate.R Infect My System?
When Lovgate.R runs, it does the following:
- Copies itself as these files:
- %Windir%\Systra.exe
- %System%\Hxdef.exe
- %System%\iexplore.exe
- %System%\RAVMOND.exe
- %System%\Kernel66.dll, with attributes set to Read Only, Hidden, and System.
- %System%\WinHelp.exe
- Creates the files:
- %System%\ODBC16.dll (53,760 bytes)
- %System%\Msjdbc11.dll (53,760 bytes)
- %System%\MSSIGN30.DLL (53,760 bytes)
- %System%\LMMIB20.DLL (53,760 bytes)
These files are all identical; they are the backdoor components of the worm.
- Creates these files:
- %System%\NetMeeting.exe (61,440 bytes)
- %System%\spollsv.exe (61,440 bytes)
- May create these files in the folder from which the worm was executed:
- a
- results.txt
- win2k.txt
- winxp.txt
These files are not viral by themselves and are not detected as such.
- Adds the values:
"Hardware Profile"="%System%\hxdef.exe"
"Microsoft NetMeeting Associates, Inc."="NetMeeting.exe"
"Program in Windows"="%System%\IEXPLORE.EXE"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Shell Extension"="%System%\spollsv.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"WinHelp"="%System%\WinHelp.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
- Adds the value:
"SystemTra"="%Windir%\Systra.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
so that the worm runs as a service when you start Windows 95/98/Me.
- Adds the value:
"run"="RAVMOND.exe"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
so that the worm runs when you start Windows NT/2000/XP.
- May create the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1
- Stops the following services:
- Rising Realtime Monitor Service
- Symantec Antivirus Server
- Symantec Client
- Creates the service "Windows Management Protocol v.0 (experimental)," which is mapped to "Rundll32.exe msjdbc11.dll ondll_server."
- Creates the service "_reg," which is mapped to "Rundll32.exe msjdbc11.dll ondll_server."
- Terminates all the processes whose names contain any of the following strings:
- KV
- KAV
- Duba
- NAV
- kill
- RavMon.exe
- Rfw.exe
- Gate
- McAfee
- Symantec
- SkyNet
- rising
- Runs a backdoor routine on port 6000. The routine steals information from the compromised system and stores it in the file C:\Netlog.txt. The worm then emails the stolen information to the attacker.
- Copies itself to all the network-shared folders and subfolders as any of the following:
- WinRAR.exe
- Internet Explorer.bat
- Documents and Settings.txt.exe
- Microsoft Office.exe
- Windows Media Player.zip.exe
- Support Tools.exe
- WindowsUpdate.pif
- Cain.pif
- MSDN.ZIP.pif
- autoexec.bat
- findpass.exe
- client.exe
- i386.exe
- winhlp32.exe
- xcopy.exe
- mmc.exe
- Scans all the computers on the local network, and uses the following passwords to attempt to log in as "Administrator":
- Guest
- Administrator
- zxcv
- yxcv
- xxx
- win
- ......
Note: The worm will also attempt to log in as "Administrator" if no password is set for the account on a remote computer.
- If the worm successfully logs on to the remote computer, it will attempt to copy itself as:
\\<remote computer name>\admin$\system32\NetManager.exe
and to start the file as the service "Windows Management NetWork Service Extensions."
- Injects a thread into Explorer.exe or Taskmgr.exe. If the thread detects that the worm is not running or has been deleted, it will attempt to copy and execute the worm again.
- Starts an FTP server on a random port with no authentication required, which means that the infected computer is accessible to anyone.
- Creates a network share, "Media," which points to "%Windir%\Media."
- Creates the zip file <filename>.<ext> in the root folder of all the drives, unless the drive letter is A or B.
<filename> is one of the following:
- WORK
- setup
- Important
- bak
- letter
- pass
and <ext> is one of the following:
- RAR
- ZIP
This zip file contains a copy of the worm with the file name <filename>.<ext>.
<filename> is one of the following:
- WORK
- setup
- Important
- book
- email
- PassWord
and <ext> is one of the following:
- exe
- com
- pif
- scr
- Creates the file Autorun.inf in the root folder of all the drives, except the CD-ROM drives, and copies itself as Command.com into that folder.
NOTE: If you double-click on the disk icon, the worm will be executed.
- Scans all the drives if the drive type is removable or mapped, or if the drive type is fixed with a drive letter greater than E.
The worm will do the following on all the found drives:
- Attempts to rename the extension on all .exe files to .zmx.
- Sets the attributes to Hidden and System on these files.
- Copies itself as the original file name.
For example, if the worm finds OriginalFile.exe, it will be renamed to OriginalFile.zmx. The worm will then copy itself as OriginalFile.exe.
- Attempts to spread to other computers by exploiting the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
- Replies to all the incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, including Microsoft Outlook.
- Scans the system WAB file, temporary Internet files, and all the fixed and RAM disks, and sends itself to all the email addresses it finds.
- If the drive is a hard drive or RAM drive, it will retrieve the email addresses from all the files on drives C to Y that have these extensions:
- .txt
- .htm
- .sht
- .php
- .asp
- .dbx
- .tbb
- .adb
- .pl
- .wab
- Uses its own SMTP engine to send itself to the email addresses that it finds in the two preceding steps (steps 25 and 26 of this list).
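The .exe-to-.zmx replacement described above (a program is renamed to .zmx, marked Hidden and System, and a worm copy is written under the program's original name) can be undone mechanically once the worm is no longer running. The following script is an added example for this write-up, not code from the original page or from any vendor: it finds every .zmx file under a drive root, moves the impostor .exe of the same name into a quarantine folder, and gives the .zmx file its .exe name back. The impostor is identified by name only, so the quarantine folder should be scanned rather than deleted outright. The `demo()` function runs the recovery in a temporary directory populated with constructed files.

```python
"""Recover executables that Lovgate.R renamed to .zmx.

Added example, not part of the original write-up.  The impostor .exe is moved to
a quarantine folder and the .zmx original is renamed back; all file contents in
demo() are constructed."""
import hashlib
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def find_zmx_pairs(root: Path) -> List[Tuple[Path, Optional[Path]]]:
    """Return (renamed original, impostor .exe or None) for every .zmx under root.

    A .zmx without an .exe sibling is still the renamed original (the worm's copy
    step may have failed), so it is returned with impostor None."""
    pairs = []
    for zmx in sorted(root.rglob("*.zmx")):
        exe = zmx.with_suffix(".exe")
        pairs.append((zmx, exe if exe.is_file() else None))
    return pairs


def impostor_digests(pairs) -> Dict[str, List[Path]]:
    """Group impostor .exe files by SHA-256.  Every impostor should be the same worm
    file, so more than one distinct digest means a name collision with something else."""
    groups: Dict[str, List[Path]] = {}
    for _zmx, impostor in pairs:
        if impostor is not None:
            digest = hashlib.sha256(impostor.read_bytes()).hexdigest()
            groups.setdefault(digest, []).append(impostor)
    return groups


def _clear_hidden_system(path: Path) -> None:
    """Drop the Hidden/System attributes the worm sets (attrib.exe; no-op elsewhere)."""
    if os.name == "nt":
        subprocess.run(["attrib", "-h", "-s", str(path)], check=False)


def restore_zmx(root: Path, quarantine: Path) -> List[Path]:
    """Quarantine each impostor .exe and rename its .zmx original back.

    Returns the list of restored .exe paths."""
    quarantine.mkdir(parents=True, exist_ok=True)
    restored = []
    for zmx, impostor in find_zmx_pairs(root):
        target = zmx.with_suffix(".exe")
        if impostor is not None:
            # Keep the directory in the quarantined name so two setup.exe copies don't collide.
            dest = quarantine / str(impostor.relative_to(root)).replace(os.sep, "__")
            impostor.replace(dest)
        _clear_hidden_system(zmx)
        zmx.replace(target)
        restored.append(target)
    return restored


def demo() -> dict:
    """Constructed infected tree: two replaced programs, one orphan .zmx, one unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "drive_f"
        (root / "tools").mkdir(parents=True)
        (root / "tools" / "OriginalFile.zmx").write_bytes(b"MZ original program")
        (root / "tools" / "OriginalFile.exe").write_bytes(b"MZ worm copy")
        (root / "setup.zmx").write_bytes(b"MZ another original")
        (root / "setup.exe").write_bytes(b"MZ worm copy")
        (root / "orphan.zmx").write_bytes(b"MZ renamed but never replaced")
        (root / "notes.txt").write_bytes(b"unrelated")

        pairs = find_zmx_pairs(root)
        digests = impostor_digests(pairs)
        quarantine = Path(tmp) / "quarantine"
        restored = restore_zmx(root, quarantine)
        return {
            "restored": sorted(p.name for p in restored),
            "quarantined": sorted(p.name for p in quarantine.iterdir()),
            "distinct_impostor_digests": len(digests),
            "original_content_back": (root / "tools" / "OriginalFile.exe").read_bytes(),
            "remaining_zmx": [p.name for p in root.rglob("*.zmx")],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the recovery only after the worm's processes and the thread it injects into Explorer.exe or Taskmgr.exe are gone (that thread recopies the worm when it notices the copy is missing), and only after the antivirus scan in the removal steps has finished, so that nothing recreates the impostors while you rename. Keep the quarantine folder until the scanner has confirmed what it holds; `impostor_digests()` is a quick sanity check that every quarantined file is the same binary.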
How to Remove the Lovgate.R worm?
Kaspersky Internet Security can protect you from viruses and intrusions.
If Kaspersky detects Lovgate.R during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: How to Disable System Restore in Windows ME or Windows XP.
2. Updating the virus definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
3. Scanning for and deleting the infected files
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Lovgate.R, click Delete.
4. Reversing the changes made to the registry
Because the worm modified the registry so that you cannot run a .exe file without also running the worm, first make a copy of the Registry Editor as a file with the .com extension, and then run the file.
a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit, and then click OK. (The Registry Editor opens.)
c. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
d. In the right pane, delete the values:
"Hardware Profile"="%System%\hxdef.exe"
"Microsoft NetMeeting Associates, Inc."="NetMeeting.exe"
"Program in Windows"="%System%\IEXPLORE.EXE"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Shell Extension"="%System%\spollsv.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"WinHelp"="%System%\WinHelp.exe"
e. Do one of the following:
- If you use Windows 95/98/Me, proceed with step f.
- If you use Windows NT/2000/XP, proceed with step g.
f. Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
In the right pane, delete the value:
"SystemTra"="%Windir%\Systra.exe"
Then proceed with step h.
g. Navigate to the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
In the right pane, delete the following value:
"run"="RAVMOND.exe"
Then proceed with step h.
h. Exit the Registry Editor.
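The autostart values the worm adds (in the infection description above) are the same ones these registry steps remove, and on more than one machine it is quicker to export the three keys with `reg export` and check the text than to read them by hand in the Registry Editor. The following script is an added example for this write-up, not code from the original page or from any vendor: it parses the `[key]` / `"name"="data"` lines of a .reg export and reports every value whose name or data matches the indicators listed above. The sample export is constructed to show what an infected Windows XP machine might produce; the key paths and value names come from the write-up.

```python
"""Check a Windows registry export (.reg text) for the Lovgate.R autostart values.

Added example, not part of the original write-up.  SAMPLE_EXPORT is constructed."""
import re
from typing import Dict, List, Tuple

# Autostart keys and value names attributed to Lovgate.R in the write-up.
LOVGATE_R_AUTOSTART = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Hardware Profile", "Microsoft NetMeeting Associates, Inc.",
        "Program in Windows", "Protected Storage", "Shell Extension",
        "VFW Encoder/Decoder Settings", "WinHelp",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "SystemTra",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows": {
        "run",
    },
}

# Dropped-file names and RunDLL arguments from the write-up, matched in value data.
# iexplore.exe and winhelp.exe are left out: legitimate Windows files share those names.
LOVGATE_R_DATA_MARKERS = ("hxdef.exe", "netmeeting.exe", "spollsv.exe", "systra.exe",
                          "ravmond.exe", "mssign30.dll", "ondll_reg")

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg string escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and "name"=data lines into {key: {name: data}}.

    Quoted (REG_SZ) data is unescaped; other types (dword:, hex:) are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][_unescape(m.group(1))] = data
    return keys


def find_lovgate_r_autostart(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, data, reason) for each entry matching the indicators.

    Key and value names are compared case-insensitively, as Windows does.  A known
    value name only counts when it carries non-empty data, because the "run" value
    under the HKCU Windows NT key exists (empty) on clean systems."""
    known_by_key = {k.lower(): {n.lower() for n in names}
                    for k, names in LOVGATE_R_AUTOSTART.items()}
    hits = []
    for key, values in keys.items():
        known = known_by_key.get(key.lower(), set())
        for name, data in values.items():
            reasons = []
            if name.lower() in known and data.strip():
                reasons.append("autostart value name used by Lovgate.R")
            markers = [mk for mk in LOVGATE_R_DATA_MARKERS if mk in data.lower()]
            if markers:
                reasons.append("data references " + ", ".join(markers))
            if reasons:
                hits.append((key, name, data, "; ".join(reasons)))
    return hits


# Constructed sample of what `reg export` of the three keys could look like on an
# infected Windows XP machine (%System% expanded to C:\WINDOWS\system32).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Hardware Profile"="C:\\WINDOWS\\system32\\hxdef.exe"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINDOWS\\Systra.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"="RAVMOND.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in find_lovgate_r_autostart(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\n    {name!r} = {data!r}  [{reason}]")
```

On a real machine, export each key with `reg export "<key>" <file>.reg` and pass the file's text to `parse_reg_export()`; exports written by Windows XP and later are UTF-16, so open them with `encoding="utf-16"`. The legitimate `ctfmon.exe` entry and the empty `load` value in the sample are not reported, which is the point of matching on the worm's specific value names and dropped-file names rather than on the Run keys as a whole.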
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear the following tips in mind:
- If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file, and delete it, making sure that you also delete it from the Deleted Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent antivirus protection enabled at all times.