WORM_LOVGATE.G
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.LovGate.ad (Kaspersky), W32/Lovgate.ac@MM (McAfee), W32.Lovgate.X@mm (Symantec), Worm/Lovgate.AD.20 (Avira), Worm:Win32/Lovgate.AC@mm (Microsoft)

In the wild: No

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm is a slightly modified variant of WORM_LOVGATE.F. The only difference between this variant and the earlier .F variant is the name of the event that both create to indicate memory-residency.

This memory-resident worm propagates through network shares by dropping copies of itself to shared folders with read/write access. The files that it drops can have any of the following file names:

  • Are you looking for Love.doc.exe
  • autoexec.bat
  • The world of lovers.txt.exe
  • How To Hack Websites.exe
  • Panda Titanium Crack.zip.exe
  • Mafia Trainer!!!.exe
  • 100 free essays school.pif
  • AN-YOU-SUCK-IT.txt.pif
  • Sex_For_You_Life.JPG.pif
  • CloneCD + crack.exe
  • Age of empires 2 crack.exe
  • MoviezChannelsInstaler.exe
  • Star Wars II Movie Full Downloader.exe
  • Winrar + crack.exe
  • SIMS FullDownloader.zip.exe
  • MSN Password Hacker and Stealer.exe

This worm also propagates via email by replying to all new messages received in Microsoft Outlook and Outlook Express. The email message has the following characteristics:

From: <Infected User’s Name>
To: <Original Sender>
Subject: RE: <Original Subject>
Message body:
'<Infected User’s Name>' wrote:
====
><Original Body>
>
====

<Original Sender’s SMTP account> account auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE <Original Sender’s SMTP account> account now! <
Attachment (randomly selected from any of the following):

  • I am For u.doc.exe
  • Britney spears nude.exe.txt.exe
  • joke.pif
  • DSL Modem Uncapper.rar.exe
  • Industry Giant II.exe
  • StarWars2 - CloneAttack.rm.scr
  • dreamweaver MX (crack).exe
  • Shakira.zip.exe
  • SETUP.EXE
  • Macromedia Flash.scr
  • How to Crack all gamez.exe
  • Me_nude.AVI.pif
  • s3msong.MP3.pif
  • Deutsch BloodPatch!.exe
  • Sex in Office.rm.scr
  • the hardcore game-.pif

This worm also gathers target email addresses from HTML files that it finds in the current, Windows, and My Documents folders, and sends an email message with a copy of itself attached to each of those addresses. The message it sends may be any of the following:

Subject: Reply to this!
Message Body: For further assistance, please contact!
Attachment: About_Me.txt.pif

Subject: Let's Laugh
Message Body: Copy of your message, including all the headers is attached.
Attachment: driver.exe

Subject: Last Update
Message Body: This is the last cumulative update.
Attachment: Doom3 Preview!!!.exe

Subject: for you
Message Body: Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
Attachment: enjoy.exe

Subject: Great
Message Body: Send reply if you want to be official beta tester.
Attachment: YOU_are_FAT!.TXT.pif

Subject: Help
Message Body: This message was created automatically by mail delivery software (Exim).
Attachment: Source.exe

Subject: Attached one Gift for u..
Message Body: It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
Attachment: Interesting.exe

Subject: Hi
Message Body: Adult content!!! Use with parental advisory.
Attachment: README.TXT.pif

Subject: Hi Dear
Message Body: Patrick Ewing will give Knick fans something to cheer about Friday night.
Attachment: images.pif

Subject: See the attachement
Message Body: Send me your comments...
Attachment: Pics.ZIP.scr
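
The file and attachment names listed above share one trait a mail gateway or share scanner can check: a final extension that Windows executes, often hidden behind a decoy document or media extension. The following is an added example, not code from this description or from the vendor; the two extension sets are assumptions drawn from the names on this page, and the sample message is constructed.

```python
import ntpath
from email import message_from_string, policy

# Final extensions Windows runs directly; all four appear in the names listed above.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "bat"}
# Decoy extensions seen before the real one in those names (assumed set).
DECOY_EXTS = {"doc", "txt", "zip", "rar", "jpg", "avi", "mp3", "rm"}

def classify(name):
    """Return 'double-extension', 'executable' or 'ok' for a file or attachment name."""
    # Windows drops trailing dots and spaces, so "a.txt.pif. " is still a .pif file.
    base = ntpath.basename(name).rstrip(". ").lower()
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # A decoy extension anywhere before the final one marks the disguise.
    if any(p in DECOY_EXTS for p in parts[1:-1]):
        return "double-extension"
    return "executable"

def risky_attachments(raw_message):
    """Return [(filename, verdict)] for every MIME part whose name is not 'ok'."""
    msg = message_from_string(raw_message, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [(n, classify(n)) for n in names if classify(n) != "ok"]

# Constructed sample modelled on the first message template listed above.
SAMPLE = """\
From: user@example.com
Subject: Reply to this!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

For further assistance, please contact!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="About_Me.txt.pif"
Content-Transfer-Encoding: base64

AA==
--b1--
"""

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```

The same `classify` function can be run over a directory listing of a writable share to flag the dropped copies by name.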

The worm also has backdoor functions: it opens ports, obtains information about the system, and enables a remote user to execute commands on the compromised system.

This Aspack-compressed worm runs on Windows NT, 2000, and XP.


Description created: Mar. 25, 2003 12:17:26 AM GMT -0800
Description updated: Mar. 25, 2003 12:27:31 AM GMT -0800
