WORM_LOVGATE.B
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.LovGate.a (Kaspersky), W32/Lovgate-A (Sophos),

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This malware is both a worm and a backdoor program. To propagate, it drops copies of itself in network shared folders and subfolders. It also replies to every new email message received in Microsoft Outlook and Outlook Express with the following message:

From: <Infected User’s Name>
To: <Original Sender>
Subject: RE: <Original Subject>
Message body:
'''<Infected User’s Name>' wrote:
====
><Original Body>
>
====

<Original Sender’s SMTP account> account auto-reply:
'Take a look to the attachment and send me your opinion!
I'll try to reply as soon as possible!'

> Get your FREE <Original Sender’s SMTP account> now! <
Attachment: (any of the following)
pics.exe
images.exe
joke.exe
pspgame.exe
news_doc.exe
hamster.exe
tamagotxi.exe
searchurl.exe
setup.exe
card.exe
billgt.exe
midsong.exe
s3msong.exe
docs.exe
humor.exe
fun.exe

Also, to propagate via email, it searches for email addresses in files with extensions beginning with "HT". It then sends itself as an attachment to those addresses, in an email that uses any of the following formats:

Subject: Documents
Message body: Send me your comments..
Attachment: Docs.exe

Subject: Roms
Message body: Test this ROM! IT ROCKS!.
Attachment: Roms.exe

Subject: Pr0n!
Message body: Adult content!!! Use with parental advisory.
Attachment: Sex.exe

Subject: Evaluation copy
Message body: Test it 30 days for free.
Attachment: Setup.exe

Subject: Help
Message body: I'm going crazy... please try to find the bug!
Attachment: Source.exe

Subject: Beta
Message body: Send reply if you want to be official beta tester.
Attachment: _SetupB.exe

Subject: Do not release
Message body: This is the pack ;)
Attachment: Pack.exe

Subject: Last Update
Message body: This is the last cumulative update.
Attachment: LUPdate.exe

Subject: The patch
Message body: I think all will work fine.
Attachment: Patch.exe

Subject: Cracks!
Message body: Check our list and mail your requests!
Attachment: CrkList.exe
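
As an added example (not part of the original description and not Trend Micro's code), the following Python sketch shows how a mail filter could flag both email formats described above: the auto-reply with one of the listed attachments, and the mass-mailed subject/attachment pairs. The function names `classify` and `build_sample` and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Attachment names the page lists for the Outlook auto-reply (lower-cased).
REPLY_ATTACHMENTS = {
    "pics.exe", "images.exe", "joke.exe", "pspgame.exe", "news_doc.exe",
    "hamster.exe", "tamagotxi.exe", "searchurl.exe", "setup.exe", "card.exe",
    "billgt.exe", "midsong.exe", "s3msong.exe", "docs.exe", "humor.exe", "fun.exe",
}
# Subject -> attachment pairs the page lists for the mass-mailing routine.
MASS_MAIL = {
    "documents": "docs.exe", "roms": "roms.exe", "pr0n!": "sex.exe",
    "evaluation copy": "setup.exe", "help": "source.exe", "beta": "_setupb.exe",
    "do not release": "pack.exe", "last update": "lupdate.exe",
    "the patch": "patch.exe", "cracks!": "crklist.exe",
}
AUTO_REPLY_MARKER = "account auto-reply:"  # fixed text from the reply body


def classify(raw_message):
    """Return 'mass-mail', 'auto-reply' or 'clean' for one raw message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    names, body = set(), []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.add(filename.lower())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body.append(payload.decode("utf-8", "replace"))
    text = "\n".join(body).lower()
    if MASS_MAIL.get(subject) in names:  # subject and attachment match as a pair
        return "mass-mail"
    if subject.startswith("re:") and AUTO_REPLY_MARKER in text and names & REPLY_ATTACHMENTS:
        return "auto-reply"
    return "clean"


def build_sample(subject, body, attachment=None):
    """Constructed test message (hypothetical helper, harmless 2-byte attachment)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()
```

Matching the subject and attachment as a pair keeps ordinary mail with a subject such as "Help" from being flagged; a gateway that already blocks executable attachments catches both formats regardless of name.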

As a backdoor, it opens a port, 10168 by default, allowing remote users to access and manipulate the affected system. It sends a notification to the email address hacker117@163.com.


Description created: Feb. 17, 2003 2:05:00 PM GMT -0800
