WORM_LOVGATE.C
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.LovGate.c (Kaspersky), W32/Lovgate.c@M (McAfee), W32.HLLW.Lovgate.F@mm (Symantec), Worm/Lovgate.B (Avira), W32/Lovgate-C (Sophos), Worm:Win32/Lovgate.C@mm (Microsoft)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm uses a relatively new social engineering trick: it mimics an autoreply message and attaches itself to it. Recipients are enticed into opening the malware attachment because the mimicked message arrives as a reply to a familiar message.

It has both backdoor and worm capabilities. As a worm, it spreads via email and network-shared folders. As a backdoor, it allows remote users to access the system through port 10168.

To spread across the network, it drops a copy of itself in network shared folders and subfolders using any of the following file names:

  • billgt.exe
  • card.exe
  • docs.exe
  • fun.exe
  • hamster.exe
  • humor.exe
  • images.exe
  • joke.exe
  • midsong.exe
  • news_doc.exe
  • pics.exe
  • PsPGame.exe
  • s3msong.exe
  • searchURL.exe
  • setup.exe
  • tamagotxi.exe

Through email, it sends itself by replying to all new messages received in Microsoft Outlook and Outlook Express. Upon execution, it uses its own SMTP server, SMTP.163.com, and MAPI commands to spread via email.

Note that the email attachment has the file name of the copy it attempts to drop in network-shared drives.

This worm also gathers target email recipients from .HT* (HTML) files found in the current, Windows and My Documents folders and then sends itself as an attachment to all the target addresses using any of these email messages:

Subject: Documents
Message Body: Send me your comments
Attachment: Docs.exe

Subject: Roms
Message Body: Test this ROM! IT ROCKS!
Attachment: Roms.exe

Subject: Pr0n!
Message Body: Adult content!!! Use with parental advisory.
Attachment: Sex.exe

Subject: Evaluation copy
Message Body: Test it 30 days for free.
Attachment: Setup.exe

Subject: Help
Message Body: I'm going crazy... please try to find the bug!
Attachment: Source.exe

Subject: Beta
Message Body: Send reply if you want to be official beta tester.
Attachment: _SetupB.exe

Subject: Do not release
Message Body: This is the pack ;)
Attachment: Pack.exe

Subject: Last Update
Message Body: This is the last cumulative update.
Attachment: LUPdate.exe

Subject: The patch
Message Body: I think all will work fine.
Attachment: Patch.exe

Subject: Cracks!
Message Body: Check our list and mail your requests!
Attachment: CrkList.exe
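
The file names and subject/attachment pairs listed above can be turned into a simple triage check for mail and share listings. The following Python sketch is an added example, not Trend Micro code; the function names and the sample messages are constructed for illustration, and a name match is only a hint for further analysis, since names such as setup.exe are common on clean systems.

```python
from email import message_from_string
from email.message import EmailMessage

# Names the description lists for copies dropped in network shares; the
# reply-based mail reuses these names for its attachment.
SHARE_NAMES = {n.lower() for n in (
    "billgt.exe", "card.exe", "docs.exe", "fun.exe", "hamster.exe", "humor.exe",
    "images.exe", "joke.exe", "midsong.exe", "news_doc.exe", "pics.exe",
    "PsPGame.exe", "s3msong.exe", "searchURL.exe", "setup.exe", "tamagotxi.exe")}

# Subject -> attachment pairs from the mass-mail templates (lower-cased).
LURES = {"documents": "docs.exe", "roms": "roms.exe", "pr0n!": "sex.exe",
         "evaluation copy": "setup.exe", "help": "source.exe",
         "beta": "_setupb.exe", "do not release": "pack.exe",
         "last update": "lupdate.exe", "the patch": "patch.exe",
         "cracks!": "crklist.exe"}

def attachment_names(msg):
    """Lower-cased file names of every MIME part that carries one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def classify_message(raw):
    """Return a triage label for one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    if LURES.get(subject) in names:          # exact template match
        return "mass-mail lure"
    if any(n in SHARE_NAMES for n in names):  # reply carrying a listed name
        return "possible reply lure"
    return "no match"

def suspicious_share_files(filenames):
    """File names in a share listing that match the dropped-copy list."""
    return sorted(f for f in filenames if f.lower() in SHARE_NAMES)

def sample(subject, filename):
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(classify_message(sample("Roms", "Roms.exe")))
    print(classify_message(sample("Re: lunch", "joke.exe")))
    print(suspicious_share_files(["Report.doc", "PSPGAME.EXE", "setup.exe"]))
```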

By opening port 10168, it allows remote users to access and manipulate the affected system, effectively compromising system security. It sends a notification to either of the following email addresses:

  • 54love@fescomail.net
  • hacker117@163.com

It runs on Windows 95, 98, ME, NT, 2000, and XP.


Description created: Feb. 24, 2003 1:01:15 AM GMT -0800
Description updated: Feb. 24, 2003 10:50:22 AM GMT -0800
