W32.Lovgate.X@mm


Discovered: July 01, 2004
Updated: July 02, 2004 1:55:02 AM
Systems Affected: Windows

W32.Lovgate.X@mm is a mass-mailing worm that also propagates through open network shares. Once installed on a system, it allows unauthorized remote access to the host. It also infects other Windows executable files (files with the extension .exe).

W32.Lovgate.X@mm is a mass-mailing worm that also propagates through open network shares. The worm may copy itself to shared drives using one or more of the following names:
WinRAR.exe
Internet Explorer.bat
Documents and Settings.txt.exe
Microsoft Office.exe
Windows Media Player.zip.exe
Support Tools.exe
WindowsUpdate.pif
Cain.pif
MSDN.ZIP.pif
autoexec.bat
findpass.exe
client.exe
i386.exe
winhlp32.exe
xcopy.exe
mmc.exe

When the worm is executed, it creates the following files:
%Windir%\SYSTRA.EXE
%System%\hxdef.exe
%System%\IEXPLORE.EXE
%System%\RAVMOND.exe
%System%\realsched.exe
%System%\vptray.exe
%System%\kernel66.dll, with attributes set to Read Only, Hidden, and System.
c:\COMMAND.EXE
c:\AUTORUN.INF

The following files are also created which make up the worm's back door component:
%System%\ODBC16.dll (53,248 bytes)
%System%\msjdbc11.dll (53,248 bytes)
%System%\MSSIGN30.DLL (53,248 bytes)
%System%\LMMIB20.DLL (53,248 bytes)

It then creates the following registry entries so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinHelp" = "%system%\realsched.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Hardware Profile" = "%system%\hxdef.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Program In Windows" = "%system%\IEXPLORE.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft NetMeeting Associates, Inc." = "NetMeeting.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"VFW Encoder/Decoder Settings" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Protected Storage" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Shell Extension" = "%system%\spollsv.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices\"SystemTra" = "%Windor%\SysTra.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices\"COM++ System" = "suchost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run"="RAVMOND.exe"

It also modifies the default value for the following registry entries:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
and sets it to:
vptray.exe %1
so that the worm will run each time a .txt file is opened.

It also creates the following services:
Display name: _reg
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic

Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server. Performs scheduled scans for LANguard.
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic
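The dropped files, autostart registry values, txtfile hijack and services listed above can be turned into a single offline indicator check. This is an added example, not Symantec's tooling: it takes a snapshot you supply (registry values, services, file paths in the %Windir%/%System% form used above) and the SAMPLE_* data at the bottom is constructed.

```python
# Offline check for the W32.Lovgate.X@mm host artefacts listed above. Added example,
# not Symantec's tooling; runs against the constructed SAMPLE_* snapshot at the bottom.
from typing import Dict, List

CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
AUTOSTART_KEYS = (CV + r"\Run", CV + r"\runServices",
                  r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows")
TXTFILE_KEYS = (r"HKEY_CLASSES_ROOT\txtfile\shell\open\command",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command")
# Lower-cased substrings of the autostart value data the writeup lists. IEXPLORE.EXE is
# only an indicator when it points into the System folder, so it is matched with its path.
AUTOSTART_MARKERS = ("realsched.exe", "hxdef.exe", "netmeeting.exe", "spollsv.exe",
                     "systra.exe", "suchost.exe", "ravmond.exe", "mssign30.dll ondll_reg",
                     r"%system%\iexplore.exe", r"system32\iexplore.exe")
# Dropped files in the %Windir%/%System% form the writeup uses (caller normalizes paths).
DROPPED = {r"%windir%\systra.exe", r"%system%\hxdef.exe", r"%system%\iexplore.exe",
           r"%system%\ravmond.exe", r"%system%\realsched.exe", r"%system%\vptray.exe",
           r"%system%\kernel66.dll", r"%system%\odbc16.dll", r"%system%\msjdbc11.dll",
           r"%system%\mssign30.dll", r"%system%\lmmib20.dll", r"c:\command.exe",
           r"c:\autorun.inf"}
SERVICE_MARKER = "msjdbc11.dll ondll_server"   # ImagePath of both listed services

def check_host(reg: Dict[str, Dict[str, str]], services: Dict[str, str],
               files: List[str]) -> List[str]:
    """reg: key path -> {value name: data}; services: display name -> ImagePath.
    Returns one descriptive line per indicator found (empty list = nothing found)."""
    hits = []
    for key in AUTOSTART_KEYS:
        for name, data in reg.get(key, {}).items():
            if any(m in data.lower() for m in AUTOSTART_MARKERS):
                hits.append(f"autostart: {key}\\{name} = {data}")
    for key in TXTFILE_KEYS:  # default value hijacked so opening a .txt runs the worm
        default = reg.get(key, {}).get("", "")
        if default.lower().startswith("vptray.exe"):
            hits.append(f"txtfile hijack: {key} = {default}")
    for display, image in services.items():
        if SERVICE_MARKER in image.lower():
            hits.append(f"service: {display} -> {image}")
    hits += [f"dropped file: {p}" for p in files if p.lower() in DROPPED]
    return hits

# Constructed snapshot: one legitimate Run entry and service beside worm artefacts.
SAMPLE_REG = {CV + r"\Run": {"OneDrive": r"C:\Users\me\OneDrive.exe",
                             "WinHelp": r"%system%\realsched.exe",
                             "Protected Storage": "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"},
              TXTFILE_KEYS[0]: {"": "vptray.exe %1"}}
SAMPLE_SERVICES = {"_reg": "Rundll32.exe msjdbc11.dll ondll_server",
                   "Spooler": r"C:\Windows\System32\spoolsv.exe"}
SAMPLE_FILES = [r"%System%\kernel66.dll", r"%System%\notepad.exe", r"C:\AUTORUN.INF"]
```

Legitimate entries in the sample (OneDrive, Spooler, notepad.exe) produce no hits, so the function can be run over a full reg/sc/dir export without flagging every Run value.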

The worm also terminates any processes with the following strings in their names:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising

Next, the worm scans all of the computers attached to the same network segment as the compromised system and attempts to authenticate to the admin$ share on each system it finds, using the "Guest", "Admin" or "Administrator" username combined with the following passwords:
Guest
Administrator
zxcv
yxcv
xxx
win
test123
test
temp123
temp
sybase
super
sex
secret
pwd
pw123
Password
owner
oracle
mypc123
mypc
mypass123
mypass
love
login
Login
Internet
home
godblessyou
god
enable
database
computer
alpha
admin123
Admin
abcd
aaa
88888888
2600
2004
2003
123asd
123abc
123456789
1234567
123123
121212
11111111
110
007
00000000
000000
pass
54321
12345
password
passwd
server
sql
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
1234
111
root
abc123
12345678
abcdefg
abcdef
abc
888888
666666
111111
admin
administrator
guest
654321
123456
321
123

If the worm successfully authenticates to a remote system, it will attempt to create the following copy of itself:
\\<remote computer>\admin$\system32\NetManager32.exe

It also creates a service on the remote system named "Windows Management NetWork Service Extensions" and creates a share named "Media".

The worm will reply to any messages that arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook. For example, if the incoming email has the following properties:
Subject: <subject>
From: <someone>@<somewhere.com>
Message: <original message body>

Then the reply will be formatted as follows:
Subject: Re: <subject>

Message:
<Original message body>
<domain name> auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE <domain name> Mail now! <

The attachment will have one of the following filenames:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

The worm also gathers email addresses on the infected machine and sends an email with the following properties:
Subject: <one of the following:>
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message body can be one of:
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

The attachment name is randomly constructed with one of the following extensions:
.exe
.scr
.pif
.com
.rar
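The two message types described above (the auto-reply with the Kipling lines and footer, and the harvested-address mail with the fixed subjects and bodies) can be matched on the mail side. This is an added example, not Symantec's; the regexes around the variable <domain name> parts, the example.com placeholder and the sample messages are constructed, and only the final extension of an attachment is considered so the double-extension names above are caught.

```python
# Mail-side classifier for the two message types the writeup describes. Added example,
# not Symantec's; regexes around <domain name> and the SAMPLE_* messages are constructed.
import re
from typing import List

AUTO_REPLY_RE = re.compile(r"^\S+ auto-reply:\s*$", re.MULTILINE)
FOOTER_RE = re.compile(r"^> Get your FREE \S+ Mail now! <\s*$", re.MULTILINE)
POEM_LINE = "If you can keep your head when all about you"
SPAM_SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed",
                 "server report", "status", "error"}
SPAM_BODIES = ("Mail failed. For further assistance, please contact!",
               "The message contains Unicode characters and has been sent as a binary attachment.",
               "It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".rar")

def executable_attachments(names: List[str]) -> List[str]:
    """Only the final extension counts, so 'Me_nude.AVI.pif' and
    'Britney spears nude.exe.txt.exe' are both flagged despite the inner extension."""
    return [n for n in names if n.lower().endswith(EXEC_EXT)]

def classify(msg: dict) -> str:
    """msg: {'subject': str, 'body': str, 'attachments': [str]} -> verdict string.
    Both worm message types always carry an executable attachment, so that is required."""
    subject = msg.get("subject", "").strip()
    body = msg.get("body", "")
    execs = executable_attachments(msg.get("attachments", []))
    if not execs:
        return "clean"
    is_reply = subject.lower().startswith("re: ") and AUTO_REPLY_RE.search(body)
    if is_reply and (POEM_LINE in body or FOOTER_RE.search(body)):
        return "lovgate-autoreply"
    if subject.lower() in SPAM_SUBJECTS and any(b in body for b in SPAM_BODIES):
        return "lovgate-mass-mail"
    return "executable-attachment"

# Constructed samples; example.com stands in for the <domain name> placeholder.
SAMPLE_REPLY = {
    "subject": "Re: meeting notes",
    "body": ("thanks for the notes\nexample.com auto-reply:\n" + POEM_LINE +
             "\n... ... more look to the attachment.\n\n> Get your FREE example.com Mail now! <\n"),
    "attachments": ["joke.pif"],
}
SAMPLE_MASS = {"subject": "Mail Transaction Failed", "body": SPAM_BODIES[0],
               "attachments": ["qz81k.scr"]}
```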

The worm also infects executable files (.exe) by prepending the host file with a copy of the dropped file suchost.exe, and appending a copy of the original worm.

The worm also opens a backdoor on a random port.