Win32.LovGate.F@mm (I-Worm.Supnot.F)

SYMPTOMS:

- Files kernel66.dll, Netservices.exe, RAVMOND.exe, WinGate.exe, WinDriver.exe, WinHelp.exe, winrpc.exe, iky668.dll, reg678.dll, task688.dll and 111.dll in the Windows System folder.
- Under Windows 9x systems, the worm adds the line "run=ravmond.exe" to the win.ini file.
- The registry key HKLM\...\CurrentVersion\Run contains the values:
  "run" = RavMonD.exe
  "Program in Windows" = %SYSTEMDIR%\iexplore.exe
  "Remote procedure Call Locator" = RUNDLL32.EXE reg678.dll ondll_reg
  "WinGate initialize" = %SYSTEMDIR%\WinGate.exe -remoteshell
  "WinHelp" = %SYSTEMDIR%\WinHelp.exe
- The registry key HKCR\txtfile\shell\open\command contains:
  "(Default)" = winrpc.exe %1
- The system listens on TCP port 20168.

TECHNICAL DESCRIPTION:

This variant is very similar in behaviour to Win32.LovGate.C. It is clearly a more evolved variant, bringing new features and enhancing previous ones. Only the differences from the previous version are described here.

The main feature added by this version is a component that logs mouse movements and keystrokes; it is also detected by BitDefender as "Win32.LovGate.F". When the worm detects that the user has entered a password, it sends an email using a second SMTP engine, which looks like this:

From: "
Subject: "333www"
Content: a user/password combination, or the string "not find pass!".

The worm arrives as an attachment to email messages that look like this:

Subject: one from the list: Reply to this!, Let's Laugh, Last Update, For You, Great, Help, Attached one gift for u..., Hi Dear, Hi, See the attachement.

Attachment: one from the list: About_me.txt.pif, driver.exe, Doom3 Preview!!!.exe, enjoy.exe, YOU_are_FAT!.TXT.pif, Source.exe, nteresting.exe, readme.txt.pif, images.pif, Pics.ZIP.scr

Body: one from the list:
"For further assistance, please contact!"
"Copy of your message, including all the headers is attached."
"This is the last cumulative update."
"Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)"
"Send reply if you want to be official beta tester."
"This message was created automatically by mail delivery software (Exim)."
"It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West)."
"Adult content!!! Use with parental advisory."
"Patrick Ewing will give Knick fans something to cheer about Friday night."
"Send me your comments..."

The worm then enumerates local shares and copies itself to them under one of the following file names: 100 free essays school.pif, Age of empires 2 crack.exe, AN-YOU-SUCK-IT.txt.pif, Are you looking for Love.doc.exe, autoexec.bat, CloneCD + crack.exe, How To Hack Websites.exe, Mafia Trainer!!!.exe, MoviezChannelsInstaler.exe, MSN Password Hacker and Stealer.exe, Panda Titanium Crack.zip.exe, Sex_For_You_Life.JPG.pif, SIMS FullDownloader.zip.exe, Star Wars II Movie Full Downloader.exe, The world of lovers.txt.exe, Winrar + crack.exe.

The password list has also changed in this version. To access remote shares, the worm tries to brute-force the password using one of the following words: 0 1 7 12 110 111 123 321 1234 2002 2003 2600 12345 54321 111111 121212 123123 123456 654321 666666 888888 1234567 11111111 12345678 88888888 123456789 !@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* 123abc 123asd a aaa abc abc123 abcd abcdef abcdefg Admin admin admin123 administrator alpha asdf asdfgh computer database enable god godblessyou guest home Internet login Login love mypass mypass123 mypc mypc123 oracle owner pass passwd Password password pc pw pw123 pwd root secret server sex sql super sybase temp temp123 test test123 win xp xxx yxcv zxcv

Removal instructions:

The BitDefender Virus Analyse Team has released a free removal tool for this particular virus. Important: you will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client. The BitDefender Antilovgate tool does the following: You may also need to restore the affected files.

ANALYZED BY: Mihai Chiriac, BitDefender Virus Researcher
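The symptoms listed above (dropped files, Run values, the hijacked txtfile handler, the win.ini line, the listening port) and the share-password wordlist can be turned into a host-side indicator check. The script below is an added example and is not BitDefender's removal tool or any code from the analysis; the indicator values come from this description, while the snapshot layout (system_files, run_values, txtfile_cmd, win_ini, listen_tcp) is a hypothetical structure a collection script would fill in, and SAMPLE_SNAPSHOT is constructed data, not a real host.

```python
"""Indicator check for the Win32.LovGate.F@mm symptoms described above.

Added example, not BitDefender's tool. The indicator values are taken from
the description; the snapshot structure is hypothetical and SAMPLE_SNAPSHOT
is constructed for illustration.
"""
import re

# File names the worm drops into the Windows System folder (from the page).
DROPPED_FILES = {
    "kernel66.dll", "netservices.exe", "ravmond.exe", "wingate.exe",
    "windriver.exe", "winhelp.exe", "winrpc.exe", "iky668.dll",
    "reg678.dll", "task688.dll", "111.dll",
}

# Values the worm writes under HKLM\...\CurrentVersion\Run (from the page),
# lower-cased because registry value names and paths are case-insensitive.
RUN_VALUES = {
    "run": "ravmond.exe",
    "program in windows": r"%systemdir%\iexplore.exe",
    "remote procedure call locator": "rundll32.exe reg678.dll ondll_reg",
    "wingate initialize": r"%systemdir%\wingate.exe -remoteshell",
    "winhelp": r"%systemdir%\winhelp.exe",
}

# Hijacked .txt file handler and the backdoor port (from the page).
TXTFILE_HANDLER = re.compile(r"^winrpc\.exe\s+%1$", re.IGNORECASE)
BACKDOOR_PORT = 20168

# Words the worm tries against share passwords (from the page).
SHARE_WORDLIST = set("""
0 1 7 12 110 111 123 321 1234 2002 2003 2600 12345 54321 111111 121212
123123 123456 654321 666666 888888 1234567 11111111 12345678 88888888
123456789 !@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* 123abc 123asd a aaa abc abc123
abcd abcdef abcdefg Admin admin admin123 administrator alpha asdf asdfgh
computer database enable god godblessyou guest home Internet login Login
love mypass mypass123 mypc mypc123 oracle owner pass passwd Password
password pc pw pw123 pwd root secret server sex sql super sybase temp
temp123 test test123 win xp xxx yxcv zxcv
""".split())


def check_snapshot(snapshot):
    r"""Return a list of findings for one host snapshot (hypothetical layout).

    Keys: system_files (file names in the System folder), run_values (dict of
    name -> data under ...\CurrentVersion\Run), txtfile_cmd ((Default) data of
    HKCR\txtfile\shell\open\command), win_ini (win.ini text), listen_tcp
    (TCP ports the host listens on). Missing keys are treated as empty.
    """
    findings = []

    present = {f.lower() for f in snapshot.get("system_files", [])}
    for name in sorted(present & DROPPED_FILES):
        findings.append(f"dropped file present: {name}")

    for name, data in snapshot.get("run_values", {}).items():
        expected = RUN_VALUES.get(name.lower())
        if expected is not None and data.lower() == expected:
            findings.append(f"Run value matches worm: {name!r} = {data!r}")

    if TXTFILE_HANDLER.match(snapshot.get("txtfile_cmd", "").strip()):
        findings.append("txtfile handler hijacked: winrpc.exe %1")

    # Windows 9x: the worm appends "run=ravmond.exe" to win.ini.
    for line in snapshot.get("win_ini", "").splitlines():
        if re.match(r"^\s*run\s*=\s*ravmond\.exe\s*$", line, re.IGNORECASE):
            findings.append("win.ini run= line points at ravmond.exe")

    if BACKDOOR_PORT in set(snapshot.get("listen_tcp", [])):
        findings.append(f"TCP port {BACKDOOR_PORT} is listening")

    return findings


def weak_share_passwords(passwords):
    """Return the subset of `passwords` found in the worm's wordlist.

    The comparison is exact (case-sensitive), matching the list as published,
    which contains both "admin" and "Admin".
    """
    return sorted(p for p in passwords if p in SHARE_WORDLIST)


# Constructed sample snapshot of an infected Windows 9x host (not real data).
SAMPLE_SNAPSHOT = {
    "system_files": ["KERNEL32.DLL", "kernel66.dll", "RAVMOND.exe", "reg678.dll"],
    "run_values": {
        "run": "RavMonD.exe",
        "WinGate initialize": r"%SYSTEMDIR%\WinGate.exe -remoteshell",
        "SystemTray": "SysTray.Exe",
    },
    "txtfile_cmd": "winrpc.exe %1",
    "win_ini": "[windows]\nload=\nrun=ravmond.exe\n",
    "listen_tcp": [139, 20168],
}

if __name__ == "__main__":
    for finding in check_snapshot(SAMPLE_SNAPSHOT):
        print(finding)
    print("weak share passwords:", weak_share_passwords(["Password", "c0rrect-h0rse"]))
```

Run as-is, the constructed snapshot yields eight findings (three dropped files, two Run values, the txtfile handler, the win.ini line and the port), and weak_share_passwords flags "Password" but not a password outside the list. Matching the full Run value data rather than just the value name avoids flagging an unrelated program that happens to register under "run".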