Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: LOW
Payload:
Detection files published:
Description created: 08 Jul 2004 05:58:00
Description updated: 08 Jul 2004 05:58:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL, NETWORK
Summary: None

W32/Lovgate.AJ

Spreading

The worm has several ways of propagating itself.

Firstly, it will send itself over MAPI mail by replying to mails in the user's Outlook inbox. The mails will have the following structure:

'[sender address]' wrote:

====
[original mail body]
====

[senders domain] account auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
Get your FREE [senders domain] account now!

Attachment names are picked from the word list WL1.

Secondly, it will attempt to send itself over SMTP mail as well. In this case it does not reply to any mail, but composes mail based on words and sentences from the word list WL2.

Thirdly, it copies itself to numerous directories on the local machine and network shares using filenames from WL3. It also has a word list that it uses for guessing passwords to gain administrator access.

WL1: File names used for mail attachments:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
message.exe

WL2: Sentences and words used in SMTP mails and subjects:

"For further assistance, please contact!"
"Copy of your message, including all the headers is attached."
"This is the last cumulative update."
"Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)"
"Send reply if you want to be official beta tester."
"This message was created automatically by mail delivery software (Exim)."
"It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West)."
"Adult content!!! Use with parental advisory."
"Patrick Ewing will give Knick fans something to cheer about Friday night."
"Send me your comments..."
"Reply to this!"
"Let's Laugh"
"Last Update"
"for you"
"Great"
"Help"
"Attached one Gift for u.."
"Hi Dear"
"Hi"
"See the attachement"

WL3: File names used when copying to network shares and local directories:

Cain.pif
findpass.exe
Documents and Settings.txt.exe
mmc.exe
client.exe
Support Tools.exe
Windows Media Player.zip.exe
xcopy.exe
WinRAR.exe
Microsoft Office.exe
winhlp32.exe
i386.exe
iexplorer.exe
spollsv.exe
NVC.EXE
Exploier.exe
MSDN.ZIP.pif
message.exe
Internet Explorer.bat
autoexec.bat

Payload Details

Lovgate.AJ tries to stop the anti-virus services below using "net.exe stop":

"Symantec AntiVirus Client"
"Symantec AntiVirus Server"
"Rising Realtime Monitor Service"

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12