Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Lovgate.B@m


Threat Risk LOW LOW
Destructivity LOW LOW
Payload Backdoor trojan functionality
Detection files published
Description created 23 Feb 2003 03:52:00
Description updated 24 Feb 2003 06:38:00
Malware type WORM
Alias W32/Lovgate.C
Spreading mechanism EMAIL
Summary None



This worm finds messages in the Outlook/Outlook Express inbox via MAPI, and replies to them with itself as an attachment.Attachment names:fun.exehumor.exedocs.exes3msong.exemidsong.exebillgt.exeCard.EXESETUP.EXEsearchURL.exetamagotxi.exehamster.exenews_doc.exePsPGame.exejoke.exeimages.exepics.exeThe body of the mail will contain the original mail text as well as the text that the worm itself adds - see above. When the worm is first run it will copy itself to the Windows system directory under the following names:winrpcsrv.exesyshelp.exewinrpc.exewingate.exerpcsrv.exeIt will add the following registry keys in order to make sure the worm is started:HKLM\Software\Microsoft\Windows\Run Syshelp=syshelp.exeHKLM\Software\Microsoft\Windows\Run Wingate initialize=wingate.exe -remoteshellHKCR\txtfile\shell\open\command (default) = winrpc.exe "%l %*"It may also add a line to the WIN.INI file:[boot]run = rpcsrv.exeThe worm is not only email based. It will copy itself to numerous other directories on the local hard disk as well as writable network shares.

Payload Details

The worm drops a backdoor trojan which allows others to access your computer. This backdoor trojan will be called either ily.dll, reg.dll or task.dll, and is called from Registry:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module Call initialize= RUNDLL32.EXE reg.dll ondll_regThe backdoor will attempt to notify its creator via mail about the infection.





Last Updated: 12 Nov 2015 11:06:11