Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity MEDIUM
Payload Installs backdoor trojan
Detection files published 23 Mar 2003 03:00:00
Description created 26 Mar 2003 10:58:00
Description updated 24 Jul 2003 04:01:00
Malware type WORM
Alias
Spreading mechanism EMAIL, NETWORK
Summary None

W32/Lovgate.F@mm

Spreading

The worm has several ways of propagating itself.

Firstly, it will send itself over MAPI mail by replying to mails in the user's Outlook inbox. The mails will have the following structure:


'%SENDER%' wrote:
====
> %ORIGINAL MAIL BODY%

====

%ACCOUNT% account auto-reply:

<
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE %ACCOUNT% account now! <


Attachment names are picked from the word list WL1.

Secondly, it will attempt to send itself over SMTP mail as well. In this case it does not reply to any mail, but composes mail based on words and sentences from the word list WL2. Attachment names are picked from the word list WL3.

Thirdly, it copies itself over network shares, using file names from the word list WL4. It has a word list (WL5) that it uses for guessing passwords to gain administrator access.

The worm copies itself to the Windows system folder under the following names:

iexplore.exe
kernel66.dll
ravmond.exe
windriver.exe
wingate.exe
winhelp.exe
winrpc.exe

It will add registry keys so that these files are started in several different ways, including every time a text file (*.txt) is opened.

The worm installs a backdoor trojan on infected machines that may give attackers unauthorized access.
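As an added example (not part of the Lumension description), a small mail-gateway triage helper that flags attachment names matching a subset of this page's WL1, WL3 and WL4 lists, and generalizes to the decoy double-extension pattern those lists share (a document or media extension followed by an executable one). The log format and addresses are constructed for the example.

```python
import re

# Subset of attachment names from WL1, WL3 and WL4 on this page (lower-cased).
# Deliberately excludes generic entries such as SETUP.EXE or driver.exe, which
# would produce false positives on name alone.
KNOWN_LOVGATE_F_NAMES = {
    "the hardcore game-.pif", "sex in office.rm.scr", "s3msong.mp3.pif",
    "britney spears nude.exe.txt.exe", "i am for u.doc.exe",
    "about_me.txt.pif", "you_are_fat!.txt.pif", "readme.txt.pif", "pics.zip.scr",
    "are you looking for love.doc.exe", "msn password hacker and stealer.exe",
}
EXEC_EXT = {"exe", "pif", "scr", "bat", "com"}          # final extension executed by Windows
DECOY_EXT = {"txt", "doc", "jpg", "avi", "mp3", "rm", "zip", "rar"}  # decoy shown to the user

def classify_attachment(name: str):
    """Return a reason string if the attachment name looks like Lovgate.F, else None."""
    lowered = name.strip().lower()
    if lowered in KNOWN_LOVGATE_F_NAMES:
        return "known Lovgate.F attachment name"
    parts = lowered.rsplit(".", 2)  # ["basename", "decoy ext", "real ext"] when present
    if len(parts) == 3 and parts[2] in EXEC_EXT and parts[1] in DECOY_EXT:
        return f"decoy double extension .{parts[1]}.{parts[2]}"
    return None

# Constructed gateway log lines (hypothetical format, not from the page).
SAMPLE_GATEWAY_LOG = """\
2003-03-23T03:12:01 from=<alice@example.test> subject="Hi Dear" attach="About_Me.txt.pif"
2003-03-23T03:12:07 from=<bob@example.test> subject="Q3 report" attach="report-q3.xlsx"
2003-03-23T03:12:15 from=<carol@example.test> subject="for you" attach="holiday.jpg.scr"
2003-03-23T03:12:40 from=<dave@example.test> subject="Last Update" attach="SETUP.EXE"
"""
ATTACH_RE = re.compile(r'attach="([^"]*)"')

def scan_gateway_log(text: str):
    """Return [(attachment name, reason)] for every flagged line in the log text."""
    hits = []
    for line in text.splitlines():
        m = ATTACH_RE.search(line)
        if not m:
            continue
        reason = classify_attachment(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits

if __name__ == "__main__":
    for name, reason in scan_gateway_log(SAMPLE_GATEWAY_LOG):
        print(f"FLAG {name!r}: {reason}")
```

Generic WL1 names such as SETUP.EXE are intentionally not flagged by name alone; pair this check with the subject lines from WL2 or with hash-based detection from your vendor.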



WL1: File names used for MAPI mail attachments:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe


WL2: Sentences and words used in SMTP mails and subjects:

"For further assistance, please contact!"
"Copy of your message, including all the headers is attached."
"This is the last cumulative update."
"Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)"
"Send reply if you want to be official beta tester."
"This message was created automatically by mail delivery software (Exim)."
"It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West)."
"Adult content!!! Use with parental advisory."
"Patrick Ewing will give Knick fans something to cheer about Friday night."
"Send me your comments..."
"Reply to this!"
"Let's Laugh"
"Last Update"
"for you"
"Great"
"Help"
"Attached one Gift for u.."
"Hi Dear"
"Hi"
"See the attachement"


WL3: Attachment names used in SMTP mails:

About_Me.txt.pif
driver.exe
Doom3 Preview!!!.exe
enjoy.exe
YOU_are_FAT!.TXT.pif
Source.exe
Interesting.exe
README.TXT.pif
images.pif
Pics.ZIP.scr



WL4: File names used for copying over network shares:

Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe


WL5: Passwords attempted to gain administrator access:

zxcv
yxcv
xxx
xp
win
test123
test
temp123
temp
sybase
super
sex
secret
pwd
pw123
pw
pc
Password
owner
oracle
mypc123
mypc
mypass123
mypass
love
login
Login
Internet
home
godblessyou
god
enable
database
computer
alpha
admin123
Admin
abcd
aaa
a
88888888
2600
2003
2002
123asd
123abc
123456789
1234567
123123
121212
12
11111111
110
007
00000000
000000
0
pass
54321
12345
password
passwd
server
sql
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
1234
111
1
root
abc123
12345678
abcdefg
abcdef
abc
888888
666666
111111
admin
administrator
guest
654321
123456
321
123

Payload Details

The worm installs a backdoor component on the infected hard disk under the names:
%SYSTEM DIR%\reg678.dll
%SYSTEM DIR%\Task688.dll
%SYSTEM DIR%\ily668.dll
%SYSTEM DIR%\111.dll

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11