Email-Worm.Win32.LovGate.ah
| Detected | Jul 08 2004 07:06 GMT |
| Released | Aug 25 2004 17:54 GMT |
| Published | Jul 08 2004 07:06 GMT |
This worm spreads via the Internet as an attachment to infected messages. It is written in MFC, and packed using ASPack. The packed file is 152063 bytes in size, and the unpacked file is approximately 250KB in size. The worm is capable of infecting PE EXE files.
Once launched, the worm copies itself to the Windows directory and the Windows system directory under the following names:
%windir%\CDPlay.exe
%windir%\Exploier.exe
%system%\IEXPLORE.exe
%system%\iexplorer.exe
%system%\RAVMOND.exe
%system%\WinHelp.exe
%system%\spoolsv.exe
%system%\Update_OB.exe
%system%\TkBellExe.exe
%system%\hxdef.exe
%system%\Kernel66.dll
It also creates a file named cdrom.com in the root directory of all accessible disks.
The worm may also create several copies of itself in the root directory of all accessible disks in ZIP format. The copies will be saved under random names.
Several copies of the worm are registered in the system registry, so that these files are run each time the system is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="%system%\TkBellExe.exe"
"Hardware Profile"="%system%\hxdef.exe"
"Microsoft Associates, Inc."="%system%\iexplorer.exe"
"SystemTra"="%windir%\CdPlay.exe"
"Shell Extension"="%system%\spollsv.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"COM++ System"="Exploier.exe"
A line is added to win.ini so that the file named RAVMOND.exe is launched automatically on system startup.
The worm also changes the registry value for the .txt file handler, so that the worm gains control whenever a text file is opened:
[txtfile\shell\open\command] "default"="Update_OB.exe %1"
It also creates an additional key in the system registry to flag its presence in the system.
[HKLM\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1]
The worm shares the C:\windows\Media folder on the local network under the share name \\Media.
It copies itself to all accessible disks under the following names:
autoexec.bat
Cain.pif
client.exe
Documents and Settings.txt.exe
findpass.exe
i386.exe
Internet Explorer.bat
Microsoft Office.exe
mmc.exe
MSDN.ZIP.pif
Support Tools.exe
Windows Media Player.zip.exe
WindowsUpdate.pif
winhlp32.exe
WinRAR.exe
xcopy.exe
If the worm finds the P2P client Kazaa on the victim machine, it will copy itself to the file-sharing folder under the following names:
wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
W32Dasm
setup
or under a random name. The file extension is chosen at random from the following list:
BAT EXE PIF SCR
The worm attempts to copy itself to all accessible computers it finds on the local network. To do this, it tries to gain access to shared resources using the Administrator account, trying each of the passwords listed below:
!@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* 0 000000 00000000 007 1 110 111 111111 11111111 12 121212 123 123123 1234 12345 123456 1234567 12345678 123456789 123abc 123asd 2003 2004 2600 321 54321
If the worm manages to establish a connection, it copies itself to \admin$\system32\NetManager.exe and launches this file as the Windows Management Network Service Extensions service.
The worm replies to every message it finds in the 'Incoming' (Inbox) folder by sending an infected email to the sender's address. It also harvests email addresses from files with the following extensions:
wab htm pl adb tbb dbx asp php sht
The infected messages contain one of the following texts:
Mail failed. For further assistance, please contact!
The message sent as a binary attachment.
It's the long-awaited film version of the Broadway hit.
The message contains Unicode characters and has been sent as a binary attachment.
The attachment name is chosen from the following list:
I am For u.doc.exe
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif
The message body may also contain the following text:
If you can keep your head when all about you Are losing theirs and blaming it on you; If you can trust yourself when all men doubt you, But make allowance for their doubting too; If you can wait and not be tired by waiting, Or, being lied about, don't deal in lies, Or, being hated, don't give way to hating, And yet don't look too good, nor talk too wise; ... ... more look to the attachment.
The worm terminates all processes whose names contain any of the following strings:
Duba
Gate
KAV
kill
KV
McAfee
NAV
RavMon.exe
Rfw.exe
rising
SkyNet
Symantec
as well as:
Rising Realtime Monitor Service
Symantec Antivirus Server
Symantec Client
The worm harvests information about the victim machine and saves it in a file named c:\Netlog.txt which is then sent by email to the worm's author.
It installs a backdoor on TCP port 6000 to receive commands.
The worm contains the text string:
I-WORM-ffff Running!
The worm searches all accessible disks from C: to Z: for files with the extension .exe. It renames each such file to the extension .zmx and sets the hidden and system attributes on it, then writes a copy of itself under the original file name, so that the worm is launched whenever the original program is run.
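As an added example that is not part of this description (nor the vendor's code), the following Python triage helper checks a host snapshot for the persistence artifacts listed above (Run/RunServices values, the redirected txtfile handler, the win.ini autostart line) and for the renamed .zmx/.exe pairs left behind by the infection routine. The snapshot format (registry values, win.ini lines and a directory listing with attributes collected elsewhere) and the sample data are assumptions constructed for illustration.

```python
# Added example, not the page's or the vendor's code: offline triage of the host artifacts listed above.
import ntpath

# Autorun value names the description lists under HKLM\...\Run and RunServices.
RUN_VALUE_NAMES = {"WinHelp", "Hardware Profile", "Microsoft Associates, Inc.",
                   "SystemTra", "Shell Extension", "COM++ System"}
# Distinctive file names the worm drops (lower-cased basenames).
DROPPED_NAMES = {"cdplay.exe", "exploier.exe", "iexplorer.exe", "ravmond.exe", "tkbellexe.exe", "hxdef.exe",
                 "kernel66.dll", "update_ob.exe", "spollsv.exe", "netmanager.exe", "cdrom.com"}

def check_autoruns(run_values):
    """Flag Run/RunServices entries whose value name or target file matches the description."""
    return [f"{name} -> {data}" for name, data in run_values.items()
            if name in RUN_VALUE_NAMES
            or ntpath.basename(data.strip('"')).lower() in DROPPED_NAMES]

def check_win_ini(lines):
    """Flag run=/load= lines in win.ini that launch RAVMOND.exe."""
    return [ln for ln in lines if ln.split("=", 1)[0].strip().lower() in ("run", "load")
            and "ravmond.exe" in ln.lower()]

def find_companion_infections(listing):
    """Pair hidden+system .zmx files with the .exe now occupying their old name."""
    present = {path.lower() for path, _ in listing}
    return [(path[:-4] + ".exe", path) for path, attrs in listing
            if path.lower().endswith(".zmx") and {"hidden", "system"} <= set(attrs)
            and (path[:-4] + ".exe").lower() in present]

def triage(snapshot):
    """Collect all findings from one host snapshot as human-readable strings."""
    findings = [f"autorun: {h}" for h in check_autoruns(snapshot["run"])]
    if "update_ob.exe" in snapshot["txtfile_cmd"].lower():  # .txt handler redirected to the worm
        findings.append(f"txtfile handler hijacked: {snapshot['txtfile_cmd']}")
    findings += [f"win.ini autostart: {ln}" for ln in check_win_ini(snapshot["win_ini"])]
    findings += [f"companion infection: {exe} (original renamed to {zmx})"
                 for exe, zmx in find_companion_infections(snapshot["files"])]
    return findings

# Constructed sample snapshot (hypothetical host) mixing benign and infected entries.
SAMPLE = {
    "run": {"WinHelp": r"%system%\TkBellExe.exe", "SystemTra": r"C:\WINDOWS\CdPlay.exe",
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "txtfile_cmd": "Update_OB.exe %1",
    "win_ini": ["[windows]", "load=", r"run=C:\WINDOWS\system32\RAVMOND.exe"],
    "files": [(r"C:\Tools\putty.exe", {"archive"}), (r"C:\Tools\putty.zmx", {"hidden", "system"}),
              (r"C:\Tools\notes.zmx", {"archive"})],
}

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

A clean host yields an empty findings list; on the sample above the benign ctfmon.exe entry and the un-hidden notes.zmx are correctly ignored.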
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.