
Email-Worm.Win32.LovGate.b

Detected Jun 11 2000 14:11 GMT
Released Jul 22 2008 23:13 GMT
Published Jun 11 2000 14:11 GMT

Technical Details

I-Worm.Lovgate.a (aka Supnot.a) is a worm that spreads via the Internet as an attachment to infected emails. The worm also spreads through local area networks and has a backdoor routine. Several variants are known, all very similar to each other.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by AsPack.

The compressed file is about 77K in size; decompressed, it is about 164K.

From an infected email the worm activates only when the user opens (launches) the attached file. When spreading through local area networks, the worm tries to launch its remote copies using Windows NT functions.

When run, the worm installs itself in the system and runs its spreading and backdoor routines.

Installing

While installing, the worm copies itself to the Windows system directory under several names and registers these files in the system registry auto-run keys (under WinNT) and/or in the "run" command of the WIN.INI file (under Win9x).

Worm copies have the following names:

rpcsrv.exe
syshelp.exe
winrpc.exe
WinGate.exe
WinRpcsrv.exe

The registry keys are:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
 "Run"="rpcsrv.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "syshelp"="%SystemDir%\syshelp.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "WinGate initialize"="%SystemDir%\WinGate.exe -remoteshell"
 "Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"

[HKCR\txtfile\shell\open\command]
 "winrpc.exe %1"

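The registry entries above are the worm's persistence points, so they are also the quickest thing to check on a suspect host. The following is an added example (not code from this page or from Kaspersky Lab) that parses a regedit export and matches it against those entries. The export text is a constructed sample, not a real capture; the "Synchronization Manager" value is a benign control entry added for illustration, and the matching keys in AUTORUN_KEYS are the three locations the description lists.

```python
import re
from typing import List, Tuple

# Names the worm installs itself under in the Windows system directory
# and the DLLs of its stand-alone backdoor (both listed on this page).
WORM_FILES = {"rpcsrv.exe", "syshelp.exe", "winrpc.exe", "wingate.exe", "winrpcsrv.exe"}
WORM_DLLS = {"ily.dll", "task.dll", "reg.dll"}

# Autorun locations the worm writes to. The "Run" value under
# HKCU\...\Windows NT\CurrentVersion\Windows is the registry form of WIN.INI "run=".
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows",
}

# Constructed sample: a regedit export of an infected NT host (not real data).
# "Synchronization Manager" is a benign control entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="rpcsrv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINNT\\System32\\syshelp.exe"
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples for the REG_SZ values in a .reg
    export. Other value types (dword:, hex:) are skipped; the worm's autorun
    entries are all plain strings, which is what matters here."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files double backslashes and escape quotes inside strings.
            data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            entries.append((key, name, data))
    return entries


def exe_basename(command: str) -> str:
    """Lower-cased file name of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        exe = parts[0] if parts else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_lovgate_indicators(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Match registry values against the worm's persistence entries.
    Returns (key, value_name, reason) for each hit."""
    hits = []
    for key, name, data in entries:
        k = key.lower()
        exe = exe_basename(data)
        args = {t.lower() for t in data.split()[1:]}
        if k in AUTORUN_KEYS and exe in WORM_FILES:
            hits.append((key, name, f"autorun launches worm file {exe}"))
        elif k in AUTORUN_KEYS and exe == "rundll32.exe" and args & WORM_DLLS:
            hits.append((key, name, f"rundll32 loads worm DLL {sorted(args & WORM_DLLS)[0]}"))
        elif k.endswith(r"\txtfile\shell\open\command") and exe in WORM_FILES:
            # Hijacked .txt handler: the worm is relaunched whenever a text file is opened.
            hits.append((key, name, f".txt handler hijacked by {exe}"))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_lovgate_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name or '(Default)'}: {reason}")
```

On a live host the same checks apply to the output of `reg export` for each of the three keys; the txtfile handler check is worth keeping generic (anything other than notepad.exe there deserves a look), since it survives a reboot even if the Run values are cleaned.
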
Spreading: email

To spread by email, 'Supnot' uses two different methods:

1. The worm looks for "*.HT*" files (HTM, HTML) in the current directory, the Windows directory and the "My Documents" directory (including their subdirectories), scans them for email-like text strings and sends infected messages to the addresses found. To send an infected message the worm either connects directly to the default SMTP server or connects to the "smtp.163.com" server.

Following are the variations of 'Supnot' message attributes:

  Subject:    Cracks!
  Text:       Check our list and mail your requests!
  Attachment: CrkList.exe

  Subject:    The patch
  Text:       I think all will work fine.
  Attachment: Patch.exe

  Subject:    Last Update
  Text:       This is the last cumulative update.
  Attachment: LUPdate.exe

  Subject:    Do not release
  Text:       This is the pack ;)
  Attachment: Pack.exe

  Subject:    Beta
  Text:       Send reply if you want to be official beta tester.
  Attachment: _SetupB.exe

  Subject:    Help
  Text:       I'm going crazy... please try to find the bug!
  Attachment: Source.exe

  Subject:    Evaluation copy
  Text:       Test it 30 days for free.
  Attachment: Setup.exe

  Subject:    Pr0n!
  Text:       Adult content!!! Use with parental advisory.
  Attachment: Sex.exe

  Subject:    Roms
  Text:       Test this ROM! IT ROCKS!.
  Attachment: Roms.exe

  Subject:    Documents
  Text:       Send me your comments...
  Attachment: Docs.exe

2. The worm reads messages from the user's Inbox and "answers" them using Windows MAPI functions. Replies look like:

 Subject:   Re: [original email subject]
 Text:

   [user name] wrote:
   ====
   > [original email text]
   ====
   [email domain name] account auto-reply:

  ' I'll try to reply as soon as possible.
  Take a look to the attachment and send me your opinion! '

        > Get your FREE [email domain name] account now! <
 


The attached file name is randomly selected from the following variants:

  pics.exe          SETUP.EXE     
  images.exe        Card.EXE      
  joke.exe          billgt.exe    
  PsPGame.exe       midsong.exe   
  news_doc.exe      s3msong.exe   
  hamster.exe       docs.exe      
  tamagotxi.exe     humor.exe     
  searchURL.exe     fun.exe       
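Both spreading methods leave fixed fingerprints in the message itself: the first a known subject/attachment pair, the second a "Re:" subject plus the "account auto-reply:" body text plus one of the attachment names above. The following is an added example (not code from this page or from Kaspersky Lab) of a mail-gateway check that applies those fingerprints to raw RFC 822 messages. It also flags the "My I-WORM-and-IPC-20168 running!" string from the worm's notification mail described under "Other" below; since the page does not say where in that mail the string appears, the example checks subject and body, which is an assumption. The messages are constructed samples built in the block, not real captures, and the attachment bytes are a stub with an MZ header standing in for the worm's PE file.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Subject -> attachment pairs of the first spreading method, as listed above.
LURES = {
    "Cracks!": "CrkList.exe",       "The patch": "Patch.exe",
    "Last Update": "LUPdate.exe",   "Do not release": "Pack.exe",
    "Beta": "_SetupB.exe",          "Help": "Source.exe",
    "Evaluation copy": "Setup.exe", "Pr0n!": "Sex.exe",
    "Roms": "Roms.exe",             "Documents": "Docs.exe",
}
# Attachment names of the MAPI "auto-reply" method.
REPLY_ATTACHMENTS = {n.lower() for n in (
    "pics.exe", "images.exe", "joke.exe", "PsPGame.exe", "news_doc.exe",
    "hamster.exe", "tamagotxi.exe", "searchURL.exe", "SETUP.EXE", "Card.EXE",
    "billgt.exe", "midsong.exe", "s3msong.exe", "docs.exe", "humor.exe", "fun.exe")}
REPLY_MARKER = "account auto-reply:"
# String from the worm's notification mail to its owner. Its position in that
# mail is not documented, so subject and body are both checked (assumption).
BEACON_MARKER = "My I-WORM-and-IPC-20168 running!"


def attachment_names(msg: EmailMessage) -> List[str]:
    return [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw: str) -> Optional[str]:
    """Return a verdict for one RFC 822 message, or None if nothing matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    names = attachment_names(msg)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    if BEACON_MARKER in subject or BEACON_MARKER in body:
        return "lovgate-beacon"        # infected host reporting to its owner
    expected = LURES.get(subject)
    if expected and expected.lower() in names:
        return "lovgate-lure"          # method 1: fixed subject/attachment pair
    if (subject.lower().startswith("re:") and REPLY_MARKER in body
            and any(n in REPLY_ATTACHMENTS for n in names)):
        return "lovgate-autoreply"     # method 2: MAPI reply to an inbox message
    return None


def build_sample(subject: str, body: str, attachment: str) -> str:
    """Constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.net"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()


SAMPLE_LURE = build_sample("The patch", "I think all will work fine.", "Patch.exe")
SAMPLE_REPLY = build_sample(
    "Re: Q3 figures",
    "bob wrote:\n====\n> Figures attached.\n====\nexample.net account auto-reply:\n\n"
    "' I'll try to reply as soon as possible.\n"
    "Take a look to the attachment and send me your opinion! '\n\n"
    "        > Get your FREE example.net account now! <\n",
    "humor.exe")
SAMPLE_BENIGN = build_sample("Re: Q3 figures", "Figures attached.", "q3.xlsx")
# Same subject as a lure but a different attachment: subject alone is not enough.
SAMPLE_NEAR_MISS = build_sample("Help", "Can you review this?", "report.pdf")

if __name__ == "__main__":
    for label, raw in [("lure", SAMPLE_LURE), ("reply", SAMPLE_REPLY),
                       ("benign", SAMPLE_BENIGN), ("near miss", SAMPLE_NEAR_MISS)]:
        print(f"{label:10s} -> {classify(raw)}")
```

Requiring both the subject and the attachment name (rather than either alone) keeps ordinary "Help" or "Documents" mail from being quarantined; the attachment list on its own is still useful as a weaker signal for any inbound .exe.
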

Infecting Local Networks

The worm finds network resources (shared writeable disks and directories) and copies itself to them under randomly chosen names:

  pics.exe             SETUP.EXE
  images.exe           Card.EXE
  joke.exe             billgt.exe
  PsPGame.exe          midsong.exe
  news_doc.exe         s3msong.exe
  hamster.exe          docs.exe
  tamagotxi.exe        humor.exe
  searchURL.exe        fun.exe

If a network resource is password-protected, the worm also tries to obtain write access by logging in with the following credentials:

 Login:    "guest", "Administrator"
 Password: "123", "321", "123456", "654321", "administrator", "admin",
           "111111", "666666", "888888", "abc", "abcdef", "abcdefg", "12345678", "abc123"

If the login is successful, the worm creates a remote copy of itself named "stg.exe" and tries to launch it on the remote computer.
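The credential list above is short, so on the wire the share attack looks like a burst of failed network logons for "guest" or "Administrator" from one host, sometimes followed by a success. The following is an added example (not code from this page or from Kaspersky Lab) of detection logic over a Windows Security log export. The export is a constructed sample in a simplified CSV layout (time, event ID, logon type, target user, source IP), not a real log; it assumes the Vista-and-later event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 3 for network logons (hosts of the worm's era logged 529/528 instead), and the threshold and window are illustrative values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Account names the worm tries against password-protected shares (from the list above).
WORM_LOGINS = {"guest", "administrator"}

# Constructed sample export (not real data):
# time,event_id,logon_type,target_user,source_ip
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (share) logon.
SAMPLE_EVENTS = """\
2003-02-24T09:00:01,4625,3,Administrator,10.0.0.37
2003-02-24T09:00:02,4625,3,Administrator,10.0.0.37
2003-02-24T09:00:03,4625,3,Administrator,10.0.0.37
2003-02-24T09:00:04,4625,3,Administrator,10.0.0.37
2003-02-24T09:00:05,4625,3,Administrator,10.0.0.37
2003-02-24T09:00:06,4625,3,Administrator,10.0.0.37
2003-02-24T09:00:07,4625,3,Administrator,10.0.0.37
2003-02-24T09:00:08,4624,3,Administrator,10.0.0.37
2003-02-24T09:00:09,4625,3,guest,10.0.0.37
2003-02-24T09:00:10,4625,3,guest,10.0.0.37
2003-02-24T09:00:11,4625,3,guest,10.0.0.37
2003-02-24T09:01:00,4625,2,Administrator,10.0.0.12
2003-02-24T09:01:10,4625,3,jsmith,10.0.0.12
2003-02-24T09:01:15,4624,3,jsmith,10.0.0.12
"""

Alert = Tuple[str, str, str]   # (source_ip, account, reason)


def parse_events(text: str):
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type),
                       user.lower(), ip))
    events.sort(key=lambda e: e[0])   # stable: equal timestamps keep file order
    return events


def detect_share_bruteforce(text: str, threshold: int = 5,
                            window: timedelta = timedelta(minutes=2)) -> List[Alert]:
    """Flag a source that fails `threshold` network logons to guest/Administrator
    within `window`, and flag it again if a logon from that source then succeeds."""
    alerts: List[Alert] = []
    recent_failures = defaultdict(list)   # (ip, user) -> failure timestamps inside window
    for ts, event_id, logon_type, user, ip in parse_events(text):
        if logon_type != 3 or user not in WORM_LOGINS:
            continue                      # interactive logons and other accounts: out of scope
        key = (ip, user)
        if event_id == 4625:
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window] + [ts]
            if len(recent_failures[key]) == threshold:
                alerts.append((ip, user, "password guessing"))
        elif event_id == 4624 and len(recent_failures[key]) >= threshold:
            # A success right after a burst of failures: one of the guesses worked.
            alerts.append((ip, user, "guess succeeded"))
            recent_failures[key].clear()
    return alerts


if __name__ == "__main__":
    for ip, user, reason in detect_share_bruteforce(SAMPLE_EVENTS):
        print(f"{ip} -> {user}: {reason}")
```

The "guess succeeded" case is the one to page on: it means a share on that host now has a copy of the worm named "stg.exe" and a launch attempt has followed. The guest account is also worth watching here, since it is one of the two names tried; the sample deliberately keeps it below the threshold to show the quieter case.
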

Backdoor

Supnot launches a "backdoor" routine that uses interprocess communication (IPC): it creates a pipe connected to a command processor that it launches on the victim computer (CMD.EXE under Windows NT/2000/XP, COMMAND.COM under Windows 9x/ME). This gives the worm's "owner" a remote shell on the victim computer.

The backdoor is launched in three different ways:

  • as a thread in the worm's process
  • as a part of the "LSASS.EXE" process (under WinNT)
  • as stand-alone DLL files "ily.dll", "Task.dll", "reg.dll" that are stored in the Windows system directory.

The three methods of executing the backdoor carry the identical payload routine.

Other

While sending e-mail messages, the worm creates a temporary file called "CH0016.TMP" in the Windows temporary directory.

The worm also sends a 'notification' e-mail to its "owner" that contains the infected computer's name, IP address, and current user name.

This email contains the following "copyright" string:

  My I-WORM-and-IPC-20168 running!
    

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message, or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

• using a direct connection to an SMTP server using the email directory built into the worm's code
• using MS Outlook services
• using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

• the address book in MS Outlook
• a WAB address database
• .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
• emails in the inbox (some Email-Worms even "reply" to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Aliases

Email-Worm.Win32.LovGate.b (Kaspersky Lab) is also known as:

• I-Worm.LovGate.b (Kaspersky Lab)
• Worm.Lovgate.AQ (ClamAV)
• W32/Lovgate.A (Panda)
• Win32.HLLM.Lovgate.1 (DrWeb)