Name:
Lovgate.g worm
Also known as:
BackDoor-AQJ, W32.HLLW.Lovgate.G@mm, W32/LovGate.G-m, Win32.Lovgate.G, WORM_LOVGATE.G
Type:
Mass-mailing email worm with remote access capabilities
Discovered:
March 25, 2003
Description:
Lovgate.G is a mass-mailing email worm that also spreads via network shares. It drops a remote access component and may send certain data to the worm's author, possibly including system passwords and other sensitive information. Lovgate.G spreads via email by replying to any unread messages in the Microsoft Outlook and Outlook Express inboxes. It also searches drives for HTML files, harvests addresses from any mailto links it finds, and sends copies of itself to those addresses.
Local system impact:
Lovgate.G drops the following files to the Windows system directory:
RAVMOND.exe
WinDriver.exe
WinGate.exe
WinHelp.exe
winrpc.exe
NetServices.exe
IEXPLORE.EXE
reg678.dll
Task688.dll
ily668.dll
kernel66.dll
111.dll
On Windows 9x/ME, the system directory (by default) is located at C:\Windows\system. On Windows NT/2000, the Windows system directory is located at C:\WINNT\system32 and on Windows XP at C:\Windows\system32.
Registry keys modified:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows\Management Instrumentation Driver Extension
DisplayName = "Windows Management Instrumentation Driver Extension"
ObjectName = "LocalSystem"
Network propagation:
Lovgate.G includes a dictionary attack for guessing passwords and gaining access to the IPC$ share on remote systems. Lovgate.G drops the following files on network shares:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
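A triage check for share listings, added here as an example and not taken from the original description: it flags entries whose name matches the list above, and it generalizes the pattern visible in that list (a document, image or archive extension followed by an executable one) to names the list does not contain, including space-padded variants. The server and share names in the sample listing are constructed.

```python
import ntpath  # parses Windows-style paths on any OS

# Share-dropped names copied from the list above, compared case-insensitively.
KNOWN_SHARE_NAMES = {n.lower() for n in (
    "Are you looking for Love.doc.exe", "autoexec.bat",
    "The world of lovers.txt.exe", "How To Hack Websites.exe",
    "Panda Titanium Crack.zip.exe", "Mafia Trainer!!!.exe",
    "100 free essays school.pif", "AN-YOU-SUCK-IT.txt.pif",
    "Sex_For_You_Life.JPG.pif", "CloneCD + crack.exe",
    "Age of empires 2 crack.exe", "MoviezChannelsInstaler.exe",
    "Star Wars II Movie Full Downloader.exe", "Winrar + crack.exe",
    "SIMS FullDownloader.zip.exe", "MSN Password Hacker and Stealer.exe",
)}
EXECUTABLE_EXTS = {".exe", ".pif", ".bat"}     # final extensions seen in the list
DECOY_EXTS = {".doc", ".txt", ".zip", ".jpg"}  # inner extensions seen in the list

def classify(path):
    """Return the reasons (possibly none) a share entry deserves triage."""
    name = ntpath.basename(path).strip()
    reasons = []
    if name.lower() in KNOWN_SHARE_NAMES:
        reasons.append("known-name")
    stem, ext = ntpath.splitext(name)
    # rstrip catches padding such as "notes.txt    .exe" that hides the real type
    inner = ntpath.splitext(stem.rstrip())[1]
    if ext.lower() in EXECUTABLE_EXTS and inner.lower() in DECOY_EXTS:
        reasons.append("double-extension")
    return reasons

def scan(paths):
    """Map each flagged path to its reasons; clean entries are omitted."""
    return {p: r for p in paths if (r := classify(p))}

# Constructed sample listing (hypothetical server and share names).
SAMPLE_LISTING = [
    r"\\fileserver\public\The world of lovers.txt.exe",
    r"\\fileserver\public\Q3 budget.xls",
    r"\\fileserver\public\holiday.jpg.pif",
    r"\\fileserver\public\WINRAR + CRACK.EXE",
    r"\\fileserver\public\setup.exe",
    r"\\fileserver\public\notes.txt   .exe",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LISTING).items():
        print(f"{', '.join(reasons):30} {path}")
```

A known-name hit is a lead rather than a verdict, since autoexec.bat is also a legitimate file name.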
