Lovgate Worm
Virus Description

Lovgate is a mass-mailing email worm thought to have originated in China. It includes a backdoor component which can allow remote manipulation of the infected machine. The Lovgate worm spreads through email and network shares, and even includes a routine for guessing common passwords in order to infect password-protected shares. The backdoor component listens on port 10168 as well as 1192. It logs keystrokes, storing the logged information in win32pwd.sys and win32add.sys, and attempts to send the gathered information to either hello_dll@163.com or hacker117@163.com. The 163.com domain is believed to be a Chinese portal site.

According to antivirus vendor F-Secure, Lovgate copies itself to shares using one of the following names:

 fun.exe
 humor.exe
 docs.exe
 s3msong.exe
 midsong.exe
 billgt.exe
 Card.EXE
 SETUP.EXE
 searchURL.exe
 tamagotxi.exe
 hamster.exe
 news_doc.exe
 PsPGame.exe
 joke.exe
 images.exe
 pics.exe

The worm also copies itself as stg.exe to the Windows\System folder on the accessed system. Depending on the variant, Lovgate may also copy itself to the Windows\System directory on the accessed system, as one of the following filenames: WinGate.exe, WinRpcsrv.exe, syshelp.exe, winrpc.exe, ily.dll, task.dll, reg.dll, 1.dll, win32vxd.dll and/or rpcsrv.ex.

If the shares are password protected, it tries to gain access using both "guest" and "Administrator" as the username and a range of passwords:

 "" (empty password)
 "guest"
 "123"
 "321"
 "123456"
 "654321"
 "administrator"
 "admin"
 "111111"
 "666666"
 "888888"
 "abc"
 "abcdef"
 "abcdefg"
 "12345678"
 "abc123"

Lovgate modifies both the registry and win.ini file on affected machines to load each time the system is booted.

Lovgate replies to email found in the user's inbox, as well as searching .ht* files for email addresses. If the worm is sending itself as a reply, it will include the following message text in the body of the email:

 I'll try to reply as soon as possible.
 Take a look to the attachment and send me your opinion!

Otherwise, it will send itself using a combination of the following:

| Subject | Message Body | Attachment |
| --- | --- | --- |
| Documents | Send me your comments... | Docs.exe |
| Roms | Test this ROM! IT ROCKS!. | Roms.exe |
| Pr0n! | Adult content!!! Use with parental advisory. | Sex.exe |
| Evaluation copy | Test it 30 days for free. | Setup.exe |
| Help | I'm going crazy... please try to find the bug!. | Source.exe |
| Beta | Send reply if you want to be official beta tester. | _SetupB.exe |
| Do not release | This is the pack ;) | Pack.exe |
| Last Update | This is the last cumulative update. | LUPdate.exe |
| The patch | I think all will work fine. | Patch.exe |
| Cracks! | Check our list and mail your requests! | CrkList.exe |

Removing the worm

The most effective removal is through the use of updated antivirus software. Several versions of Lovgate were released in a short span of time and other variants can be expected to follow. Due to subtle differences in the files that are dropped or the method of startup, removing the worm without the aid of antivirus software may result in incomplete disinfection. To manually remove certain Lovgate versions:

  1. Search the system and delete the above-mentioned files.
  2. Locate the following Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the following values:
     "WinGate initialize" = "C:\Windows\System\WinGate.exe -remoteshell"
     "syshelp" = "C:\Windows\System\syshelp.exe"
     "Module Call initialize" = "rundll32.exe reg.dll ondll_reg"
  3. Locate the following Registry key: HKEY_CLASSES_ROOT\txtfile\shell\open\command, where the default value (@) is set to %winsysdir%\winprc.exe "%1", and reset it to the proper value for the text editor being used.
  4. Modify the Run= line of the win.ini file, removing the call to "Run=rpcsrv.exe".
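
The manual checks above can be run as a single pass over collected artifacts. The following Python is an added example, not code from the original article or from F-Secure. It assumes the file names, a REGEDIT4 export of the two registry keys and the win.ini text have already been gathered as strings; the function name `audit` and all sample data are constructed for illustration.

```python
import re

# Indicators from the description above; names are compared case-insensitively.
DROPPED = {"stg.exe", "wingate.exe", "winrpcsrv.exe", "syshelp.exe", "winrpc.exe",
           "ily.dll", "task.dll", "reg.dll", "1.dll", "win32vxd.dll",
           "win32pwd.sys", "win32add.sys"}  # last two: keystroke log files
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"wingate initialize", "syshelp", "module call initialize"}
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"
TXT_HANDLERS = ("winprc.exe", "winrpc.exe")  # the page uses both spellings
REG_LINE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

def audit(file_names, reg_export, win_ini):
    """Return (location, detail) findings for the Lovgate traces listed above."""
    found = [("file", f) for f in file_names if f.lower() in DROPPED]
    key = None
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # remember which registry key we are in
            continue
        m = REG_LINE.match(line)
        if not m:
            continue
        if key == RUN_KEY and (m["name"] or "").lower() in RUN_VALUES:
            found.append(("run-key", m["name"]))
        elif key == TXT_KEY and m["default"] and any(
                h in m["data"].lower() for h in TXT_HANDLERS):
            found.append(("txtfile-handler", m["data"]))
    for line in win_ini.splitlines():
        name, _, value = line.partition("=")
        if name.strip().lower() == "run" and "rpcsrv.exe" in value.lower():
            found.append(("win.ini", line.strip()))
    return found

# Constructed sample state (not captured from a real infection).
SAMPLE_FILES = ["kernel32.dll", "WinGate.exe", "notepad.exe", "reg.dll"]
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinGate initialize"="C:\\Windows\\System\\WinGate.exe -remoteshell"
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\System\\winprc.exe \"%1\""
'''
SAMPLE_INI = "[windows]\nload=\nRun=rpcsrv.exe\n"
if __name__ == "__main__":
    for location, detail in audit(SAMPLE_FILES, SAMPLE_REG, SAMPLE_INI):
        print(f"{location:16} {detail}")
```

An empty result only means none of these specific traces were present; as noted above, variants differ in the files they drop and how they start.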

Complete details of the many variants of Lovgate may be found at http://www.f-secure.com/v-descs/lovgate.shtml
