Worm:W32/Lovgate.B

Classification

Category :

Malware

Type :

Worm

Aliases :

Lovgate, Lovgate.[variant] , Supnot, Supnot.[variant], I-Worm.Supnot, I-Worm.Supnot.[variant]

Summary

Lovgate.B is a mass-mailing and network worm which also has a backdoor component. Apart from the mass-mailing functionality, this worm can spread through Windows shares and steal users' passwords. It also has backdoor capabilities, listening on port 10168 and allowing the attacker to perform different actions on the infected machine.

Removal

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

In all variants A, B and C, a dropped DLL sets up another copy of the backdoor on port 1192.

The worm's executable is packed with ASPack.

History

UPDATE (2003-09-23)

F-Secure received reports about a new Lovgate variant known as Lovgate.N from Germany. F-Secure Anti-Virus detects this worm variant with the following updates: 2003-09-23_02

UPDATE (2003-05-13)

Three new Lovgate variants known as Lovgate.I, Lovgate.J and Lovgate.K have been found on May 13th, 2003. These are similar to old Lovgate variants, but in addition, they infect executable files. For more information see the bottom of the description.

UPDATE (2003-03-27 12:50 GMT)

F-Secure is upgrading Lovgate.F to level 2 because of the increased number of infections. Lovgate.F is an email and network worm with backdoor capabilities. It attempts to gain remote access using a longer list of passwords than previous variants.

UPDATE (2003-03-25 13:30 GMT)

A new variant of Lovgate worm, Lovgate.G has been found on 25th of March 2003. For more information see the bottom of the description.

UPDATE (2003-03-24 13:30 GMT)

A new variant of Lovgate worm, Lovgate.F has been found on 24th of March 2003. For more information see the bottom of the description.

UPDATE (2003-02-24 10:30 GMT)

A new variant of Lovgate worm, Lovgate.C has been found on 24th of February 2003. For more information see the bottom of the description.

Activity

Lovgate sends the private information it gathers to the following addresses:

  • hello_dll@163.com
  • hacker117@163.com

The worm has its own SMTP engine and connects to the host smtp.163.com to deliver its messages. The domain 163.com seems to be a Chinese web portal.

Lovgate copies itself to shares and shares' sub-folders with names such as:

  • fun.exe
  • humor.exe
  • docs.exe
  • s3msong.exe
  • midsong.exe
  • billgt.exe
  • Card.EXE
  • SETUP.EXE
  • searchURL.exe
  • tamagotxi.exe
  • hamster.exe
  • news_doc.exe
  • PsPGame.exe
  • joke.exe
  • images.exe
  • pics.exe

It tries the following usernames and passwords if the shares are password protected:

Usernames:

  • guest
  • Administrator

Passwords:

  • "" (empty password)
  • "guest"
  • "123"
  • "321"
  • "123456"
  • "654321"
  • "administrator"
  • "admin"
  • "111111"
  • "666666"
  • "888888"
  • "abc"
  • "abcdef"
  • "abcdefg"
  • "12345678"
  • "abc123"

If it gains access, it copies itself to a file named "stg.exe" in the "System32" Windows folder of the remote machine and attempts to run it.

It has key-logging capabilities and stores information it gathers in the following files:

  • win32pwd.sys
  • win32add.sys

Lovgate.B copies itself into the Windows system folder with the following filenames:

  • WinGate.exe
  • WinRpcsrv.exe
  • syshelp.exe
  • winrpc.exe
  • rpcsrv.exe

It creates entries in several configuration files and in the Windows registry to run those copies.

Under the registry key

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

it creates the following entries:

  • "WinGate initialize" = "%winsysdir%\WinGate.exe -remoteshell"
  • "syshelp" = "%winsysdir%\syshelp.exe"
  • "Module Call initialize" = "rundll32.exe reg.dll ondll_reg"

Where '%winsysdir%' stands for Windows' system directory.

It also sets the registry key

  • [HKEY_CLASSES_ROOT\txtfile\shell\open\command] @ = %winsysdir%\winprc.exe "%1"

so the worm executes each time the user double-clicks a text file. When run this way it also launches Notepad, so nothing is noticed unless the default editor for text files is something other than Notepad.

It sets the following entry under the 'Windows' section in the win.ini file:

  • [Windows]
  • Run=rpcsrv.exe

Lovgate.B drops the same DLL under the following names:

  • %winsysdir%\ily.dll
  • %winsysdir%\task.dll
  • %winsysdir%\reg.dll
  • %winsysdir%\1.dll

This variant also drops the keylogger DLL as:

  • %winsysdir%\win32vxd.dll

Among other things, those DLLs are in charge of the keylogging process and of sending the collected data back to the worm's creator.

The worm sends email in two different ways. When it runs, it launches a thread that replies to messages found in the inbox using the Windows MAPI functions. The reply message has the following body:

  • I'll try to reply as soon as possible.
  • Take a look to the attachment and send me your opinion!

It also searches for *.ht* files and sends messages to the addresses found inside. Those messages are composed from the following elements.

Possible filenames of the email attachment are:

  • Docs.exe
  • Roms.exe
  • Sex.exe
  • Setup.exe
  • Source.exe
  • _SetupB.exe
  • Pack.exe
  • LUPdate.exe
  • Patch.exe
  • CrkList.exe

Possible subjects are:

  • Documents
  • Roms
  • Pr0n!
  • Evaluation copy
  • Help
  • Beta
  • Do not release
  • Last Update
  • The patch
  • Cracks!

Possible bodies are:

  • Send me your comments...
  • Test this ROM! IT ROCKS!.
  • Adult content!!! Use with parental advisory.
  • Test it 30 days for free.
  • I'm going crazy... please try to find the bug!.
  • Send reply if you want to be official beta tester.
  • This is the pack ;)
  • This is the last cumulative update.
  • I think all will work fine.
  • Check our list and mail your requests!

Lovgate.B is detected by F-Secure Anti-Virus with database: 2003-02-20_01

Variant: Lovgate.A

The main difference in the A variant is that it lacks the automatic reply to messages found in the inbox. Without that, its spreading depends on the availability of writable network shares and of *.ht* files from which to harvest email addresses. Apart from that, most of its functionality is analogous to that of the other known variants.

Variant: Lovgate.C

Lovgate.C appears to have fixed some earlier problems with the email-spreading capabilities of the worm. It keeps the backdoor component running on the same port, 10168. The B variant dropped two different DLLs, while this one only drops one (as the A variant does). It has apparently removed the keylogging component present in the B variant.

There are no other major differences; it uses the same filenames when copying itself onto the computer. Lovgate.C is detected by F-Secure Anti-Virus with database: 2003-02-24_02

Variant: Lovgate.D

This variant is more primitive than the previous ones. When infecting network shares, it does not try to guess passwords. And like the A variant, it only sends email to addresses it finds in *.ht* files on the infected computer. Lovgate.D is detected by F-Secure Anti-Virus with database: 2003-02-24_04

Variant: Lovgate.F

This variant is an improved version. It contains a longer list of passwords to try when attempting to gain access to shared resources:

  • "" (empty password)
  • "123"
  • "321"
  • "123456"
  • "654321"
  • "guest"
  • "administrator"
  • "admin"
  • "111111"
  • "666666"
  • "888888"
  • "abc"
  • "abcdef"
  • "abcdefg"
  • "12345678"
  • "abc123"
  • "root"
  • "1"
  • "111"
  • "1234"
  • "!@#$"
  • "asdf"
  • "asdfgh"
  • "!@#$%"
  • "!@#$%^"
  • "!@#$%^&"
  • "!@#$%^&*"
  • "sql"
  • "server"
  • "passwd"
  • "password"
  • "12345"
  • "54321"
  • "pass"
  • "0 "
  • "000000"
  • "00000000"
  • "007"
  • "110"
  • "11111111"
  • "12"
  • "121212"
  • "123123"
  • "1234567"
  • "123456789"
  • "123abc"
  • "123asd"
  • "2002"
  • "2003"
  • "2600"
  • "88888888"
  • "a"
  • "aaa"
  • "abcd"
  • "Admin"
  • "admin123"
  • "alpha"
  • "computer"
  • "database"
  • "enable"
  • "god"
  • "godblessyou"
  • "home"
  • "Internet"
  • "Login"
  • "login"
  • "love"
  • "mypass"
  • "mypass123"
  • "mypc"
  • "mypc123"
  • "oracle"
  • "owner"
  • "Password"
  • "pc"
  • "pw"
  • "pw123"
  • "pwd"
  • "secret"
  • "sex"
  • "super"
  • "sybase"
  • "temp"
  • "temp123"
  • "test"
  • "test123"
  • "win"
  • "xp"
  • "xxx"
  • "yxcv"
  • "zxcv"
  • "Administrator"
  • "Guest"

It maintains the same basic functionality as previous versions, using the same SMTP server to send email to its author as well as using the default Windows mail configuration.

It drops several DLLs into the system using different names than the previous variants.

It uses the following filenames when sending email through MAPI:

  • "I am For u.doc.exe"
  • "Britney spears nude.exe.txt.exe"
  • "joke.pif"
  • "DSL Modem Uncapper.rar.exe"
  • "Industry Giant II.exe"
  • "StarWars2 - CloneAttack.rm.scr"
  • "dreamweaver MX (crack).exe"
  • "Shakira.zip.exe"
  • "SETUP.EXE"
  • "Macromedia Flash.scr"
  • "How to Crack all gamez.exe"
  • "Me_nude.AVI.pif"
  • "s3msong.MP3.pif"
  • "Deutsch BloodPatch!.exe"
  • "Sex in Office.rm.scr"
  • "the hardcore game-.pif"

It uses the following filenames when copying itself to shared resources:

  • "MSN Password Hacker and Stealer.exe"
  • "SIMS FullDownloader.zip.exe"
  • "Winrar + crack.exe"
  • "Star Wars II Movie Full Downloader.exe"
  • "MoviezChannelsInstaler.exe"
  • "Age of empires 2 crack.exe"
  • "CloneCD + crack.exe"
  • "Sex_For_You_Life.JPG.pif"
  • "AN-YOU-SUCK-IT.txt.pif"
  • "100 free essays school.pif"
  • "Mafia Trainer!!!.exe"
  • "Panda Titanium Crack.zip.exe"
  • "How To Hack Websites.exe"
  • "The world of lovers.txt.exe"
  • "autoexec.bat"
  • "Are you looking for Love.doc.exe"

Lovgate.F is detected by F-Secure Anti-Virus with database: 2003-03-24_03

Variant: Lovgate.G

This variant is functionally identical to Lovgate.F. Lovgate.G is detected by F-Secure Anti-Virus with database: 2003-03-24_03

Variant: Lovgate.I, Lovgate.J, Lovgate.K & Lovgate.L

These new versions keep most of the functionality of the older ones, with several additions. In these versions the file-infecting component is active; that component was present in the F variant but was never activated there.

The filenames used when spreading through shares, as well as the password list, are identical to those in the F variant.

It drops components under the following paths:

  • %winsysdir%\ily668.dll
  • %winsysdir%\Task688.dll
  • %winsysdir%\reg678.dll
  • %winsysdir%\win32vxd.dll

and the file-infecting part of the Lovgate worm, which was not dropped by previous variants, is dropped in:

  • %windowsdir%\DRWTSN16.EXE

Where '%winsysdir%' stands for Windows' system directory and '%windowsdir%' stands for Windows' directory.

Under the registry key

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

the worm creates the following entries:

  • "WinGate initialize" = "%winsysdir%\WinGate.exe -remoteshell"
  • "Remote Procedure Call Locator" = "rundll32.exe reg678.dll ondll_reg"

and under:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

it adds an entry for the component in charge of infecting other files:

  • "COM+ Event System" = "DRWTSN16.EXE"

It also sets the registry key

  • [HKEY_CLASSES_ROOT\exefile\shell\open\command] @ = %winsysdir%\winexe.exe "%1" %*

so the worm executes each time the user runs an executable file. These variants also try to terminate several anti-virus processes if they find them running on the system.
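A read-only triage check for the persistence points, dropped files and backdoor ports described above for Lovgate.B and, in this section, for the I to L variants. This is an added example, not F-Secure's removal tool; it assumes a current Windows host (Get-NetTCPConnection needs Windows 8 / Server 2012 or later) and an elevated PowerShell session.

```powershell
# Added triage script: reports the Lovgate indicators named on this page. It only reads;
# it does not delete or repair anything.
$sys = [Environment]::GetFolderPath('System')   # %winsysdir%
$win = $env:SystemRoot                          # %windowsdir%
$findings = @()

# 1. Run / RunServices values used by the B variant and the I-L variants
$runKeys = @{
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'         = @('WinGate initialize', 'syshelp', 'Module Call initialize', 'Remote Procedure Call Locator')
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices' = @('COM+ Event System')
}
foreach ($key in $runKeys.Keys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in $runKeys[$key]) {
    $val = $props.PSObject.Properties[$name]
    if ($val) { $findings += "Run value '$name' = '$($val.Value)' under $key" }
  }
}

# 2. Shell open-command hijacks: txtfile (B variant) and exefile (I-L variants)
foreach ($cls in 'txtfile', 'exefile') {
  $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
  if (-not (Test-Path $key)) { continue }
  $cmd = (Get-ItemProperty -Path $key).'(default)'
  if ($cmd -match 'winprc\.exe|winrpc\.exe|winexe\.exe') { $findings += "$cls open command hijacked: $cmd" }
}

# 3. win.ini Run= line (B variant)
$ini = Join-Path $win 'win.ini'
if (Test-Path $ini) {
  $line = Get-Content $ini | Where-Object { $_ -match '^\s*run\s*=.*rpcsrv\.exe' }
  if ($line) { $findings += "win.ini: $line" }
}

# 4. Dropped executables, DLLs and keylogger output files from the description
$names = 'WinGate.exe', 'WinRpcsrv.exe', 'syshelp.exe', 'winrpc.exe', 'rpcsrv.exe', 'stg.exe',
         'ily.dll', 'task.dll', 'reg.dll', '1.dll', 'win32vxd.dll', 'win32pwd.sys', 'win32add.sys',
         'ily668.dll', 'Task688.dll', 'reg678.dll'
$paths = @($names | ForEach-Object { Join-Path $sys $_ }) + (Join-Path $win 'DRWTSN16.EXE')
foreach ($p in $paths) { if (Test-Path $p) { $findings += "File present: $p" } }

# 5. Backdoor listeners on ports 10168 (worm) and 1192 (dropped DLL)
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object { $_.LocalPort -in 10168, 1192 }
foreach ($l in $listeners) { $findings += "Listener on port $($l.LocalPort) (PID $($l.OwningProcess))" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No Lovgate indicators found.' }
```

A hit on any single item is only a lead: the Run value names and the file names are generic enough to collide with legitimate software, so confirm with an up-to-date scanner before acting.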

Detection of Lovgate.I, Lovgate.J and Lovgate.K was published in update: 2003-05-13_03

Detection of Lovgate.L was published in update: 2003-05-14_01

Variant: Lovgate.M

This variant retains the functionality of the previous ones. The only changes lie in the mail composition, where messages are composed from the following elements:

Subjects are chosen from:

  • Reply to this!
  • Let's Laugh
  • Last Update
  • for you
  • Great
  • Help
  • Attached one Gift for u..
  • Hi Dear
  • See the attachement

And message bodies from:

  • For further assistance, please contact!
  • Copy of your message, including all the headers is attached.
  • This is the last cumulative update.
  • Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
  • Send reply if you want to be official beta tester.
  • This message was created automatically by mail delivery software (Exim).
  • It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
  • Adult content!!! Use with parental advisory.
  • Patrick Ewing will give Knick fans something to cheer about Friday night.
  • Send me your comments...

Attachment names from:

  • About_Me.txt.pif
  • driver.exe
  • Doom3 Preview!!!.exe
  • enjoy.exe
  • YOU_are_FAT!.TXT.pif
  • Source.exe
  • Interesting.exe
  • README.TXT.pif
  • images.pif
  • Pics.ZIP.scr

The list of passwords, message components (subjects, bodies) and filenames used when spreading through shares are all as in Lovgate.M.

Detection of Lovgate.M was published in update: 2003-06-18_03