Threat Encyclopedia

Virus, spyware, worms and other threat descriptions

Win32/Lovgate.F

Win32/Lovgate.F is a worm that runs on Windows operating systems. It spreads as a file attached to an e-mail message. The worm is written in Microsoft Visual C++ and compressed with ASPack. It contains a backdoor component.

Note: In the following text, %windir% stands for the directory in which the Windows operating system is installed; this may differ from installation to installation. %system% stands for the System or System32 subdirectory of %windir%.

The worm arrives as a file attached to an e-mail message. When the attached file is run, it creates the files WinRpcsrv.exe, syshelp.exe, winrpc.exe, WinGate.exe, rpcsrv.exe and news_doc.exe in the %system% directory.

It also creates three values under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: syshelp, set to %system%\syshelp.exe; WinGate initialize, set to %system%\WinGate.exe -remoteshell; and Module Call initialize, set to RUNDLL32.EXE reg.dll ondll_reg.

The worm also tries to spread over local networks through shared directories, into which it copies itself under the following names:

fun.exe
humor.exe
docs.exe
s3msong.exe
midsong.exe
billgt.exe
Card.EXE
SETUP.EXE
searchURL.exe
tamagotxi.exe
hamster.exe
news_doc.exe
PsPGame.exe
joke.exe
images.exe
pics.exe

The worm also modifies the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command, setting it to the value @="winrpc.exe %1".
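The file names and registry changes listed above can be checked against data collected from a host. The following is an added example, not part of the original description or of any Eset tool; the function name, the snapshot layout and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators as listed in the description above (compared case-insensitively).
DROPPED = {"winrpcsrv.exe", "syshelp.exe", "winrpc.exe", "wingate.exe",
           "rpcsrv.exe", "news_doc.exe"}
SHARE_COPIES = {"fun.exe", "humor.exe", "docs.exe", "s3msong.exe", "midsong.exe",
                "billgt.exe", "card.exe", "setup.exe", "searchurl.exe",
                "tamagotxi.exe", "hamster.exe", "news_doc.exe", "pspgame.exe",
                "joke.exe", "images.exe", "pics.exe"}
RUN_VALUES = {"syshelp": "syshelp.exe",
              "wingate initialize": "wingate.exe -remoteshell",
              "module call initialize": "rundll32.exe reg.dll ondll_reg"}

def check_host(system_files, share_files, run_values, txt_open_command):
    """Return (kind, item) findings; name matches are leads to triage, not proof."""
    findings = []
    for path in system_files:            # files found in %system%
        if ntpath.basename(path).lower() in DROPPED:
            findings.append(("dropped_file", path))
    for path in share_files:             # files found in shared directories
        if ntpath.basename(path).lower() in SHARE_COPIES:
            findings.append(("share_copy", path))
    for name, data in run_values.items():  # values of the HKLM Run key
        expected = RUN_VALUES.get(name.lower())
        if expected and data.strip().lower().endswith(expected):
            findings.append(("run_value", name))
    # The worm points the txtfile open command at winrpc.exe.
    tokens = txt_open_command.replace('"', "").split()
    if tokens and ntpath.basename(tokens[0]).lower() == "winrpc.exe":
        findings.append(("txtfile_handler", txt_open_command))
    return findings

# Constructed sample snapshot (hypothetical host data, not from the page).
SAMPLE = dict(
    system_files=[r"C:\WINDOWS\system32\notepad.exe",
                  r"C:\WINDOWS\system32\WinRpcsrv.exe"],
    share_files=[r"\\FILESRV\public\report.doc", r"\\FILESRV\public\PsPGame.exe"],
    run_values={"WinGate initialize": r"C:\WINDOWS\system32\WinGate.exe -remoteshell",
                "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    txt_open_command="winrpc.exe %1",
)

if __name__ == "__main__":
    for kind, item in check_host(**SAMPLE):
        print(f"{kind}: {item}")
```

Several of the share names, such as SETUP.EXE, are also common legitimate file names, so a single file-name hit needs confirmation by the registry findings or an antivirus scan.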

To spread, the worm uses e-mail addresses harvested from files with the extensions htm, html and hta. It sends out messages or modifies existing ones located on the infected computer, attaching a copy of itself to them. The name of this copy is one of those created in shared directories.

NOD32 detects this worm from version 1.371 onward.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.