TREND MICRO - Security Information - WORM_LOVGATE.G

WORM_LOVGATE.G

Virus Type: Worm
Destructive: No
Pattern file needed: 497
Scan engine needed: 5.200
Overall risk rating: Low
Reported infections: Low
Damage Potential: High
Distribution Potential: High

Description:

This memory-resident worm is a slightly modified variant of WORM_LOVGATE.F. The only difference between this variant and the earlier .F variant is the name of the event object that each creates to signal that a copy is already resident in memory.

The worm propagates through network shares by dropping copies of itself into shared folders on which it has read/write access.
The dropped files can have any of the following names:

    Are you looking for Love.doc.exe
    autoexec.bat
    The world of lovers.txt.exe
    How To Hack Websites.exe
    Panda Titanium Crack.zip.exe
    Mafia Trainer!!!.exe
    100 free essays school.pif
    AN-YOU-SUCK-IT.txt.pif
    Sex_For_You_Life.JPG.pif
    CloneCD + crack.exe
    Age of empires 2 crack.exe
    MoviezChannelsInstaler.exe
    Star Wars II Movie Full Downloader.exe
    Winrar + crack.exe
    SIMS FullDownloader.zip.exe
    MSN Password Hacker and Stealer.exe

This worm also propagates via email by replying to every new message received in Microsoft Outlook and Outlook Express. The reply has the following characteristics:

    From:
    To:
    Subject: RE:
    Message body:
        '' wrote:
        ====
        >
        >
        ====
        account auto-reply:
        If you can keep your head when all about you
        Are losing theirs and blaming it on you;
        If you can trust yourself when all men doubt you,
        But make allowance for their doubting too;
        If you can wait and not be tired by waiting,
        Or, being lied about, don't deal in lies,
        Or, being hated, don't give way to hating,
        And yet don't look too good, nor talk too wise;
        ... ... more look to the attachment.
        > Get your FREE account now! <
    Attachment: (randomly selected from the following)
        I am For u.doc.exe
        Britney spears nude.exe.txt.exe
        joke.pif
        DSL Modem Uncapper.rar.exe
        Industry Giant II.exe
        StarWars2 - CloneAttack.rm.scr
        dreamweaver MX (crack).exe
        Shakira.zip.exe
        SETUP.EXE
        Macromedia Flash.scr
        How to Crack all gamez.exe
        Me_nude.AVI.pif
        s3msong.MP3.pif
        Deutsch BloodPatch!.exe
        Sex in Office.rm.scr
        the hardcore game-.pif

This worm also harvests target email addresses from HTML files in the current folder, the Windows folder and the My Documents folder, and sends an email message with itself as the attachment to every address found. The message is one of the following (the subject line "See the attachement" is the worm's own misspelling and should be matched as written):

    Subject: Reply to this!
    Message body: For further assistance, please contact!
    Attachment: About_Me.txt.pif

    Subject: Let's Laugh
    Message body: Copy of your message, including all the headers is attached.
    Attachment: driver.exe

    Subject: Last Update
    Message body: This is the last cumulative update.
    Attachment: Doom3 Preview!!!.exe

    Subject: for you
    Message body: Tiger Woods had two eagles Friday during his victory over Stephen Leaney. (AP Photo/Denis Poroy)
    Attachment: enjoy.exe

    Subject: Great
    Message body: Send reply if you want to be official beta tester.
    Attachment: YOU_are_FAT!.TXT.pif

    Subject: Help
    Message body: This message was created automatically by mail delivery software (Exim).
    Attachment: Source.exe

    Subject: Attached one Gift for u..
    Message body: It's the long-awaited film version of the Broadway hit. Set in the roaring 20's, this is the story of Chicago chorus girl Roxie Hart (Zellweger), who shoots her unfaithful lover (West).
    Attachment: Interesting.exe

    Subject: Hi
    Message body: Adult content!!! Use with parental advisory.
    Attachment: README.TXT.pif

    Subject: Hi Dear
    Message body: Patrick Ewing will give Knick fans something to cheer about Friday night.
    Attachment: images.pif

    Subject: See the attachement
    Message body: Send me your comments...
    Attachment: Pics.ZIP.scr

The worm also carries a backdoor component: it opens listening ports, gathers information about the system, and lets a remote user execute commands on the compromised system (the "-remoteshell" switch on the WinGate.exe autostart entry listed under Solution belongs to this component). The write-up does not list the port numbers.

This ASPack-compressed worm runs on Windows NT, 2000, and XP.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To remove this malware from your system automatically, use the TREND MICRO System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program. Scan your system with your TREND MICRO antivirus product and NOTE all files detected as WORM_LOVGATE.G. TREND MICRO customers must download the latest pattern file (497 or later) before scanning their system. Other Internet users may use HouseCall, TREND MICRO's free online virus scanner.
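The file names and mail templates listed under Description double as indicators for a mail-gateway or file-share scan, which is often how an outbreak is identified before any host is cleaned. The following Python is an added example written for this page, not Trend Micro code: it matches names against the page's lists and adds a generic check for the decoy double extensions the worm favours (.doc.exe, .JPG.pif, .rm.scr), which also catches names the lists do not contain. The sample names and messages in it are constructed; the reason strings, and the decision to treat the listed but ordinary names autoexec.bat and SETUP.EXE as name-neutral, are this example's choices rather than anything the write-up states.

```python
"""Flag file and mail-attachment names matching the WORM_LOVGATE.G write-up.

Added example; not Trend Micro's code. A name is checked two ways:
  1. exact, case-insensitive match against the names listed on the page;
  2. a decoy-double-extension heuristic (document-looking inner extension,
     executable outer extension) that also catches unlisted names.
autoexec.bat and SETUP.EXE are ordinary names and are left out of the exact
match set: confirm those by hash, not by name. Generic listed names such as
driver.exe or images.pif are weak alone; the subject/attachment pairing in
classify_mail raises confidence for them. All sample inputs are constructed.
"""
import re

# Names dropped into writable shares (from the write-up).
SHARE_DROP_NAMES = """
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
"""
# Attachments on the Outlook / Outlook Express auto-replies (from the write-up).
REPLY_ATTACHMENTS = """
I am For u.doc.exe
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif
"""
# subject -> attachment for mails sent to harvested addresses (from the write-up).
HARVEST_MAILS = {
    "reply to this!": "about_me.txt.pif", "let's laugh": "driver.exe",
    "last update": "doom3 preview!!!.exe", "for you": "enjoy.exe",
    "great": "you_are_fat!.txt.pif", "help": "source.exe",
    "attached one gift for u..": "interesting.exe", "hi": "readme.txt.pif",
    "hi dear": "images.pif", "see the attachement": "pics.zip.scr",  # sic
}


def _names(block):
    return {line.strip().lower() for line in block.strip().splitlines()}


# Ordinary file names that appear in the lists; name alone proves nothing.
KNOWN_NAMES = (_names(SHARE_DROP_NAMES) | _names(REPLY_ATTACHMENTS)
               | set(HARVEST_MAILS.values())) - {"autoexec.bat", "setup.exe"}
# Inner "document" extension immediately followed by an executable extension.
DOUBLE_EXT = re.compile(r"\.(doc|txt|jpg|jpeg|gif|zip|rar|mp3|avi|rm|htm|html)\.(exe|pif|scr|com|bat)$")
EXEC_EXT = re.compile(r"\.(exe|pif|scr|com|bat)$")
REPLY_MARKER = "account auto-reply:"  # fixed string in the worm's reply body


def classify_name(name):
    """Return a reason string if the file name looks like LOVGATE.G, else None."""
    low = name.strip().lower()
    if low in KNOWN_NAMES:
        return "listed LOVGATE.G file name"
    if DOUBLE_EXT.search(low):
        return "decoy double extension"
    return None


def classify_mail(subject, attachment, body=""):
    """Return the list of reasons a message matches the worm's mail patterns."""
    reasons = []
    subj, att = subject.strip().lower(), attachment.strip().lower()
    if HARVEST_MAILS.get(subj) == att:
        reasons.append("listed subject/attachment pair")
    if subj.startswith("re:") and REPLY_MARKER in body.lower() and EXEC_EXT.search(att):
        reasons.append("auto-reply propagation pattern")
    name_reason = classify_name(att)
    if name_reason:
        reasons.append(name_reason)
    return reasons


if __name__ == "__main__":
    # Constructed share listing and mail records, not real captures.
    for fname in ["Sex_For_You_Life.JPG.pif", "Quarterly report.doc.exe", "autoexec.bat"]:
        print(f"{fname!r:30} -> {classify_name(fname)}")
    print(classify_mail("Hi", "README.TXT.pif"))
    print(classify_mail("RE: invoice", "joke.pif", body="account auto-reply: If you can keep your head"))
```

Feed classify_name the names from a share listing (for example the output of dir /s on each writable share) and classify_mail the subject, attachment name and body of each outbound message in the gateway log; anything that comes back with a reason is a host to pull into the removal procedure below.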
Terminating the Malware Program

This procedure terminates the running malware process from memory. If the process name is not known, you will need the name(s) of the file(s) detected in the previous step.

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select the file, then press either the End Task or the End Process button (depending on the version of Windows on your system).
4. Do the same for all detected malware files in the list of running processes. Terminating an instance of the malware also launches an instance of IEXPLORE.EXE, so terminate all other malware instances first and IEXPLORE.EXE last. The IEXPLORE.EXE in question is the worm's copy in the system folder (the one referenced by the "Program In Windows" autostart entry below), not the genuine Internet Explorer binary under Program Files.
5. To check that the malware process has been terminated, close Task Manager and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting the additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
1. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
2. In the right panel, locate and delete the following entries:
   WinHelp = "C:\WINNT\System32\WinHelp.exe"
   WinGate initialize = "C:\WINNT\System32\WinGate.exe -remoteshell"
   Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
   Program In Windows = "C:\WINNT\System32\IEXPLORE.EXE"
   (The paths shown are for Windows NT/2000, where the system folder is C:\WINNT\System32; on Windows XP the same files sit under C:\Windows\System32. Match on the value names, not the exact path.)
3. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>Windows
4. In the right panel, locate and delete the following entry:
   Run = "RAVMOND.EXE"

Addressing Registry Shell Spawning

Registry shell spawning executes the malware whenever a user opens a .TXT file. The following procedure restores the registry to its original setting.

1. Still in Registry Editor, in the left panel, double-click the following:
   HKEY_CLASSES_ROOT>txtfile>shell>open>command
2. In the right panel, locate the registry entry: Default
3. Check whether its data (in the rightmost column) is the path and file name of the malware file:
   "winrpc.exe %1"
4. If the data is the malware file, right-click Default and select Modify to change its value.
5. In the Value data input box, delete the existing value and type the default value:
   %SysDir%\NOTEPAD.EXE %1
   (where %SysDir% is the Windows system folder, as described in the note under the WIN.INI step below)
6. Click OK.
7. Close Registry Editor.

Removing Autostart Entries from System Files

Malware autostart entries in system files must be removed before the system can be restarted safely.

1. Open WIN.INI. To do this, click Start>Run, type WIN.INI, then press Enter.
2. Under the [windows] section, locate and delete the file name of the malware file, RAVMOND.EXE, from the following line:
   Run=%System%\RAVMOND.exe
   (where %System% is the Windows system folder, which is usually C:\Windows\System on Windows 9x and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP)
3. Close WIN.INI and click Yes when prompted to save.
NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system now.

Disabling the Malware Service

For Windows NT, 2000, and XP:

1. Restart your machine to stop the malware service.
2. Next, remove the malware service from the registry. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
3. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Windows Management Instrumentation Driver Extension
   Right-click "Windows Management Instrumentation Driver Extension" and select Delete.
4. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>NetMeeting Remote Desktop (RPC) Sharing
   Right-click "NetMeeting Remote Desktop (RPC) Sharing" and select Delete.
5. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Microsoft NetWork FireWall Services
   Right-click "Microsoft NetWork FireWall Services" and select Delete.
6. Close Registry Editor.

Delete only keys with exactly the names listed. These names imitate the display names of genuine Windows services, but the genuine services are stored under short key names (for example, the real "Windows Management Instrumentation Driver Extensions" service lives under the key named Wmi), so a key whose name is the full text above is the worm's.

Additional Windows ME/XP Cleaning Instructions

Running TREND MICRO Antivirus

Scan your system with TREND MICRO antivirus and delete all files detected as WORM_LOVGATE.G. To do this, TREND MICRO customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, TREND MICRO's free online virus scanner. Because the worm copies itself into every writable share it can reach, repeat the scan on any other host that exposed a writable share to the infected machine.

Copyright 1989-2002 Trend Micro, Inc. All rights reserved.
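The registry and WIN.INI edits in the manual procedure are easy to get wrong by hand, and an exported copy of the keys is also what you have when triaging a disk image rather than a live host. The following Python is an added example, not Trend Micro tooling: it parses a .reg export (regedit /e <file> <key>) of the four keys the procedure names plus the text of WIN.INI, and lists exactly the entries the procedure says to delete or restore. SAMPLE_REG and SAMPLE_WIN_INI are constructed data, not captures from an infected host; NOTEPAD_DEFAULT spells the stock .txt handler as %SystemRoot%\system32\NOTEPAD.EXE %1, which is what the page's %SysDir%\NOTEPAD.EXE %1 expands to on NT-family systems.

```python
"""Audit exported registry data and WIN.INI for the WORM_LOVGATE.G persistence
entries listed in the removal instructions.

Added example, not Trend Micro's tooling. Works offline on text: a .reg export
(regedit /e <file> <key>) of the keys below and the contents of WIN.INI.
SAMPLE_REG and SAMPLE_WIN_INI are constructed; C:\\WINNT follows the NT/2000 layout.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
NT_WINDOWS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Run-key value names the write-up says to delete (compared case-insensitively).
RUN_VALUE_NAMES = {"winhelp", "wingate initialize",
                   "remote procedure call locator", "program in windows"}
# Service keys the write-up says to delete after a reboot.
SERVICE_NAMES = {"windows management instrumentation driver extension",
                 "netmeeting remote desktop (rpc) sharing",
                 "microsoft network firewall services"}
# Stock .txt handler on NT-family systems (the write-up's %SysDir%\NOTEPAD.EXE %1).
NOTEPAD_DEFAULT = r"%SystemRoot%\system32\NOTEPAD.EXE %1"


def parse_reg(text):
    """Minimal parser for 'Windows Registry Editor' exports: {key: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip().strip('"')
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def _lookup(keys, path):
    """Case-insensitive key lookup; returns (key as exported, values)."""
    for key, values in keys.items():
        if key.lower() == path.lower():
            return key, values
    return path, {}


def audit_registry(keys):
    """Return (key, value name, data, action) for every entry the instructions say to fix."""
    findings = []
    key, values = _lookup(keys, RUN_KEY)
    for name, data in values.items():
        if name.lower() in RUN_VALUE_NAMES:
            findings.append((key, name, data, "delete value"))
    key, values = _lookup(keys, NT_WINDOWS_KEY)
    if "ravmond.exe" in values.get("Run", "").lower():
        findings.append((key, "Run", values["Run"], "delete value"))
    key, values = _lookup(keys, TXTFILE_KEY)
    if "winrpc.exe" in values.get("@", "").lower():
        findings.append((key, "@", values["@"], "restore to " + NOTEPAD_DEFAULT))
    for key in keys:  # service keys: match the leaf name directly under Services
        parent, _, leaf = key.rpartition("\\")
        if parent.lower() == SERVICES_KEY.lower() and leaf.lower() in SERVICE_NAMES:
            findings.append((key, "", "", "delete key (after reboot)"))
    return findings


def clean_win_ini(text):
    """Drop RAVMOND.EXE from the Run= line of [windows]; returns (new text, removed entries)."""
    out, removed, in_windows = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped.lower() == "[windows]"
        elif in_windows and stripped.lower().startswith("run="):
            entries = [e.strip() for e in stripped[4:].split(",") if e.strip()]
            keep = [e for e in entries if "ravmond.exe" not in e.lower()]
            removed += [e for e in entries if e not in keep]
            line = "Run=" + ",".join(keep)  # keep any legitimate Run= entries
        out.append(line)
    return "\n".join(out) + "\n", removed


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinHelp"="C:\\WINNT\\System32\\WinHelp.exe"
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"Remote Procedure Call Locator"="RUNDLL32.EXE reg678.dll ondll_reg"
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="RAVMOND.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetMeeting Remote Desktop (RPC) Sharing]
"Start"=dword:00000002
"""
SAMPLE_WIN_INI = "[windows]\nload=\nRun=C:\\WINNT\\System32\\RAVMOND.exe\nNullPort=None\n\n[fonts]\n"

if __name__ == "__main__":
    for finding in audit_registry(parse_reg(SAMPLE_REG)):
        print(finding)
    print(clean_win_ini(SAMPLE_WIN_INI))
```

Export each key with regedit /e, for example regedit /e run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", concatenate the exports and pass the text to parse_reg; version 5.00 exports from Windows 2000/XP are UTF-16, so open them with that encoding. The audit only reports; apply the deletions and the txtfile restore in Registry Editor as the procedure describes, after the reboot that stops the service.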