Lovgate | |
---|---|
Type | Multiple vector worm |
Creator | |
Date Discovered | 2003.01.28 |
Place of Origin | China |
Source Language | C++ |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | |
Reported Costs |
Lovgate, also known as Supnot is a network-aware mass-mailing worm that has backdoor trojan capabilities.
Behavior
Lovgate arrives in an email with 10 possible subject lines, message bodies and attachment file names:
- Subject: Documents
- Attachment: Docs.exe
- Body: Send me your comments…
- Subject: Roms
- Attachment: Roms.exe
- Body: Test this ROM! IT ROCKS!.
- Subject: Pr0n!
- Attachment: Sex.exe
- Body: Adult content!!! Use with parental advisory.
- Subject: Evaluation copy
- Attachment: Setup.exe
- Body: Test it 30 days for free.
- Subject: Help
- Attachment: Source.exe
- Body: I'm going crazy… please try to find the bug!
- Subject: Beta
- Attachment: _SetupB.exe
- Body: Send reply if you want to be official beta tester.
- Subject: Do not release
- Attachment: Pack.exe
- Body: This is the pack ;)
- Subject: Last Update
- Attachment: LUPdate.exe
- Body: This is the last cumulative update.
- Subject: The patch
- Attachment: Patch.exe
- Body: I think all will work fine.
- Subject: Cracks!
- Attachment: CrkList.exe
- Body: Check our list and mail your requests!
When the worm is executed it copies itself to the Windows system folder as one of the following file names:
- WinRpcsrv.exe
- syshelp.exe
- winrpc.exe
- WinGate.exe
- rpcsrv.exe
If the computer is running Windows 95, 98 or ME it will add the line run=rpcsrv.exe ti the Win.ini file, which ensures that the worm is run when Windows is started. On systems with the Registry, it adds the values "syshelp = %system%\syshelp.exe", "WinGate initialize = %system%\WinGate.exe -remoteshell" and "Module Call initialize = RUNDLL32.EXE reg.dll ondll_reg" to the Local Machine registry key that causes them to start when Windows starts. It will also set the value winrpc.exe %1 to a registry key that causes the worm to be run whenever a text file is opened.
If the computer is running Windows 2000, NT or XP, it will copy itself to the system folder as ssrv.exe and adds the value "run = rpcsrv.exe" to the Current User registry key that causes the program to run when the computer starts. It also adds the local machine registry key Software\KittyXP.sql\Install.
Lovgate adds the trojan component by dropping the following files into the Windows system folder and executing them:
- ily.dll
- task.dll
- reg.dll
- 1.dll
Some of these files store keystrokes and send the information to the email addresses moc.361|lld_olleh#moc.361|lld_olleh or moc.361|711rekcah#moc.361|711rekcah (presumably that of the cracker who created it). The worm listens on port 10168 for commands from a cracker who has access to the worm through a password. When the correct password is entered, a command shell will start for the cracker.
The worm then copies itself to any network-shared folders with any one of these file names:
- pics.exe
- images.exe
- joke.exe
- pspgame.exe
- news_doc.exe
- hamster.exe
- tamagotxi.exe
- searchurl.exe
- setup.exe
- card.exe
- billgt.exe
- midsong.exe
- s3msong.exe
- docs.exe
- humor.exe
- fun.exe.
When the worm detects the process LSASS.EXE it creates a thread to inject itself into the process. It also injects a thread into the same process that opens a command shell on port 20168 that requires no authentification. It then starts its backdoor component as the service "Windows Management Extension". The worm scans for all computers on the local network and attempts to log in as an administrator, first using no password at all for the administrator account, then making 15 other attempts to crack the account using the following passwords:
- 123
- 321
- 123456
- 654321
- guest
- administrator
- admin
- 111111
- 666666
- 888888
- abc
- abcdef
- abcdefg
- 12345678
- abc123
If the worm successfully enters a remote computer, it copies itself as stg.exe to the folder \admin$\system32\. It then attempts to start a service called "Microsoft NetWork Services FireWall".
The worm searches for email addresses in files that have extensions beginning with .ht in the folders where the worm was executed, "winpath" and a folder listed in the registry value that lists the current user's personal folders. The worm uses its own SMTP engine to send an email with a copy of the worm attached.
Variants
As worms go, Lovgate variants are very large, most of them weighing in at over 100,000 bytes. The family was also relatively large, going through the alphabet more than once.
Sources
Robert X Wang. Symantec.com, "W32.HLLW.Lovgate@mm".
Mary Landesman. Antivirus Software, About.com, "Lovegate worm".
Global Hauri, I-Worm.Win32.Lovgate.84992.