Virus Database


I-Worm.Lovgate.ah

Description I-Worm.Lovgate.ah

This worm spreads via the Internet as an attachment to infected messages, and also via local network shares and the Kazaa file-sharing folder. It is written in MFC and packed with ASPack. The packed file is 152063 bytes in size, and the unpacked file is approximately 250KB in size. The worm is capable of infecting PE EXE files.
Installation
Once launched, the worm copies itself to the Windows directory and the Windows system directory under the following names:
%windir%\CDPlay.exe
%windir%\Exploier.exe
%system%\IEXPLORE.exe
%system%\iexplorer.exe
%system%\RAVMOND.exe
%system%\WinHelp.exe
%system%\spoolsv.exe
%system%\Update_OB.exe
%system%\TkBellExe.exe
%system%\hxdef.exe
%system%\Kernel66.dll
It also creates a file named cdrom.com in the root directory of all accessible disks.
The worm may also create several copies of itself in the root directory of all accessible disks in ZIP format. The copies will be saved under random names.
Several copies of the worm will be registered as keys in the system registry, to ensure that these files are run each time the system is started.
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="%system%\TkBellExe.exe"
"Hardware Profile"="%system%\hxdef.exe"
"Microsoft Associates, Inc."="%system%\iexplorer.exe"
"SystemTra"="%windir%\CdPlay.exe"
"Shell Extension"="%system%\spollsv.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"COM++ System"="Exploier.exe"
An entry is also added to the [windows] section of win.ini (the legacy run= autostart hook) so that a file named RAVMOND.exe is launched automatically on system startup.
The worm also changes the registry command used to open text files, so that the worm gains control whenever a .txt file is opened:
[HKCR\txtfile\shell\open\command]
"default"="Update_OB.exe %1"
It creates an additional, otherwise empty, registry key to mark its presence on the system:
[HKLM\Software\Microsoft\Windows\CurrentVersion\MXLIB1]
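The following is an added triage script, not part of the original entry and not the worm's own code. It checks a regedit 5.00 text export and a copy of win.ini taken from a suspect host for the persistence entries listed above. The registry locations and dropped file names come from this description; the sample export and win.ini are constructed for the example, and the function names (parse_reg, find_lovgate_persistence) are this example's own. Because the worm drops a file called spoolsv.exe (and registers spollsv.exe) in %system%, hits are reported by file name and each one should then be confirmed against the path and hash on disk.

```python
"""Flag I-Worm.Lovgate.ah persistence entries in a regedit 5.00 export and win.ini.

Added triage example: registry locations and file names are taken from the
description above; the sample input below is constructed, not captured.
"""
import re

# Names the worm drops into %windir% / %system% (from the description), lower-cased.
# A legitimate spoolsv.exe also lives in %system%, so a hit on that name means
# "check the path and hash", not "infected".
DROPPED = {
    "cdplay.exe", "exploier.exe", "iexplore.exe", "iexplorer.exe", "ravmond.exe",
    "winhelp.exe", "spoolsv.exe", "spollsv.exe", "update_ob.exe", "tkbellexe.exe",
    "hxdef.exe", "kernel66.dll",
}
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
MARKER_KEY = r"\software\microsoft\windows\currentversion\mxlib1"
TXTFILE_KEY = r"\txtfile\shell\open\command"

# First path component that looks like an executable file name (no backslashes, quotes or spaces).
_EXE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|dll|com|pif|scr|bat))', re.I)
# "Name"="data"  or  @="data"  (default value) as written by regedit.
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

# Constructed sample export (regedit escapes backslashes as "\\") and win.ini.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="C:\\WINDOWS\\system32\\TkBellExe.exe"
"SystemTra"="C:\\WINDOWS\\CdPlay.exe"
"Adobe Reader"="C:\\Program Files\\Adobe\\reader_sl.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"COM++ System"="Exploier.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\MXLIB1]

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="Update_OB.exe %1"
"""

SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\system32\RAVMOND.exe
[Desktop]
Wallpaper=
"""


def parse_reg(text):
    """Yield (key, value_name, data) from a regedit text export.
    A bare (key, None, None) is yielded for every key so value-less marker keys show up."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group("default") else m.group("name")
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        yield key, name, data


def _exe_name(data):
    m = _EXE_RE.search(data or "")
    return m.group(1).lower() if m else None


def find_lovgate_persistence(reg_text, win_ini_text=""):
    """Return a list of (location, value_name, data, reason) findings."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if name is None:
            if k.endswith(MARKER_KEY):
                findings.append((key, None, None, "infection marker key"))
            continue
        exe = _exe_name(data)
        if exe in DROPPED and k.endswith(AUTOSTART_KEYS):
            findings.append((key, name, data, "autostart entry for dropped file"))
        elif name == "@" and k.endswith(TXTFILE_KEY) and exe != "notepad.exe":
            # Anything but notepad handling .txt deserves a look; the worm uses Update_OB.exe.
            findings.append((key, name, data, "txtfile open handler hijacked"))
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith(("run=", "load=")):
            if _exe_name(line) in DROPPED:
                entry, value = line.split("=", 1)
                findings.append(("win.ini [windows]", entry, value,
                                 "legacy autostart entry for dropped file"))
    return findings


if __name__ == "__main__":
    for location, name, data, reason in find_lovgate_persistence(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f"{reason:40} {location} {name!r} {data!r}")
```

Run it against a real host by exporting HKLM\Software\Microsoft\Windows\CurrentVersion and HKCR\txtfile with regedit /e and passing the two files' contents; an empty MXLIB1 key together with a txtfile handler that is not notepad.exe is a strong sign even if the Run entries have already been cleaned.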
Propagation via local networks
The worm shares the C:\windows\Media folder on the local network under the share name Media.
It copies itself to all accessible disks under the following names:
autoexec.bat
Cain.pif
client.exe
Documents and Settings.txt.exe
findpass.exe
i386.exe
Internet Explorer.bat
Microsoft Office.exe
mmc.exe
MSDN.ZIP.pif
Support Tools.exe
Windows Media Player.zip.exe
WindowsUpdate.pif
winhlp32.exe
WinRAR.exe
xcopy.exe
If the worm finds the P2P client Kazaa on the victim machine, it will copy itself to the file-sharing folder under the following names:
wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
W32Dasm
setup
or under a random name.
The file extension will be chosen at random from the following list:
BAT
EXE
PIF
SCR
The worm attempts to copy itself to every computer it finds on the local network. To do this it tries to log on to the remote machine as Administrator, using each of the following passwords:
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
0
000000
00000000
007
1
110
111
111111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
123abc
123asd
2003
2004
2600
321
54321
654321
666666
888888
88888888
a
aaa
abc
abc123
abcd
abcdef
abcdefg
admin
Admin
admin123
administrator
Administrator
alpha
asdf
asdfgh
computer
database
enable
god
godblessyou
guest
Guest
home
Internet
Login
login
love
mypass
mypass123
mypc
mypc123
oracle
owner
pass
passwd
password
Password
pc
pw
pw123
pwd
root
secret
server
sex
sql
super
sybase
temp
temp123
test
test123
win
xp
xxx
yxcv
zxcv
If the worm manages to connect, it copies itself to admin$\system32\NetManager.exe on the remote machine and launches that file as a service named Windows Management Network Service Extensions.
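The password guessing described above leaves a distinctive trace on the target: a burst of failed network logons for Administrator from one source, followed by a successful logon if one of the listed passwords was right. The script below is an added detection example, not part of the original entry, that finds such bursts. Its input is a constructed CSV in the shape of Windows 2000/XP security events (529 = logon failure with bad user name or password, 540 = successful network logon, logon type 3 = network); on Windows Vista and later the equivalent IDs are 4625 and 4624. The field names, threshold and window are this example's own choices.

```python
"""Spot a password-guessing burst against Administrator in Windows security-log records.

Added detection example, not from the original entry. Input is a constructed CSV of
Windows 2000/XP security events: 529 = logon failure (bad user name or password),
540 = successful network logon; logon type 3 = network (share) logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): 192.168.1.37 fails 12 times in 22 s and then gets in;
# 192.168.1.50 fails three times in an hour (someone mistyping); 192.168.1.12 logs on normally.
SAMPLE_LOG = """\
timestamp,event_id,account,logon_type,source
2004-03-02T10:14:00,529,Administrator,3,192.168.1.37
2004-03-02T10:14:02,529,Administrator,3,192.168.1.37
2004-03-02T10:14:04,529,Administrator,3,192.168.1.37
2004-03-02T10:14:06,529,Administrator,3,192.168.1.37
2004-03-02T10:14:08,529,Administrator,3,192.168.1.37
2004-03-02T10:14:10,529,Administrator,3,192.168.1.37
2004-03-02T10:14:12,529,Administrator,3,192.168.1.37
2004-03-02T10:14:14,529,Administrator,3,192.168.1.37
2004-03-02T10:14:16,529,Administrator,3,192.168.1.37
2004-03-02T10:14:18,529,Administrator,3,192.168.1.37
2004-03-02T10:14:20,529,Administrator,3,192.168.1.37
2004-03-02T10:14:22,529,Administrator,3,192.168.1.37
2004-03-02T10:14:24,540,Administrator,3,192.168.1.37
2004-03-02T10:19:00,529,Administrator,3,192.168.1.50
2004-03-02T10:44:00,529,Administrator,3,192.168.1.50
2004-03-02T11:15:00,529,Administrator,3,192.168.1.50
2004-03-02T10:21:00,540,backup,3,192.168.1.12
"""


def parse_events(text):
    """Yield one dict per record with typed fields; skips the header and blank lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("timestamp"):
            continue
        ts, eid, user, ltype, src = line.split(",")
        yield {"ts": datetime.fromisoformat(ts), "event_id": int(eid),
               "user": user, "logon_type": int(ltype), "src": src}


def detect_guessing(events, account="administrator", threshold=10, window=timedelta(minutes=2)):
    """Return {source: info} for every source with at least `threshold` failed network
    logons for `account` inside any `window`; info records whether a successful logon
    from the same source followed the burst (the worm found a password in its list)."""
    by_src = defaultdict(list)
    for e in events:
        if e["user"].lower() == account and e["logon_type"] == 3:
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["event_id"] == 529]
        burst_end = None
        lo = 0
        for hi, t in enumerate(fails):          # sliding window over failure timestamps
            while t - fails[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_end = t
                break
        if burst_end is None:
            continue
        success = next((e["ts"] for e in evs
                        if e["event_id"] == 540 and e["ts"] >= burst_end), None)
        alerts[src] = {"failures": len(fails), "burst_end": burst_end,
                       "success_after": success}
    return alerts


if __name__ == "__main__":
    for src, info in detect_guessing(parse_events(SAMPLE_LOG)).items():
        verdict = "COMPROMISED" if info["success_after"] else "guessing only"
        print(f"{src}: {info['failures']} failures, {verdict}")
```

A source that trips the threshold and then succeeds should be treated as a machine that now holds a copy of the worm in admin$\system32\NetManager.exe; a source that only fails is still worth isolating, since the worm simply moves on to the next host. The worm's list contains only 92 passwords, so a 2-minute window with a threshold of 10 catches it comfortably while leaving room for ordinary typos.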
Propagation via email
The worm replies to every message it finds in the Inbox by sending an infected email back to the sender's address. It also harvests email addresses from files with the following extensions:
wab
htm
pl
adb
tbb
dbx
asp
php
sht
Infected messages:
Message subject (chosen at random from the list below):
Mail failed. For further assistance, please contact!

The message sent as a binary attachment.

It's the long-awaited film version of the Broadway hit.

The message contains Unicode characters and has been sent as a binary attachment.
Attachment name (chosen at random from the list below):
I am For u.doc.exe
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif
Message body:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
all ... more look to the attachment.
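Every attachment name in the list above either carries an executable extension outright or hides it behind a document, archive or media extension (doc.exe, zip.exe, MP3.pif, rm.scr). The check below is an added mail-gateway example, not part of the original entry: it classifies an attachment from its name alone, blocking executable types and calling out the double-extension trick separately so the log explains why. The extension sets and the verdict names are this example's own choices; the worm's attachment names are copied from the list above as test input.

```python
"""Classify mail attachment names the way a gateway filter would for this worm.

Added example, not from the original entry; extension sets are the author's choices.
"""

# Outer extensions that execute when double-clicked on Windows of this era.
EXECUTABLE = {"exe", "pif", "scr", "bat", "com", "cmd", "vbs", "js"}
# Archives are not executable themselves but must be opened and scanned.
ARCHIVE = {"zip", "rar"}
# Harmless-looking inner extensions the worm pairs with an executable outer one.
DECOY = {"doc", "txt", "rar", "zip", "rm", "avi", "mp3", "jpg", "gif", "pdf", "htm", "html"}

# Attachment names used by the worm, copied from the description above.
WORM_ATTACHMENTS = [
    "I am For u.doc.exe", "Britney spears nude.exe.txt.exe", "joke.pif",
    "DSL Modem Uncapper.rar.exe", "Industry Giant II.exe", "StarWars2 - CloneAttack.rm.scr",
    "dreamweaver MX (crack).exe", "Shakira.zip.exe", "SETUP.EXE", "Macromedia Flash.scr",
    "How to Crack all gamez.exe", "Me_nude.AVI.pif", "s3msong.MP3.pif",
    "Deutsch BloodPatch!.exe", "Sex in Office.rm.scr", "the hardcore game-.pif",
]


def split_extensions(name):
    """'Shakira.zip.exe' -> ['zip', 'exe']; tokens are lower-cased, no extension -> []."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(name):
    """Return (verdict, reason); verdict is 'block', 'inspect' or 'allow'."""
    exts = split_extensions(name.strip())
    if not exts:
        return ("inspect", "no extension")
    outer = exts[-1]
    if outer in EXECUTABLE:
        if len(exts) > 1 and exts[-2] in DECOY:
            return ("block", f"executable disguised as .{exts[-2]}")
        return ("block", f"executable attachment (.{outer})")
    if outer in ARCHIVE:
        return ("inspect", "archive: scan contents")
    return ("allow", f".{outer}")


def triage(names):
    """Classify a batch of names; returns {verdict: [names]} in stable order."""
    out = {"block": [], "inspect": [], "allow": []}
    for n in names:
        out[classify_attachment(n)[0]].append(n)
    return out


if __name__ == "__main__":
    for n in WORM_ATTACHMENTS + ["report.doc", "MSDN.zip", "README"]:
        print(f"{classify_attachment(n)[0]:8} {classify_attachment(n)[1]:35} {n}")
```

Filtering on the name is only the first layer: the worm also scatters ZIP copies of itself on every reachable disk, so archives are returned as "inspect" rather than "allow" and should be opened and scanned at the gateway.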
Other
The worm terminates all processes which contain the following text in their names:
Duba
Gate
KAV
kill
KV
McAfee
NAV
RavMon.exe
Rfw.exe
rising
SkyNet
Symantec
It also stops the following services:
Rising Realtime Monitor Service
Symantec Antivirus Server
Symantec Client
The worm harvests information about the victim machine and saves it in a file named c:\Netlog.txt, which is then sent by email to the worm's author.
It installs a backdoor on TCP port 6000 to receive commands.
The worm contains the text string:
I-WORM-ffff Running!
The worm searches all accessible disks from C: to Z: for files with the .exe extension. It renames each one to .zmx, sets the hidden and system attributes on the renamed file, and then writes a copy of itself under the original file name, so that every .exe the user launches afterwards is the worm.
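The renaming described above is reversible because the original program is still on disk under the .zmx name. The script below is an added recovery example, not part of the original entry: it walks a disk, and for every foo.zmx it moves the worm's foo.exe to a quarantine directory and renames foo.zmx back to foo.exe, refusing to touch a pair where the .exe does not look like the worm (a legitimate program that happens to share the name). The default worm test uses the packed size 152063 bytes from the description plus an optional set of known-bad SHA-256 hashes; the demo tree, the file contents and the substitute test used in the demo are constructed for the example.

```python
"""Recover .exe files that I-Worm.Lovgate.ah renamed to .zmx and replaced with copies of itself.

Added recovery example, not from the original entry. The demo tree is constructed;
the 152063-byte size comes from the description above.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

PACKED_SIZE = 152063  # size of the packed worm body given in the description


def looks_like_worm(path, known_bad_sha256=frozenset()):
    """Weak default test: file size equals the packed worm size, or its SHA-256 is in a
    supplied known-bad set. Replace with a proper scanner verdict where available."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if st.st_size == PACKED_SIZE:
        return True
    if known_bad_sha256:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest() in known_bad_sha256
    return False


def clear_hidden_system(path):
    """The worm sets hidden+system on the .zmx file; only Windows has these attributes."""
    if os.name == "nt":
        subprocess.run(["attrib", "-h", "-s", path], check=False)


def restore_zmx_files(root, quarantine, is_worm=looks_like_worm, dry_run=False):
    """Walk `root`; for every foo.zmx, quarantine a worm foo.exe beside it and rename
    foo.zmx back to foo.exe. Returns the planned/performed actions as (action, path)."""
    actions = []
    os.makedirs(quarantine, exist_ok=True)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".zmx"):
                continue
            zmx = os.path.join(dirpath, fname)
            exe = zmx[:-4] + ".exe"
            if os.path.exists(exe):
                if not is_worm(exe):
                    # Something else owns the .exe name: leave both files for manual review.
                    actions.append(("skip-conflict", exe))
                    continue
                dest = os.path.join(quarantine, os.path.relpath(exe, root).replace(os.sep, "_"))
                actions.append(("quarantine", exe))
                if not dry_run:
                    shutil.move(exe, dest)
            actions.append(("restore", zmx))
            if not dry_run:
                clear_hidden_system(zmx)
                os.rename(zmx, exe)
    return actions


def demo():
    """Build a constructed sample tree, run the recovery, and return (actions, restored_ok).
    Uses a substitute worm test (content starts with b'WORM') instead of size/hash."""
    base = tempfile.mkdtemp(prefix="lovgate_")
    root = os.path.join(base, "disk")
    os.makedirs(os.path.join(root, "tools"))
    samples = {                                  # constructed contents, not real binaries
        "tools/app.zmx": b"MZ original app",     # renamed original ...
        "tools/app.exe": b"WORM copy",           # ... and the worm under its name
        "setup.zmx": b"MZ original setup",       # renamed original ...
        "setup.exe": b"MZ unrelated legit build",  # ... but a non-worm .exe took the name
        "orphan.zmx": b"MZ original orphan",     # worm copy already deleted by AV
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    def fake_is_worm(path):
        with open(path, "rb") as f:
            return f.read().startswith(b"WORM")

    actions = restore_zmx_files(root, os.path.join(base, "quarantine"), is_worm=fake_is_worm)
    with open(os.path.join(root, "tools", "app.exe"), "rb") as f:
        restored_ok = f.read() == b"MZ original app"
    shutil.rmtree(base)
    return sorted(actions), restored_ok


if __name__ == "__main__":
    for action, path in demo()[0]:
        print(f"{action:14} {path}")
```

Run with dry_run=True first and review the skip-conflict entries by hand; they are the cases where a .exe of the original name exists but does not match the worm test, and guessing wrong there would delete a legitimate program.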


BootCOM.357

Description BootCOM.357

This is a memory-resident multipartite virus. It infects COM files as well as system sectors (the boot sector and/or the MBR).
When an infected file is executed, the virus infects the MBR of the hard drive. When the system is booted from the infected MBR, it hooks INT 13h, then waits for the first EXE file to be loaded and hooks INT 21h. It then appends itself to the end of COM files as they are executed. It contains the internal text string: "[Max]".

BootCOM.Peanut

Description BootCOM.Peanut

This is a harmless memory-resident multipartite virus. It infects COM files as well as system sectors (the boot sector and/or the MBR).
When an infected file is executed, the virus infects the MBR of the hard drive. When the system is booted from the infected disk, it hooks INT 13h and INT 21h, appends itself to the end of COM files as they are executed, and infects the boot sectors of floppy disks.





    Copyright © 2005 Virus-Database.com