TME.643
Description TME.643
It is a harmless, non-memory-resident polymorphic worm. When executed, it creates the file TME.COM and writes itself to it. When executed from TME.COM, the virus overwrites that file, renewing its polymorphic code. The virus contains the string: TME.COM
I-Worm.Lovgate.c
Description I-Worm.Lovgate.c
I-Worm.Lovgate.a (aka Supnot.a) is a worm virus spreading via the Internet as an attachment to infected emails. The worm also spreads through local area networks and has a backdoor routine. Several worm variants are known which are very similar to each other.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed with ASPack. The compressed file size is about 79K, the decompressed size about 165K.
The worm activates from an infected email only when a user clicks on the attached file. While spreading through local area networks the worm tries to run its remote copies using WinNT functions. When run, the worm installs itself to the system and runs its spreading and backdoor routines.
Installing
While installing, the worm copies itself to the Windows system directory under several names and registers these files in the system registry auto-run key (under WinNT) and/or in the "run" command in the WIN.INI file (under Win9x). Worm copies have the following names:
rpcsrv.exe
syshelp.exe
winrpc.exe
WinGate.exe
WinRpcsrv.exe
The registry keys are:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="rpcsrv.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="%SystemDir%\syshelp.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinGate initialize"="%SystemDir%\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
[HKCR\txtfile\shell\open\command]
"winrpc.exe %1"
Spreading: email
To spread in emails 'supnot' uses two different methods.
1. The worm looks for "*.HT*" files (HTM, HTML) in the current directory, the Windows directory and the "My Documents" directory (including subdirectories), scans them for email-like text strings and sends infected messages to the addresses found. To send an infected message the worm uses a direct connection to the default SMTP server, or connects to the "smtp.163.com" server. The 'supnot' message attributes vary as follows:
Subject | Text | Attachment
Cracks! | Check our list and mail your requests! | CrkList.exe
The patch | I think all will work fine. | Patch.exe
Last Update | This is the last cumulative update. | LUPdate.exe
Do not release | This is the pack ;) | Pack.exe
Beta | Send reply if you want to be official beta tester. | _SetupB.exe
Help | I'm going crazyall please try to find the bug! | Source.exe
Evaluation copy | Test it 30 days for free. | Setup.exe
Pr0n! | Adult content!!! Use with parental advisory. | Sex.exe
Roms | Test this ROM! IT ROCKS!. | Roms.exe
Documents | Send me your comments... | Docs.exe
2. The worm gets emails from Inboxes and "answers" them using Windows MAPI functions. Replies look like:
Subject: Re: [original email subject]
Text:
[user name] wrote:
====
> [original email text]
====
[email domain name] account auto-reply:
' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '
> Get your FREE [email domain name] account now! <
for example:
The attached file name is randomly selected from the following variants:
pics.exe
SETUP.EXE
images.exe
Card.EXE
joke.exe
billgt.exe
PsPGame.exe
midsong.exe
news_doc.exe
s3msong.exe
hamster.exe
docs.exe
tamagotxi.exe
humor.exe
searchURL.exe
fun.exe
Infecting Local Networks
The worm finds network resources (shared writeable disks and directories) and copies itself to them under randomly chosen names:
pics.exe
SETUP.EXE
images.exe
Card.EXE
joke.exe
billgt.exe
PsPGame.exe
midsong.exe
news_doc.exe
s3msong.exe
hamster.exe
docs.exe
tamagotxi.exe
humor.exe
searchURL.exe
fun.exe
If a network resource is password protected, it also tries to obtain 'write' access using the following credentials:
Login: "guest", "Administrator"
Password: "123", "321", "123456", "654321", "administrator", "admin", "111111", "666666", "888888", "abc", "abcdef", "abcdefg", "12345678", "abc123"
If the login is successful, the worm creates a remote copy of itself named "stg.exe" and tries to launch it on the remote computer.
Backdoor
Supnot launches a "backdoor" routine that uses the IPC (Interprocess Communication) technique: it creates a pipe connected to a command processor launched on the victim computer, CMD.EXE in Windows NT/2000/XP or COMMAND.COM in Windows 9x/ME. This allows the worm's "owner" to control the victim computer remotely. The backdoor is launched in three different ways:
as a thread in the worm's process
as a part of the "LSASS.EXE" process (under WinNT)
as stand-alone DLL files "ily.dll", "Task.dll" and "reg.dll" stored in the Windows system directory
The three methods of executing the backdoor carry the identical payload routine.
Other
While sending e-mail messages, the worm creates a temporary file called "CH0016.TMP" in the Windows temporary directory. The worm also sends a 'notification' e-mail to its "owner" containing the infected computer's name, IP address and current user name. This email contains the following "copyright" string:
My I-WORM-and-IPC-20168 running!
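Added example, not part of the original description: a Python check that looks for the Lovgate.c persistence entries listed above in a snapshot of the auto-run registry values. The snapshot is a constructed dict; on a live host the same dict would be filled from winreg, and the key paths and value names are the ones the description gives.

```python
# Added example (not from the original description): check a snapshot of the
# auto-run registry values and the .txt file association for the persistence
# entries that I-Worm.Lovgate.c writes. The snapshot is a plain dict so the
# check runs offline; on a live host it would be filled from winreg.
from typing import Dict, List

# Registry locations, value names and the distinctive part of each value's
# data, taken from the description above.
LOVGATE_C_INDICATORS = {
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows": {
        "Run": "rpcsrv.exe",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "syshelp": "syshelp.exe",
        "WinGate initialize": "-remoteshell",
        "Module Call initialize": "ondll_reg",
    },
    r"HKCR\txtfile\shell\open\command": {
        "": "winrpc.exe",   # "" is the key's default value
    },
}

def find_lovgate_c_persistence(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per auto-run value whose data contains a Lovgate.c
    marker. `snapshot` maps a registry key path to {value name: value data}."""
    findings = []
    for key, markers in LOVGATE_C_INDICATORS.items():
        values = snapshot.get(key, {})
        for name, marker in markers.items():
            data = values.get(name, "")
            if marker.lower() in data.lower():
                findings.append(f"{key} [{name or '(Default)'}] = {data!r}")
    return findings

# Constructed snapshot of an infected host (sample data, not a real capture).
SAMPLE_INFECTED = {
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows": {"Run": "rpcsrv.exe"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "syshelp": r"C:\WINNT\System32\syshelp.exe",
        "WinGate initialize": r"C:\WINNT\System32\WinGate.exe -remoteshell",
        "Module Call initialize": "RUNDLL32.EXE reg.dll ondll_reg",
        "Synchronization Manager": "mobsync.exe /logon",  # benign, must not match
    },
    r"HKCR\txtfile\shell\open\command": {"": 'winrpc.exe "%1"'},
}

if __name__ == "__main__":
    for line in find_lovgate_c_persistence(SAMPLE_INFECTED):
        print("LOVGATE.C persistence:", line)
```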
I-Worm.Lovgate.w
Description I-Worm.Lovgate.w
This worm spreads via the Internet as an attachment to infected messages. It is written in MFC. The worm itself is approximately 125KB in size, packed using ASPack; the unpacked file is approximately 205KB in size.
Installation
Once launched, the worm copies itself under several different names to the Windows system and root directories:
%system%\Kernel66.dll
%system%\IEXPLORE.exe
%system%\hxdef.exe
%system%\RAVMOND.exe
%windir%\SYSTRA.exe
c:\command.exe
It also saves its components in the following files:
%System%\NetMeeting.exe
%system%\spoolsv.exe
%SysDir%\msjdbc11.dll
%SysDir%\MSSIGN30.DLL
%SysDir%\ODBC16.dll
%SysDir%\Lmmib20.dll
It also creates a file named AUTORUN.INF in the root directory of all accessible disks. The worm creates several copies of itself in ZIP or RAR format, saved under random names in the root directories of all accessible disks.
It registers several copies of itself in the system registry, which ensures that these copies are launched every time Windows is restarted:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="%System%\WinHelp.exe"
"Hardware Profile"="%system%\hxdef.exe"
"Microsoft NetMeeting Associates, Inc."="NetMeeting.exe"
"Program in Windows"="%System%\IEXPLORE.EXE"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
It also creates the following system registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="%Windir%\Systra.exe"
It creates an additional registry value to flag its presence in the system:
HKLM\Software\Microsoft\Windows\CurrentVersion\MXLIB1
Propagation via local networks
It makes the C:\windows\Media folder accessible via the local network under the share name \Media.
It copies itself to all network disks under the following names:
autoexec.bat
Cain.pif
client.exe
Documents and Settings.txt.exe
findpass.exe
i386.exe
Internet Explorer.bat
Microsoft Office.exe
mmc.exe
MSDN.ZIP.pif
Support Tools.exe
Windows Media Player.zip.exe
WindowsUpdate.pif
winhlp32.exe
WinRAR.exe
xcopy.exe
The worm attempts to copy itself to all local network machines using the Administrator account. It uses the following passwords to attempt to gain access to the account:
!@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* 0 000000 00000000 007 1 110 111 111111 11111111 12 121212 123 123123 1234 12345 123456 1234567 12345678 123456789 123abc 123asd 2003 2004 2600 321 54321
654321 666666 888888 88888888 a aaa abc abc123 abcd abcdef abcdefg admin Admin admin123 administrator Administrator alpha asdf asdfgh computer database enable god godblessyou guest Guest home Internet Login login love
mypass mypass123 mypc mypc123 oracle owner pass passwd password Password pc pw pw123 pwd root secret server sex sql super sybase temp temp123 test test123 win xp xxx yxcv zxcv
If the worm succeeds in establishing a connection, it copies itself to admin$\system32\NetManager.exe and launches the file as the service 'Windows Management NetWork Service Extensions'.
Propagation via email
The worm sends itself to all addresses found in emails in the Inbox. It also searches files with the extensions listed below for email addresses to send itself to:
adb asp dbx htm htm php pl sht tbb wab
Infected messages
Infected messages contain the following text:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
all ... more look to the attachment.
< Get your FREE <sender's domain>now! <
Attachment name (chosen at random from the list below):
Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif
The worm also sends itself using its own SMTP server.
Message header (chosen at random from the list below):
Error
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
test
Message body (chosen from those listed below):
It's the long-awaited film version of the Broadway hit.
The message sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail failed. For further assistance, please contact!
Attachment name: randomly generated, with one of the following extensions:
.exe .scr .pif .cmd .bat .zip .rar
Other
It terminates processes containing the following text strings in their names:
Duba Gate KAV kill KV McAfee NAV RavMon.exe Rfw.exe rising SkyNet Symantec
It also stops the following services:
Rising Realtime Monitor Service
Symantec Antivirus Server
Symantec Client
The worm harvests information about the victim machine, saves it in a file named c:\Netlog.txt and sends this file to the worm's author via email. It installs a backdoor on TCP port 6000 to receive commands. It launches an FTP server without login or password on a random port. The worm searches all accessible disks from C: to Z: for files with the extension .exe. It then renames them as *.zmx, sets the 'hidden/system' attributes on these files, and copies itself to the original files under the original names (working in the same way as companion viruses do).
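Added example, not part of the original description: a Python scan for the companion-infection artefacts described above, namely a *.zmx file (the renamed original program) beside a same-named *.exe (the worm copy), and AUTORUN.INF in the root of a disk. The directory tree it walks is constructed in a temporary folder here; file attributes are not checked because they are Windows-specific.

```python
# Added example (not from the original description): find the companion
# pattern I-Worm.Lovgate.w leaves on disk (NAME.zmx next to NAME.exe) and the
# AUTORUN.INF it drops in drive roots. Exercised on a constructed sample tree.
import os
import tempfile
from typing import List

def find_companion_pairs(root: str) -> List[str]:
    """Return paths (without extension) where both NAME.zmx and NAME.exe exist,
    i.e. where an original .exe was renamed and replaced by a worm copy."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {f.lower() for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() == ".zmx" and stem.lower() + ".exe" in lower_names:
                hits.append(os.path.join(dirpath, stem))
    return sorted(hits)

def has_autorun_inf(root: str) -> bool:
    """AUTORUN.INF directly in a drive root is one of the described droppers."""
    return any(f.lower() == "autorun.inf" for f in os.listdir(root))

def build_sample_tree() -> str:
    """Constructed sample (not a real capture): one infected pair, one clean
    executable with no .zmx twin, and a dropped AUTORUN.INF in the root."""
    root = tempfile.mkdtemp(prefix="lovgate_w_")
    tools = os.path.join(root, "Tools")
    os.makedirs(tools)
    for name, body in (
        (os.path.join(tools, "notepad.zmx"), b"ORIGINAL PROGRAM"),  # renamed victim
        (os.path.join(tools, "notepad.exe"), b"WORM COPY"),         # companion copy
        (os.path.join(tools, "clean.exe"), b"UNTOUCHED"),           # no .zmx twin
        (os.path.join(root, "AUTORUN.INF"), b"[autorun]\r\n"),      # constructed stub
    ):
        with open(name, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    print("companion pairs:", find_companion_pairs(sample))
    print("AUTORUN.INF present:", has_autorun_inf(sample))
```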