WORM_LOVGATE.E

Malware type: Worm

Aliases: I-Worm.LovGate.ah, HLLM.Lovgate.18, I-Worm.Win32.Lovgate.171520

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm propagates via network shares and email. Upon execution, it drops multiple copies of itself. It also drops .DLL files associated with WORM_LOVGATE.Q.

It creates several registry entries to ensure its execution at every Windows startup, and modifies the .TXT file association so that it also runs every time a .TXT file is opened.

To propagate via network shares, this worm drops copies of itself in accessible shared folders as an executable file or as a WinRar-compressed file using any of several filenames and extensions.

It may also drop copies in random folders on a system, using up disk space.

To propagate via email, it uses its own SMTP engine. The email it sends out has the following details:

From: (Spoofed)

Subject: (any of the following)
Delivery Status Notification (Delay)
Hi
Error
Mail Transaction Failed
Test

Message body: (any of the following)

This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
YOU DO NOT NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipient has failed:

The message contains Uniocode characters and has been sent as a binary attachment.

Mail failed. For further assistance, Please contact!

It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

Attachments (any of the following filenames)

Body
data
Doc
Document
File
Message
Readme
Test
Text

The attachment may have any of the following filename extensions:

bat
Cmd
com
Exe
Pif
scr
Zip

It may also send out email with a blank subject and message body. Additionally, it may send a randomly named file as the attachment.

This worm runs on Windows NT, 2000, and XP.


Description created: Aug. 11, 2004 7:13:01 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 171,520 Bytes (Compressed with PE Compact, then with Aspack)

Initial samples received on: Aug 11, 2004

Related to: WORM_LOVGATE.Q

Details:

Installation and Autostart Technique

Upon execution, this memory-resident worm drops the following copies of itself:

  • %System Root%\upDate.exe
  • %System%\hxdef.exe
  • %System%\IEXPLORE.EXE
  • %System%\kernel66.dll
  • %System%\real.exe
  • %System%\TkBellExe.exe
  • %System%\Update_OB.exe
  • %Windows%\Video.EXE

(Note: %System Root% refers to the root directory, which is usually C:\. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It also drops the following .DLL files associated with WORM_LOVGATE.Q:

  • %System%\msjdbc11.dll
  • %System%\ODBC16.dll

To ensure execution at every Windows startup, it creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
WinHelp = "%System%\TkBellExe.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Soft Profile Inc = "%System%\hxdef.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Inc. = "iexplorer.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Program In Windows = "%System%\IEXPLORE.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
SystemTra = "%Windows%\Video.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
Installed shell32.dll = "Office.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\
CurrentVersion\Windows
Run = "real.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Run = "real.exe"

It also modifies the file association of text files (*.TXT) in the registry to execute its dropped copy every time a .TXT file is opened.
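The autostart values and the txtfile hijack above are the quickest things to check on a suspect host. As an added example (not part of the Trend Micro description, and not the worm's code), the following Python script parses a REGEDIT export and flags the value names, dropped-file references and non-Notepad txtfile command listed above. The .reg text it scans is constructed for illustration; the keys, value names and file names come from the lists above.

```python
"""Flag WORM_LOVGATE.E persistence in a Windows registry export (.reg text).

Added example: parses the REGEDIT export format offline and checks the
autostart keys and the txtfile association listed in the description.
"""
import re

# Value names the worm creates under Run / RunServices (from the list above).
DISTINCTIVE_VALUE_NAMES = {
    "WinHelp", "Soft Profile Inc", "Microsoft Inc.",
    "VFW Encoder/Decoder Settings", "Program In Windows",
    "Protected Storage", "SystemTra", "Installed shell32.dll",
}
# File names that appear in the worm's autostart data or drop list.
LOVGATE_BINARIES = {
    "tkbellexe.exe", "hxdef.exe", "iexplorer.exe", "mssign30.dll",
    "video.exe", "office.exe", "real.exe", "update_ob.exe", "kernel66.dll",
}
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
)}
TXTFILE_KEY = r"hkey_classes_root\txtfile\shell\open\command"

# Matches "name"="data" or @="data" (the default value); only string values are read.
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<data>.*)"$')


def parse_reg(text):
    """Return {key_lower: {value_name: data}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name = "@" if m.group("default") else m.group("name")
                # .reg exports double every backslash inside string data.
                keys[current][name] = m.group("data").replace("\\\\", "\\")
    return keys


def _mentions_lovgate(data):
    return any(b in data.lower() for b in LOVGATE_BINARIES)


def find_lovgate_persistence(reg_text):
    """Return findings as (key, value_name, data, reason) tuples."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key in AUTOSTART_KEYS:
            for name, data in values.items():
                if name in DISTINCTIVE_VALUE_NAMES:
                    findings.append((key, name, data, "LovGate autostart value name"))
                elif _mentions_lovgate(data):
                    findings.append((key, name, data, "autostart data references LovGate file"))
        elif key == TXTFILE_KEY:
            cmd = values.get("@", "")
            # The default handler is Notepad; anything else means the .TXT association was hijacked.
            if "notepad" not in cmd.lower():
                findings.append((key, "@", cmd, "txtfile open command hijacked"))
    return findings


# Constructed sample export (not a real capture): one benign entry plus LovGate entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"WinHelp"="C:\\WINDOWS\\system32\\TkBellExe.exe"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINDOWS\\Video.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="real.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\system32\\IEXPLORE.EXE %1"
'''

if __name__ == "__main__":
    for key, name, data, reason in find_lovgate_persistence(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} = {data}")
```

The "Run" value under HKCU\...\Windows NT\CurrentVersion\Windows exists on clean systems too, so the script flags it only when its data names a LovGate file rather than on the value name alone; the other names in the list do not occur on a clean install.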

Propagation via Network Shares

This worm drops copies of itself in accessible shared folders as an executable file or as a WinRar-compressed file. It may use any of the filenames in the following partial list:

  • autoexec
  • Daemon Tools v3.41
  • EnterNet 500 V1.5 RC1
  • FoxMail V5.0.500.0
  • i386
  • Microsoft Office
  • Winamp skub_FinalFantasy
  • Windows Media Player.zip
  • WinGate V5.0.10 Build
  • WINISO 5.3
  • eMule-0.42e-VeryCD0407Install
  • Support Tools
  • Minilyrics_Std_2.7.233
  • Flash2X Flash Hunter v1.1.2
  • Windows 2000 sp4.ZIP
  • Serv-U FTP Server 4.1
  • Winamp skin_FinalFantasy

The above filenames may have any of the following filename extensions:

  • Bat
  • Cmd
  • Com
  • Exe
  • Pif
  • Rar

It may also drop copies in random folders on an infected system, using up disk space.
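Because the share copies use software-like lure names with an executable or RAR extension appended, they can be hunted with a directory walk. As an added example (not from the page and not Trend Micro's tooling), the following Python script scans a share path for the lure names and extensions above and, as a secondary check, for executables with either of the packed sample sizes given under Other Details. The share tree it scans is constructed in a temporary directory for illustration.

```python
"""Scan a share path for WORM_LOVGATE.E lure files.

Added example (not from the page): walks a directory tree and reports files
whose name matches the lure list and extensions above, plus executables with
the two packed sample sizes the page gives.
"""
import os
import tempfile

LURE_NAMES = {n.lower() for n in (
    "autoexec", "Daemon Tools v3.41", "EnterNet 500 V1.5 RC1", "FoxMail V5.0.500.0",
    "i386", "Microsoft Office", "Winamp skub_FinalFantasy", "Windows Media Player.zip",
    "WinGate V5.0.10 Build", "WINISO 5.3", "eMule-0.42e-VeryCD0407Install",
    "Support Tools", "Minilyrics_Std_2.7.233", "Flash2X Flash Hunter v1.1.2",
    "Windows 2000 sp4.ZIP", "Serv-U FTP Server 4.1", "Winamp skin_FinalFantasy",
)}
LURE_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".rar"}
PACKED_SIZES = {165888, 171520}  # PE Compact only, and PE Compact then Aspack


def classify_file(path):
    """Return a reason string if the file looks like a LovGate drop, else None."""
    # splitext keeps "Windows Media Player.zip" as the stem of "...zip.exe".
    stem, ext = os.path.splitext(os.path.basename(path))
    if stem.lower() in LURE_NAMES and ext.lower() in LURE_EXTS:
        return "lure name with executable/RAR extension"
    if ext.lower() in LURE_EXTS and os.path.getsize(path) in PACKED_SIZES:
        return "executable with known packed sample size"
    return None


def scan_share(root):
    """Walk root and return a sorted list of (path, reason) for suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = classify_file(path)
            if reason:
                hits.append((path, reason))
    return sorted(hits)


def build_sample_share():
    """Create a constructed share tree (not a real capture) in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="lovgate_share_")
    layout = {
        "Windows Media Player.zip.exe": b"MZ" + b"\0" * 30,    # lure name, tiny stub
        "Microsoft Office.rar": b"Rar!" + b"\0" * 10,          # lure name, RAR extension
        os.path.join("tools", "Daemon Tools v3.41.pif"): b"MZ",
        os.path.join("tools", "readme.txt"): b"benign text",
        os.path.join("tools", "setup.exe"): b"\0" * 171520,    # size-only match
        "quarterly.exe": b"\0" * 1000,                          # benign name and size
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in scan_share(build_sample_share()):
        print(f"{reason}: {path}")
```

Size matching is only a corroborating signal: a legitimate binary can be exactly 171,520 bytes, so treat size-only hits as candidates for a scan with a current pattern file rather than as confirmed infections.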

Propagation via Email

This worm uses its own SMTP engine to propagate via email. The email it sends out has the following details:

From: (Spoofed)

Subject: (any of the following)
  • Delivery Status Notification (Delay)
  • Hi
  • Error
  • Mail Transaction Failed
  • Test

Message body: (any of the following)

This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
YOU DO NOT NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipient has failed:

The message contains Uniocode characters and has been sent as a binary attachment.

Mail failed. For further assistance, Please contact!

It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

Attachments (any of the following filenames)

  • Body
  • data
  • Doc
  • Document
  • File
  • Message
  • Readme
  • Test
  • Text

The attachment may have any of the following filename extensions:

  • bat
  • Cmd
  • com
  • Exe
  • Pif
  • scr
  • Zip

It may also send out email with a blank subject and message body. Additionally, it may send a randomly named file as the attachment.
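The mail template above (fixed subjects, DSN-style body text, a short attachment name with an executable extension, or a blank message carrying a random executable) is enough to write a gateway rule. As an added example that is not part of the page, the following Python code parses a raw message with the standard library and reports which indicators match; the messages it checks are constructed here, not captured samples, and the rule that a hit needs an executable attachment plus one more indicator is this example's own choice.

```python
"""Score an inbound message against the WORM_LOVGATE.E mail template.

Added example (not from the page): parses a raw RFC 822 message and reports
which of the description's indicators it matches.
"""
import os
from email import message_from_string

SUBJECTS = {"delivery status notification (delay)", "hi", "error",
            "mail transaction failed", "test"}
BODY_PHRASES = (
    "this is an automatically generated delivery status notification",
    "and has been sent as a binary attachment",
    "mail failed. for further assistance, please contact!",
    "it's the long-awaited film version of the broadway hit",
)
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message",
                "readme", "test", "text"}
ATTACH_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}


def lovgate_indicators(raw_message):
    """Return the set of indicator names matched by the message."""
    msg = message_from_string(raw_message)
    hits = set()
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        hits.add("subject")
    body_parts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            attachments.append(fname)
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode("latin-1", "replace"))
    body = "\n".join(body_parts).lower()
    if any(p in body for p in BODY_PHRASES):
        hits.add("body")
    for fname in attachments:
        stem, ext = os.path.splitext(fname)
        if ext.lower() in ATTACH_EXTS:
            hits.add("executable_attachment")
            if stem.lower() in ATTACH_NAMES:
                hits.add("attachment_name")
    # The blank-subject/blank-body variant still carries an executable attachment.
    if not subject and not body.strip() and "executable_attachment" in hits:
        hits.add("blank_variant")
    return hits


def is_lovgate_mail(raw_message):
    """True when an executable attachment is paired with at least one other template match."""
    hits = lovgate_indicators(raw_message)
    return "executable_attachment" in hits and len(hits) >= 2


def build_sample(subject, body, attachment):
    """Construct a raw multipart message for testing (not a captured sample)."""
    lines = ["From: postmaster@example.org", "To: victim@example.net"]
    if subject is not None:
        lines.append(f"Subject: {subject}")
    lines += ["MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="bnd"', ""]
    if body is not None:
        lines += ["--bnd", "Content-Type: text/plain", "", body, ""]
    if attachment is not None:
        lines += ["--bnd", f'Content-Type: application/octet-stream; name="{attachment}"',
                  f'Content-Disposition: attachment; filename="{attachment}"',
                  "Content-Transfer-Encoding: base64", "", "TVqQAAMAAAAEAAAA//8AAA==", ""]
    lines.append("--bnd--")
    return "\n".join(lines) + "\n"


DSN_SAMPLE = build_sample("Mail Transaction Failed",
                          "Mail failed. For further assistance, Please contact!", "Document.pif")
BLANK_SAMPLE = build_sample(None, None, "q7hx2.scr")
BENIGN_SAMPLE = build_sample("Q3 figures", "Figures attached.", "q3-figures.zip")

if __name__ == "__main__":
    for label, sample in (("dsn", DSN_SAMPLE), ("blank", BLANK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_lovgate_mail(sample), sorted(lovgate_indicators(sample)))
```

A single .zip attachment is not enough on its own, which keeps ordinary business mail out of the hit list; the spoofed From header is deliberately not used as a signal because it carries no information the worm controls less than any other header.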

Other Details

This worm is compressed twice, producing two samples of different sizes. It is first compressed with PE Compact (165,888 bytes), then with Aspack (171,520 bytes).




Analysis by: Joseph Cepe

Revision History:

First pattern file version: 4.780.03
First pattern file release date: Oct 17, 2007

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 4.781.00

Pattern release date: Oct 17, 2007


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:
Refer to the Clean Solution for WORM_LOVGATE.Q.

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Restarting in Safe Mode

• On Windows 95

  1. Restart your computer.
  2. Press F8 at the Starting Windows 95 message.
  3. Choose Safe Mode from the Windows 95 Startup Menu then press Enter.

• On Windows 98 and ME

  1. Restart your computer.
  2. Press the CTRL key until the startup menu appears.
  3. Choose the Safe Mode option then press Enter.

• On Windows NT (VGA mode)

  1. Click Start>Settings>Control Panel.
  2. Double-click the System icon.
  3. Click the Startup/Shutdown tab.
  4. Set the Show List field to 10 seconds and click OK to save this change.
  5. Shut down and restart your computer.
  6. Select VGA mode from the startup menu.

• On Windows 2000

  1. Restart your computer.
  2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Note: After performing all the solutions for the removal of this malware, please restart your system normally, and run your Trend Micro antivirus product.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the following entries:
    WinHelp = "%System%\TkBellExe.exe"
    Soft Profile Inc = "%System%\hxdef.exe"
    Microsoft Inc. = "iexplorer.exe"
    VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
    Program In Windows = "%System%\IEXPLORE.EXE"
    Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    SystemTra = "%Windows%\Video.EXE"
    Installed shell32.dll = "Office.exe"

    (Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows NT>CurrentVersion>Windows
  7. In the right panel, locate and delete the entry:
    Run = "real.exe"
  8. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  9. In the right panel, locate and delete the entry:
    Run = "real.exe"
  10. Close Registry Editor.

NOTE: If the entries cannot be deleted because the malware is still running, restart your system in Safe Mode as described above and repeat this procedure.

Addressing Registry Shell Spawning

This procedure prevents the malware from executing whenever a user opens files with certain extension names. It should restore the registry to its original settings.

  1. Click Start>Run.
  2. In the Open input box, type:
    command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
  3. Press Enter.
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>txtfile>shell>open>command
  5. In the right panel, locate the registry entry:
    Default
  6. Check whether its value is the path and file name of the malware file.
  7. If the value is the malware file, right-click Default and select Modify to change its value.
  8. In the Value data input box, delete the existing value and type the default value:
    "%System%\notepad.exe" %1
  9. Close Registry Editor.
  10. Click Start>Run, then type:
    command /c del regedit.com
  11. Press Enter.

Enabling Show All Files

This procedure allows you to access hidden malware files using Windows Explorer.

• On Windows NT

  1. Open Windows Explorer. Right-click Start then click Explore.
  2. On the View menu, click Options or Folders Options.
  3. Click the View tab.
  4. Select Show all files, then click OK.

• On Windows 2000 and XP

  1. Open Windows Explorer. Right-click Start then click Explore.
  2. On the Tools menu, click Folder Options.
  3. Click the View tab.
  4. Select Show hidden files and folders, then click OK.

Deleting Malware Files

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    upDate.exe
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the file then press Delete.
  5. Repeat the procedure for the following filenames:
    AUTORUN.INF
    hxdef.exe
    IEXPLORE.EXE
    iexplorer.exe
    kernel66.dll
    msjdbc11.dll
    MSSIGN30.DLL
    ODBC16.dll
    Office.exe
    real.exe
    temp.uuu
    TkBellExe.exe
    Update_OB.exe
    Video.EXE
    winPatch.dll

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as WORM_LOVGATE.E. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.



