The worm attaches itself to a message that mimics an auto-reply, so recipients are enticed into opening the malicious attachment because it appears to arrive as a reply to a message they already know.
This variant also hides itself under various names in shared network folders on the infected computer, according to Panda Software, which considers it a very low threat. Lovgate.C reaches computers as an attachment to an e-mail message that takes one of several forms:
Subject: Documents
Attachment: Docs.exe
Message text: Send me your comments...

Subject: Pr0n!
Attachment: Sex.exe
Message text: Adult content!!! Use with parental advisory.

Subject: Evaluation copy
Attachment: Setup.exe
Message text: Test it 30 days for free.
When Lovgate.C is run it creates copies of itself with random names such as fun.exe, humor.exe or docs.exe in shared network folders. Lovgate.C is programmed to answer unread messages in the inbox of the e-mail client, sending an infected attachment along with the text:
YAHOO.COM Mail auto-reply: 'I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion!'
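The subject lines, attachment names and auto-reply wording quoted above are the only indicators the story gives, and they are enough for a mail-gateway triage rule. The following is an added example (not code from Panda Software or any other vendor named here) that parses RFC 822 messages with Python's standard `email` module and flags a message when at least two independent indicator kinds (subject, body phrase, attachment) match; the sample messages and the `example.invalid` addresses are constructed for the example, and the MZ placeholder bytes stand in for a real attachment.

```python
"""Mail-lure triage for the Lovgate.C indicators quoted in the story.

Added example: matching is on subject, attachment name and body text only,
so it is a triage aid for a mail gateway, not a replacement for AV signatures.
"""
import email
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the message templates quoted on the page.
LURE_SUBJECTS = {"documents", "pr0n!", "evaluation copy"}
LURE_ATTACHMENTS = {"docs.exe", "sex.exe", "setup.exe"}
AUTOREPLY_PHRASES = (
    "mail auto-reply",
    "account auto-reply",
    "take a look to the attachment and send me your opinion",
    "take a look at the attachment and send me your opinion",
)


def attachment_names(msg):
    """Return the lower-cased filenames of every attachment in a parsed message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name.lower())
    return names


def lure_reasons(raw):
    """Parse a raw message and return the list of matched indicators as 'kind:detail'."""
    msg = email.message_from_string(raw, policy=default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject:{subject}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    for phrase in AUTOREPLY_PHRASES:
        if phrase in body:
            reasons.append(f"body:{phrase}")
            break
    for name in attachment_names(msg):
        if name in LURE_ATTACHMENTS:
            reasons.append(f"attachment:{name}")
        elif name.endswith(".exe"):
            # The worm also uses random names (fun.exe, humor.exe), so any
            # executable attachment counts as a weaker attachment indicator.
            reasons.append(f"attachment:executable:{name}")
    return reasons


def is_lovgate_lure(raw):
    """True when at least two different indicator kinds match (subject/body/attachment)."""
    kinds = {reason.split(":", 1)[0] for reason in lure_reasons(raw)}
    return len(kinds) >= 2


def build_message(subject, body, attachment_name=None):
    """Build a sample message; constructed test data, not a real worm sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ-placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: two lures built from the page's templates and one benign message.
SAMPLE_LURE = build_message("Evaluation copy", "Test it 30 days for free.", "Setup.exe")
SAMPLE_AUTOREPLY = build_message(
    "Re: meeting notes",
    "YAHOO.COM Mail auto-reply: 'I'll try to reply as soon as possible. "
    "Take a look to the attachment and send me your opinion!'",
    "fun.exe",
)
SAMPLE_BENIGN = build_message("Documents", "Here are the notes from today.")

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("autoreply", SAMPLE_AUTOREPLY),
                          ("benign", SAMPLE_BENIGN)):
        print(label, is_lovgate_lure(sample), lure_reasons(sample))
```

Requiring two indicator kinds is what keeps the benign "Documents" message out: a subject alone is a common word, but a subject from the template plus an executable attachment, or the auto-reply phrasing plus an executable, is the combination the story describes.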
This malicious code also has certain characteristics of a Trojan: it acts as a backdoor by opening a TCP/IP port (usually 10168), which could allow a hacker to gain remote access to the computer. When it does so, Lovgate.C sends a message to hacker117@163.com.
In addition, this worm makes a number of entries in the Windows Registry to ensure it is run on every system start-up. Read more about the effects of Lovgate.C on this Panda Software Web page.
According to F-Secure, in all three variants (A, B and C) a dropped DLL opens another copy of the backdoor on port 1192. It sends the collected private information to the following addresses:
hello_dll@163.com
hacker117@163.com
The worm has its own SMTP engine and connects to the host smtp.163.com to deliver its messages. The domain 163.com seems to be a Chinese Web portal. Check here to see the usernames and passwords it tries if the shares are password protected.
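The backdoor ports, the notification addresses and the SMTP relay quoted in the preceding paragraphs are host and network indicators an incident responder can check for directly. The following is an added example (not code from F-Secure, Panda Software or any other source named here) that matches constructed log lines against those indicators: a `netstat`-style socket listing, mail-log lines and a share directory listing. The log line formats, the `192.0.2.10` address and the share paths are invented for the example; the resolved `smtp.163.com` name in the socket listing assumes the collector resolves peer names, which `netstat -an` does not.

```python
"""Host/network indicator check for Lovgate.C behaviour described in the story.

Added example with constructed log formats; adapt the regular expressions to
whatever socket, mail and file-share sources an environment actually has.
"""
import re
from collections import namedtuple

# Indicators quoted on the page.
BACKDOOR_PORTS = {10168, 1192}          # TCP listeners opened by the worm and its DLL
NOTIFY_ADDRESSES = {"hello_dll@163.com", "hacker117@163.com"}
WORM_SMTP_HOST = "smtp.163.com"         # relay used by the worm's own SMTP engine
DROPPED_NAMES = {"fun.exe", "humor.exe", "docs.exe"}  # copies left in shared folders

Finding = namedtuple("Finding", "kind detail")

# Constructed socket-listing format: proto local:port foreign:port [state]
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\w+))?")
# Constructed mail-log format: recipients appear as to=<address>
MAILLOG_RE = re.compile(r"to=<([^>]+)>")


def scan_sockets(lines):
    """Flag backdoor listeners and outbound SMTP sessions to the worm's relay."""
    findings = []
    for line in lines:
        match = NETSTAT_RE.match(line)
        if not match:
            continue
        proto, _local, lport, raddr, rport, state = match.groups()
        if proto == "TCP" and state == "LISTENING" and int(lport) in BACKDOOR_PORTS:
            findings.append(Finding("backdoor_listener", f"tcp/{lport}"))
        if proto == "TCP" and raddr.lower() == WORM_SMTP_HOST and rport == "25":
            findings.append(Finding("worm_smtp_session", f"{raddr}:{rport}"))
    return findings


def scan_maillog(lines):
    """Flag messages addressed to the worm's notification mailboxes."""
    return [Finding("notify_address", addr.lower())
            for line in lines for addr in MAILLOG_RE.findall(line)
            if addr.lower() in NOTIFY_ADDRESSES]


def scan_share_listing(paths):
    """Flag files in shared folders whose names match the worm's dropped copies."""
    findings = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPED_NAMES:
            findings.append(Finding("dropped_copy", path))
    return findings


def scan_all(socket_lines, mail_lines, share_paths):
    """Combine the three scanners; any finding warrants a closer look at the host."""
    return (scan_sockets(socket_lines) + scan_maillog(mail_lines)
            + scan_share_listing(share_paths))


# Constructed samples (not real captures).
SOCKET_SAMPLE = [
    "  TCP    0.0.0.0:10168      0.0.0.0:0          LISTENING",
    "  TCP    0.0.0.0:1192       0.0.0.0:0          LISTENING",
    "  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING",
    "  TCP    192.0.2.10:1034    smtp.163.com:25    ESTABLISHED",
    "  UDP    0.0.0.0:137        *:*",
]
MAIL_SAMPLE = [
    "relay: from=<victim@example.invalid> to=<hacker117@163.com> status=sent",
    "relay: from=<victim@example.invalid> to=<colleague@example.invalid> status=sent",
]
SHARE_SAMPLE = [
    r"\\FILESRV\public\humor.exe",
    r"\\FILESRV\public\report.doc",
]

if __name__ == "__main__":
    for finding in scan_all(SOCKET_SAMPLE, MAIL_SAMPLE, SHARE_SAMPLE):
        print(finding.kind, finding.detail)
```

Port 445 and the NetBIOS UDP line are included so that the rule only fires on the two ports the story names; a listener on 10168 or 1192 is unusual enough on a workstation to be worth a look on its own, while a dropped-copy name such as docs.exe needs the other indicators to be meaningful.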
Avert Labs is also issuing an advisory for the worm today under the alias W32/Lovgate@M, and is giving it a medium risk assessment because of its prevalence.
In addition to replying to messages via its own SMTP engine, the worm will also attach itself to the message as any one of the files listed below. For example, if you find a message in your Inbox from '???@wherever.com' the worm will reply to the message as follows:
Wherever.com account auto-reply: 'I'll try to reply as soon as possible. Take a look at the attachment and send me your opinion!' >Get your Free wherever.com account now! <
What is noteworthy is that the domain 'wherever.com' has been used by the worm in its message body. Aside from replying to messages, strings within the worm suggest it is intended to mail itself from the victim machine. This has not been observed in Avert Labs' testing, and so the worm is detected with the @M suffix.
Aside from the mailing component, read about the worm and backdoor components here.
Sophos detects the worm as W32/Lovgate-B and also lists the following aliases: Lovgate-C, I-Worm.Supnot.c, W32.HLLW.Lovgate.C@mm, WORM_LOVGATE.C and W32/Lovgate.C@M. Removal instructions can be found here.
The worm is being given a medium risk alert by Trend Micro, which says it has received infection reports from Taiwan, Australia, France and Japan. View a template of the message here.
The worm will perform additional actions if the infected computer runs Windows NT, 2000, or XP, according to Symantec. Read technical details here.
W32/Gibe-D Drops Files onto Hard Drive
W32/Gibe-D is a worm that spreads by sending out email and by making itself available for download via the KaZaA peer-to-peer file sharing system, according to Sophos.
W32/Gibe-D also makes copies of itself, including multiple copies in your KaZaA folder. These files may have a variety of names. View them here.
New Version of Roro Worm Making Rounds
Roron version 5.1 (according to its internal numbering) appeared at the beginning of 2003. The first sample of this worm came from France.
Version 5.1 has functionality similar to that of the Roro.P (version 4.1) worm. The description of the Roro.P worm can be found here.
However, version 5.1 differs from version 4.1 of the Roro worm in a few respects:
1. The worm now displays one of four fake error messages when its file is started for the first time.
2. The new worm variant has several additional message templates that it uses to send itself from an infected system.
The worm has several different body text messages. Read them as well as the other characteristics of Version 5.1 here.
Compiled by Esther Shein.
Text recovered from the images of the four fake error dialogs referenced above (the third and fourth survive only as their titles):
WinZip Self-Extractor License Confirmation: Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information.
Windows: Cannot open file: it does not appear to be a valid program. If you downloaded this file, try downloading file again.
Error Starting Program: The
Windows
Header recovered from the image of the message template referenced above:
From: greetings@kefche.com
Subject: Preotkrii sebe si