Initial analysis suggests this is a mass-mailing virus that incorporates an SMTP engine and a backdoor component. The virus contains its own SMTP engine, which it uses to deliver its email.
When activated, the virus may try to reply to any emails it finds in the recipient's in-box, attaching itself to the email. It also appears able to harvest passwords from the recipient's machine, which may then be emailed to a number of email contacts.
The backdoor component may open TCP port 10168, allowing the machine to be controlled remotely. In addition to the SMTP engine, it may also have the ability to spread via various network shares.
For a graph showing details of the hourly catch of Lovgate.C, visit this MessageLabs Web page.
Eikam Virus Infects Word Documents
Eikam is a macro virus that infects Microsoft Word documents, as well as the global template used by this program, according to Panda Software.
Eikam uses the normal means of infection used by macro viruses. First, it infects the global template. Then, it infects all the documents opened, closed or saved in the affected computer. This malware also disables the macro antivirus protection contained in Word.
Read visible symptoms on this Panda Software page.
An alert for Eikam has also been issued by Sophos, which says the virus will set certain registry entries on particular days of the month. Read what they are here.
Oror-R Attempts to Exploit IE Vulnerability
Sophos also issued an alert Tuesday for W32/Oror-R, an Internet worm that spreads via network shares, file sharing on KaZaA networks and by emailing itself to addresses found within files on the local hard drive. The email subject line, message text and attachment filename are randomly chosen.
The worm attempts to exploit a known vulnerability in Internet Explorer versions 5.01 and 5.5, so that the attachment is launched automatically when the email is selected for viewing.
To prevent re-infection, users of Microsoft Outlook and Outlook Express should install this patch available from Microsoft.
This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm. The worm copies itself to the Windows folder with a name that is a combination of 'Cmd,' the computer's name backwards and "16.exe," "32.exe" or ".exe". For example if the computer's name is "test," the worm copies itself as Cmdtset16.exe.
Find out more on this Sophos page.
Worm_GIBE.B Disguises Itself as Security Patch
This worm propagates through email, Kazaa file-sharing network, and the Internet Relay Chat application similar to mIRC. When spread via email, it gets its recipients from email addresses listed in the Windows Address Book and addresses remotely retrieved from certain news servers.
This worm arrives as an email disguising itself as a security patch from Microsoft. It has a random subject, message body and attachment name.
See technical details on this Trend Micro page.
Compiled by Esther Shein.
Loading Comments...