MessageLabs is reporting this is a mass-mailing virus that incorporates an SMTP engine, and may be able to spread via network shares as well as email. Once activated, the virus appears to reply to any emails it finds in the recipient's in-box, attaching itself to the reply.
From the copies that MessageLabs have intercepted, the email may be composed as follows:
Subject lines appear to be based on the existing emails being replied to, and are therefore random.
The file attachment is written in Microsoft Visual C/C++, is compressed using ASPack, and is 107,008 bytes in size.
Attachment file names may include:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
The virus is presently most active in South Korea and Germany. For more information, including daily graphs and statistics of virus activity, visit this MessageLabs page.
Sophos has listed the virus as W32/Lovgate-E, and says it may also have one of the following filenames, since these are the names used for the email attachment:
pics.zip.scr
images.pif
readme.txt.pif
interesting.exe
source.exe
you_are_fat.txt.pif
enjoy.exe
doom3 preview!!!.exe
driver.exe
about_me.txt.pif
Read more on this Sophos page.
According to Trend Micro, this Aspack-compressed worm propagates through network shares by dropping copies of itself to shared folders with read/write access.
It also spreads through email by replying to all new messages received in Microsoft Outlook and Outlook Express. Read more on this Trend Micro page.
Lovgate.F is difficult to recognize because it does not display any messages or warnings that indicate that it has infected a computer, according to Panda Software. Read more on this Panda Software page.
For more on the various Lovgate variants, visit this F-Secure page.
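Most of the attachment names reported above by MessageLabs and Sophos put a harmless-looking extension (.doc, .txt, .zip, .JPG) in front of the one Windows actually runs (.exe, .pif, .scr). The following is an added example, not code from any of the vendors cited, showing how a mail gateway could triage attachment names on that pattern; the function names and the two extension sets are assumptions chosen for illustration.

```python
import ntpath

# Extensions Windows runs directly; exe, pif, scr and bat appear in the lists above.
EXECUTABLE = {"exe", "pif", "scr", "bat", "com", "cmd"}
# Extensions a recipient reads as a harmless document, archive or picture.
DECOY = {"doc", "txt", "zip", "jpg", "jpeg", "gif", "pdf", "xls", "mp3"}


def classify_attachment(filename):
    """Return 'masquerade', 'executable' or 'ok' for an attachment name."""
    # Drop any path, then the trailing dots and spaces that Windows ignores
    # when opening a file ("a.exe. " still resolves to a.exe).
    name = ntpath.basename(filename).rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return "ok"
    # A decoy extension directly before the real one hides the file type
    # when Explorer is set to hide known extensions.
    if len(parts) >= 3 and parts[-2] in DECOY:
        return "masquerade"
    return "executable"


def triage(filenames):
    """Group attachment names by verdict for a quarantine decision."""
    report = {"masquerade": [], "executable": [], "ok": []}
    for f in filenames:
        report[classify_attachment(f)].append(f)
    return report


# Names taken from the lists above, plus two constructed benign names.
SAMPLE = [
    "Are you looking for Love.doc.exe",
    "Sex_For_You_Life.JPG.pif",
    "pics.zip.scr",
    "autoexec.bat",
    "Mafia Trainer!!!.exe",
    "quarterly report.doc",   # constructed
    "holiday.photos.jpg",     # constructed
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE).items():
        print(verdict, names)
```

A name-based check like this only catches the disguise in the file name; it does not inspect the attachment's content.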
New Variant of Vote.D Voices More on WTC Tragedy
A new variant of the Vote virus, Vote.D, has been found, according to F-Secure. Vote.A disguises itself as WTC pictures, trying to remind and frighten readers about the WTC tragedy. This simple virus was written by a teenager, according to F-Secure.
The original Vote virus was found on Sept. 24, 2001, 13 days after the WTC tragedy. The worm uses the standard Windows Mail API to access the user's address book. This affects users of MAPI-compatible e-mail clients, mainly Microsoft Outlook.
The e-mails sent by the worm appear as follows:
From: name-of-the-infected-user
To: random-name-from-address-book
Subject: Fwd:Peace BeTween AmeriCa and IsLaM !
Hi
iS iT waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
Attachment: WTC.exe
Read about the various ways the virus attempts to disable antivirus software programs on this F-Secure page.
Worm_Cult.A Sends Email Announcing Phony eCard
Trend Micro also was reporting the appearance Monday of Worm_Cult.A, a non-memory resident worm that spreads via the Kazaa peer-to-peer file-sharing network.
It also emails copies of itself to addresses with the following domains:
email.com
Earthlink.net
Roadrunner.com
yahoo.com
msn.com
hotmail.com
It sends email with the following format:
Subject: Hi, I sent you an eCard from BlueMountain.com
Message Body: To view your eCard, open the attachment
If you have any comments or questions, please visit
http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.
Attachment: BlueMountaineCard.pif
It spoofs the "from" field on its email messages, randomly selecting from a list of 94 strings in its body. This worm, which runs on Windows 95, 98, ME, NT, 2000, and XP, drops a backdoor component detected by Trend Micro as BKDR_CULT.A.
For more information, visit this Trend Micro page.
Compiled by Esther Shein.