AnVir Software

Virus Lovgate


Lovgate is a mass-mailing worm that emails itself to all the email addresses that it finds on the computer.
It copies itself as these files:
  • %Windir%\Systra.exe
  • %System%\Hxdef.exe
  • %System%\iexplore.exe
  • %System%\RAVMOND.exe
  • %System%\Kernel66.dll, with attributes set to Read Only, Hidden, and System.
  • %System%\WinHelp.exe
  • %System%\spollsv.exe
  • C:\COMMAND.EXE

    Notes:
    %Windir% is a variable: the worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    %System% is a variable: the worm locates the System folder and copies itself to that location. By default, this is C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System32 (Windows XP).

    Creates the files:
  • %System%\ODBC16.dll
  • %System%\Msjdbc11.dll
  • %System%\MssIGN30.DLL
  • %System%\LMMIB20.DLL
  • %System%\NetMeeting.exe

    Adds the values:
  • "Shell Extension"="%system%\spollsv.exe"
  • "Hardware Profile"="%System%\hxdef.exe"
  • "Microsoft NetMeeting Associates, Inc."="NetMeeting.exe"
  • "Program in Windows"="%System%\IEXPLORE.EXE"
  • "Protected Storage"="RUNDLL32.EXE MssIGN30.DLL ondll_reg"
  • "VFW Encoder/Decoder Settings"="RUNDLL32.exe MssIGN30.DLL ondll_reg"
  • "WinHelp"="%System%\WinHelp.exe"
  • "ssgrate.exe"="%System%\system.exe"
  • "run"="%system%\RAVMOND.exe"

    to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that the worm runs when you start Windows.

    Adds the value: "SystemTra"="%Windir%\Systra.exe"
    to the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    Adds the value: "run"="RAVMOND.exe"
    to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
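
One way to check a host for the autostart values listed above, given the text output of `reg query` for each key. This is an added example, not AnVir's code: the function name, the assumed `reg query` layout (four spaces between name, type and data) and the sample input are constructed for illustration.

```python
import re

# Autostart values listed on this page: registry key -> {value name: marker in data}.
HKLM_WIN = r"hkey_local_machine\software\microsoft\windows\currentversion"
LOVGATE_AUTOSTART = {
    HKLM_WIN + r"\run": {
        "shell extension": "spollsv.exe",
        "hardware profile": "hxdef.exe",
        "microsoft netmeeting associates, inc.": "netmeeting.exe",
        "program in windows": "iexplore.exe",
        "protected storage": "mssign30.dll ondll_reg",
        "vfw encoder/decoder settings": "mssign30.dll ondll_reg",
        "winhelp": "winhelp.exe",
        "ssgrate.exe": "system.exe",
        "run": "ravmond.exe",
    },
    HKLM_WIN + r"\runservices": {"systemtra": "systra.exe"},
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": {"run": "ravmond.exe"},
}
# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")

def find_lovgate_autostarts(reg_query_output):
    """Return (key, value name, data) for values matching both name and target."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = VALUE_RE.match(line)
        if m and key in LOVGATE_AUTOSTART:
            name, data = m.group(1).strip(), m.group(3).strip()
            marker = LOVGATE_AUTOSTART[key].get(name.lower())
            # Data must also name the worm's file, so a benign value sharing a name is skipped.
            if marker and marker in data.lower():
                hits.append((key, name, data))
    return hits

# Constructed sample input, not captured from a real host.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    WinHelp    REG_SZ    C:\WINDOWS\System32\WinHelp.exe
    Protected Storage    REG_SZ    RUNDLL32.EXE MssIGN30.DLL ondll_reg
    run    REG_SZ    C:\WINDOWS\System32\RAVMOND.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run    REG_SZ    RAVMOND.exe
"""
```

Calling `find_lovgate_autostarts(SAMPLE)` returns the four matching values and skips `SecurityHealth`; any hit should be followed up by checking the referenced file on disk.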

    It monitors the process list and tries to terminate some antivirus programs.

    Copies itself to all the network-shared folders and subfolders.

    Replies to all incoming messages when they arrive in the mailbox. Scans the system WAB (Windows Address Book) file, temporary Internet files, and all the fixed and RAM disks, and sends itself to all the email addresses that it finds.

    Creates the service, "Windows Management Protocol v.0 (experimental)", which is mapped to "Rundll32.exe msjdbc11.dll ondll_server". Creates the service, "_reg", which is mapped to "Rundll32.exe msjdbc11.dll ondll_server".

    The worm attempts to connect to remote shares (IPC$ and ADMIN$), using a list of usernames and passwords it carries. If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:
    ADMIN$\SYSTEM32\NETMANAGER.EXE and remotely executing it as a service.






    © Copyright 2000-2008 AnVir Software. All Rights Reserved.