
Lovgate.Y

infectionvectors.com

July 2004

Infection Vectors: Mass Mail, File Shares

Impact: High (backdoor, quick file share infestation, renames executables)

Description:

Lovgate.Y, in the proud tradition of the Lovgate variants, travels in a familiar fashion: via a mass mail routine and through network file shares (including KaZaA). As in the case of other versions of this virus, Lovgate.Y can travel very quickly through LANs with unprotected network shares. It will open a backdoor to the infected machine, attempt to email system information about compromised hosts back to the author, and vandalize mapped drives. Lovgate.Y does the following:

-Copies itself (including backdoor components) into multiple locations on the Windows system, with the corresponding Registry entries (see below).

-Creates a new share named “media” and places a copy of the virus into every existing network share.

-Kills certain virus/antivirus services by terminating any running process whose name contains one of the following strings: KV, KAV, McAfee, Symantec, SkyNet, rising, Ravmon, rfw, kill, duba, gate, NAV.

-Attempts to connect to all LAN devices via the ADMIN$ share using weak passwords (the worm carries a password list). If successful, it drops a copy of the virus in the SYSTEM folder and executes the file.

-Replies (via the user’s mail client) to all received emails with a message containing a copy of the virus and the now familiar Lovgate message body:

 If you can keep your head when all about you
 Are losing theirs and blaming it on you;
 If you can trust yourself when all men doubt you,
 But make allowance for their doubting too;
 If you can wait and not be tired by waiting,
 Or, being lied about, don't deal in lies,
 Or, being hated, don't give way to hating,
 And yet don't look too good, nor talk too wise;
 ... ... more  look to the attachment.

-Mass mails itself to every address harvested from the local machine, using its own internal SMTP engine.

-Searches for the KaZaA folder and copies itself there as well.

-Opens TCP 6000 as a listening port for the backdoor, and emails system information gathered from the infected machine (a copy is stored in C:\netlog.txt).

In an effort to guarantee execution of the worm, Lovgate.Y renames executables from an extension of EXE to ZMX. It then copies the worm (under the original filename, including the EXE extension) to the location of the renamed file. As a result, any shortcut pointing to the original file executes another copy of the worm when opened.
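As an added defender-side example (not code from the original page), the following Python check looks for the EXE-to-ZMX rename described above: it flags every EXE that has a same-named ZMX beside it, confirms that the suspect EXEs are identical copies of one dropped file, and restores the originals. The sample directory tree and its file names are constructed here purely for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_zmx_renames(root):
    """Walk root and return (suspect_exe, original_zmx, sha256_of_exe) for every
    foo.exe that has a foo.zmx beside it. A lone .zmx or lone .exe is not flagged."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {n.lower(): n for n in files}   # Windows names are case-insensitive
        for lower, actual in by_lower.items():
            if not lower.endswith(".zmx"):
                continue
            exe = by_lower.get(lower[:-4] + ".exe")
            if exe is not None:
                exe_path = Path(dirpath) / exe
                hits.append((exe_path, Path(dirpath) / actual, sha256_of(exe_path)))
    return hits

def restore_originals(hits):
    """Delete each suspect EXE and rename the .zmx back. Only safe when every
    suspect EXE has the same hash, i.e. they are all copies of one dropped file."""
    if len({h[2] for h in hits}) > 1:
        raise ValueError("suspect EXEs differ; inspect manually before restoring")
    for exe_path, zmx_path, _ in hits:
        exe_path.unlink()
        zmx_path.rename(zmx_path.with_suffix(".exe"))
    return len(hits)

def build_sample_tree():
    """Constructed sample (no real malware): two renamed pairs plus one clean EXE."""
    root = Path(tempfile.mkdtemp())
    worm = b"CONSTRUCTED-WORM-COPY"          # stands in for the dropped worm body
    (root / "apps").mkdir()
    (root / "apps" / "calc.zmx").write_bytes(b"original calc")
    (root / "apps" / "calc.exe").write_bytes(worm)
    (root / "tools" / "sub").mkdir(parents=True)
    (root / "tools" / "sub" / "Notepad.zmx").write_bytes(b"original notepad")
    (root / "tools" / "sub" / "notepad.exe").write_bytes(worm)
    (root / "tools" / "clean.exe").write_bytes(b"untouched program")
    return root
```

Run `find_zmx_renames` over every local and mapped drive; if all reported hashes agree, the EXEs are worm copies and `restore_originals` puts the renamed programs back.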

Blocking Lovgate.Y:

The mass mailed copies of this worm can be blocked by dropping files with any of the following extensions: EXE, BAT, PIF, SCR, CMD, ZIP.

Keeping ALL network file shares and administrator accounts protected with strong passwords will block the file share vector.

The use of KaZaA is strongly discouraged in a secure setting; any files retrieved with this service are suspect for viral infections.

Mitigating Lovgate.Y Infections:

Ensure strong password protection for administrator accounts and file shares of all kinds.

Block inbound sessions on TCP 6000.

Prevent workstations from accessing TCP 25 directly (to prevent mass mails).

Registry Entries Created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Program in Windows"="%system%\iexplore.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Protected Storage"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "WinHelp"="%system%\WinHelp.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Hardware Profile"="%system%\hxdef.exe..."
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Program in Windows"="%system%\IEXPLORE.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft NetMeeting Associates, Inc."="NetMeeting.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Shell Extension"="%system%\spollsv.exe"

Windows 95-ME:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "SystemTra"="%Windir%\SysTra.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "COM++ System"="svchost.exe..."

Windows NT4-XP:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ "run"="RAVMOND.exe"

Copyright © 2004 infectionvectors.com. All rights reserved.