W32/Lovgate.V@mm

Analysis

  • Copies itself to the Windows folder as Systra.exe.
  • Copies itself to the System folder as the following:
    • Hxdef.exe
    • iexplore.exe
    • RAVMOND.exe
    • Kernel66.dll
    • WinHelp.exe

  • Creates the following files in the System folder:
    • ODBC16.dll
    • Msjdbc11.dll
    • MSSIGN30.DLL
    • LMMIB20.DLL

Autostart Mechanism
  • Creates the following registry entries:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      Hardware Profile = "%SYSTEM%\hxdef.exe"
      Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"
      Program in Windows = "%SYSTEM%\IEXPLORE.EXE"
      Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
      VFW Encoder/Decoder Settings = "RUNDLL32.exe MSSIGN30.DLL ondll_reg"
      WinHelp = "%SYSTEM%\WinHelp.exe"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      SystemTra = "%WINDOWS%\Systra.exe"
    Note: %SYSTEM% refers to the System folder (for example C:\Windows\System32) and %WINDOWS% refers to the Windows folder.

Email Propagation
  • Gathers email addresses from the following sources:
    • Windows Address Book
    • Temporary Internet files
    • files with the following extensions on all fixed and RAM disks, drives C: through Y:
      • txt
      • htm
      • sht
      • php
      • asp
      • dbx
      • tbb
      • adb
      • pl
      • wab

  • Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
    From: The sender's name is randomly selected from a list that the worm carries.
    Subject: one of the following:
    • test
    • hi
    • hello
    • Mail Delivery System
    • Mail Transaction Failed
    • Server Report
    • Status
    • Error

    Message Body: one of the following:
    • It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
    • The message contains Unicode characters and has been sent as a binary attachment.
    • Mail failed. For further assistance, please contact!

    Attachment: Randomly constructed file name, with the following extensions:
    • exe
    • scr
    • pif
    • cmd
    • bat
    • zip
    • rar

  • Replies to all incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, including Microsoft Outlook. The email has the following format:
    Subject: Re: [Original Subject]
    To: [Original Sender's Email Address]
    Message Body:
    [Original Sender] wrote:
    ====
    > [Original Message Body]
    >
    ====
    [Original Sender's Domain] account auto-reply:
    > Get your FREE [Original Sender's Domain] now! <
    If you can keep your head when all about you
    Are losing theirs and blaming it on you;
    If you can trust yourself when all men doubt you,
    But make allowance for their doubting too;
    If you can wait and not be tired by waiting,
    Or, being lied about,don't deal in lies,
    Or, being hated, don't give way to hating,
    And yet don't look too good, nor talk too wise;
    ... ... more look to the attachment.
    Attachment: one of the following:
    • the hardcore game-.pif
    • Sex in Office.rm.scr
    • Deutsch BloodPatch!.exe
    • s3msong.MP3.pif
    • Me_nude.AVI.pif
    • How to Crack all gamez.exe
    • Macromedia Flash.scr
    • SETUP.EXE
    • Shakira.zip.exe
    • dreamweaver MX (crack).exe
    • StarWars2 - CloneAttack.rm.scr
    • Industry Giant II.exe
    • DSL Modem Uncapper.rar.exe
    • joke.pif
    • Britney spears nude.exe.txt.exe
    • I am For u.doc.exe
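
The traits listed above (fixed subject list, fixed body phrases, an executable or archive attachment, and the "Re:" auto-reply whose body carries an "account auto-reply:" marker and a double-extension lure such as .rm.scr or .txt.exe) can be turned into a mail-gateway or triage check. The following PowerShell is an added example and not part of Fortinet's analysis; the function name, the scoring and the three sample messages are this example's own constructions, and the indicator strings are taken from the description above.

```powershell
# Added example: score a message against the W32/Lovgate.V@mm mail traits
# described on this page. Inputs are plain strings, so it can be fed from a
# gateway log or a .eml parser. The function and samples are this example's own.

$WormSubjects = 'test', 'hi', 'hello', 'Mail Delivery System', 'Mail Transaction Failed',
                'Server Report', 'Status', 'Error'
$WormBodyPhrases = 'sent as a binary attachment',
                   'Mail failed. For further assistance, please contact!'
# Final extensions the worm gives its attachments (exe/scr/pif/cmd/bat/zip/rar).
$WormAttachmentExtensions = 'exe', 'scr', 'pif', 'cmd', 'bat', 'zip', 'rar'

function Test-LovgateMail {
    param(
        [string]$Subject,
        [string]$Body,
        [string[]]$Attachments = @()
    )
    $hits = New-Object System.Collections.Generic.List[string]

    # Subject either comes from the worm's fixed list ...
    if ($WormSubjects -contains $Subject.Trim()) {
        $hits.Add("subject in worm list: '$Subject'")
    }
    # ... or is the "Re: <original>" auto-reply, recognisable by its body marker.
    if ($Subject -match '^\s*Re:' -and $Body -match 'account auto-reply:') {
        $hits.Add('auto-reply body marker with Re: subject')
    }
    foreach ($phrase in $WormBodyPhrases) {
        if ($Body.IndexOf($phrase, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $hits.Add("body phrase: '$phrase'")
        }
    }
    foreach ($name in $Attachments) {
        # "Sex in Office.rm.scr" -> 'Sex in Office', 'rm', 'scr'
        $parts = $name -split '\.'
        if ($parts.Count -lt 2) { continue }
        $final = $parts[-1].ToLowerInvariant()
        if ($WormAttachmentExtensions -contains $final) {
            $hits.Add("executable/archive attachment: $name")
            # Two or more extensions with an executable last one is the lure pattern.
            if ($parts.Count -ge 3) {
                $hits.Add("double extension (.$($parts[-2]).$final): $name")
            }
        }
    }
    return ,$hits
}

# Constructed samples (not real captures) modelled on the traits above.
$samples = @(
    @{ Subject     = 'Mail Transaction Failed'
       Body        = 'The message contains Unicode characters and has been sent as a binary attachment.'
       Attachments = 'kx7q2.zip' },
    @{ Subject     = 'Re: quarterly numbers'
       Body        = "bob wrote:`n====`n> see attached`n====`nexample.org account auto-reply:`n> Get your FREE example.org now! <"
       Attachments = 'Sex in Office.rm.scr' },
    @{ Subject     = 'lunch?'
       Body        = 'Are we still on for 12:30?'
       Attachments = 'menu.pdf' }
)
foreach ($m in $samples) {
    $hits = Test-LovgateMail -Subject $m.Subject -Body $m.Body -Attachments $m.Attachments
    '{0,-28} {1} indicator(s)' -f $m.Subject, $hits.Count
    $hits | ForEach-Object { "    $_" }
}
```

The first sample scores three indicators (listed subject, body phrase, archive attachment), the second three (auto-reply marker, executable attachment, .rm.scr double extension), the third none. Subjects such as "hi" or "Status" are common in legitimate mail, so treat a single indicator as a weight rather than a block; the double-extension and auto-reply-marker checks are the ones worth acting on alone.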


Network Propagation
  • Copies itself to all network-shared folders and subfolders as any of the following:
    • WinRAR.exe
    • Internet Explorer.bat
    • Documents and Settings.txt.exe
    • Microsoft Office.exe
    • Windows Media Player.zip.exe
    • Support Tools.exe
    • WindowsUpdate.pif
    • Cain.pif
    • MSDN.ZIP.pif
    • autoexec.bat
    • findpass.exe
    • client.exe
    • i386.exe
    • winhlp32.exe
    • xcopy.exe
    • mmc.exe

  • Scans all the computers on the local network and attempts to log in as Administrator using the following passwords:
    • Guest
    • Administrator
    • zxcv
    • yxcv
    • xxx
    • win
    • test123
    • test
    • temp123
    • temp
    • sybase
    • super
    • sex
    • secret
    • pwd
    • pw123
    • Password
    • owner
    • oracle
    • mypc123
    • mypc
    • mypass123
    • mypass
    • love
    • login
    • Login
    • Internet
    • home
    • godblessyou
    • god
    • enable
    • database
    • computer
    • alpha
    • admin123
    • Admin
    • abcd
    • aaa
    • 88888888
    • 2600
    • 2004
    • 2003
    • 123asd
    • 123abc
    • 123456789
    • 1234567
    • 123123
    • 121212
    • 11111111
    • 110
    • 007
    • 00000000
    • 000000
    • pass
    • 54321
    • 12345
    • password
    • passwd
    • server
    • sql
    • !@#$%^&*
    • !@#$%^&
    • !@#$%^
    • !@#$%
    • asdfgh
    • asdf
    • !@#$
    • 1234
    • 111
    • root
    • abc123
    • 12345678
    • abcdefg
    • abcdef
    • abc
    • 888888
    • 666666
    • 111111
    • admin
    • administrator
    • guest
    • 654321
    • 123456
    • 321
    • 123

  • If the worm successfully logs on to the remote computer, it attempts to copy itself as:
    \\<Remote Computer Name>\admin$\system32\netservices.exe
    then starts the file as the service Microsoft NetWork FireWall Services.
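
The two steps above leave a distinctive trail in Windows event logs: a burst of failed network logons as Administrator from one source while the password list is tried, followed by a service installation for netservices.exe on any host where a guess succeeds. The following PowerShell hunt is an added example and not part of Fortinet's analysis; it assumes the Vista/2008 and later event schema (4625 failed logon, 7045 service installed) with logon-failure auditing enabled, and the threshold and function names are this example's own.

```powershell
# Added example: hunt the Security and System logs for the worm's network
# propagation as described on this page. Run elevated on the target host or
# on a collector that forwards these logs. Threshold is this example's choice.

function ConvertFrom-EventData {
    # Turn an event's <EventData><Data Name="..."> elements into a hashtable.
    param($Event)
    $table = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $table[$d.Name] = $d.'#text' }
    }
    return $table
}

function Get-AdminPasswordBursts {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$Threshold = 20     # the worm's list holds about 85 guesses; a burst is large
    )
    # 4625 = failed logon. Keep network logons (type 3) against 'Administrator' only.
    $attempts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            if ($f.LogonType -eq '3' -and $f.TargetUserName -eq 'Administrator') {
                [pscustomobject]@{ Time = $_.TimeCreated; Source = $f.IpAddress; Workstation = $f.WorkstationName }
            }
        }
    # One row per source that crossed the threshold, with the window it was active in.
    $attempts | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            First    = $times[0]
            Last     = $times[-1]
        }
    }
}

function Get-WormServiceInstalls {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # 7045 = new service installed. The worm registers %SYSTEM%\netservices.exe
    # under the name 'Microsoft NetWork FireWall Services'; match on either.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            if ($f.ServiceName -eq 'Microsoft NetWork FireWall Services' -or $f.ImagePath -match 'netservices\.exe') {
                [pscustomobject]@{ Time = $_.TimeCreated; Service = $f.ServiceName; ImagePath = $f.ImagePath; Account = $f.AccountName }
            }
        }
}

Get-AdminPasswordBursts | Format-Table -AutoSize
Get-WormServiceInstalls | Format-Table -AutoSize
```

A source reported by Get-AdminPasswordBursts is the infected machine, not the victim; check the same source for a 4624 type 3 logon as Administrator to see whether a guess landed, and for 7045 on the targets. On the Windows XP/2003 hosts this worm originally targeted, the equivalent events were 529 (logon failure) and 601 (service install).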

Backdoor and/or Trojan Behavior
  • Terminates all processes that contain any of the following strings:
    • KV
    • KAV
    • Duba
    • NAV
    • kill
    • RavMon.exe
    • Rfw.exe
    • Gate
    • McAfee
    • Symantec
    • SkyNet
    • rising

  • Injects a thread into Explorer.exe or Taskmgr.exe. If the thread detects that the worm is not running or that its file has been deleted, it copies the worm back to disk and executes it again.
  • Creates a network share named Media that points to %WINDOWS%\Media.
    Note: %WINDOWS% refers to the Windows folder.
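
The artifacts in this analysis (dropped files, Run/RunServices values, the netservices.exe service and the Media share) are all checkable from one elevated PowerShell session. The script below is an added example and not part of Fortinet's analysis; the file, value, service and share names are those given on this page, while the variable names, output format and the decision to match the service against both its name and display name are this example's own assumptions.

```powershell
# Added example, not Fortinet's code: read-only sweep of one host for the
# W32/Lovgate.V@mm artifacts listed on this page. Nothing is removed; a hit is
# the cue to isolate the machine and run a full scan.
# Run from an elevated prompt; Get-SmbShare needs Windows 8 / Server 2012 or later.

$system  = [Environment]::SystemDirectory   # %SYSTEM%, e.g. C:\Windows\System32
$windows = $env:SystemRoot                  # %WINDOWS%, e.g. C:\Windows

# Copies of the worm, its helper DLLs, and the service binary it drops via admin$.
$droppedFiles  = @(Join-Path $windows 'Systra.exe')
$droppedFiles += 'Hxdef.exe', 'iexplore.exe', 'RAVMOND.exe', 'Kernel66.dll', 'WinHelp.exe',
                 'ODBC16.dll', 'Msjdbc11.dll', 'MSSIGN30.DLL', 'LMMIB20.DLL', 'netservices.exe' |
                 ForEach-Object { Join-Path $system $_ }

# Autostart values the worm writes (Autostart Mechanism section).
$autostart = @(
    @{ Key   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
       Names = 'Hardware Profile', 'Microsoft NetMeeting Associates, Inc.', 'Program in Windows',
               'Protected Storage', 'VFW Encoder/Decoder Settings', 'WinHelp' },
    @{ Key   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
       Names = @('SystemTra') }
)

$findings = New-Object System.Collections.Generic.List[string]

foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) { $findings.Add("file present: $path") }
}

foreach ($entry in $autostart) {
    # RunServices does not exist on modern Windows; skip keys that are absent.
    if (-not (Test-Path -LiteralPath $entry.Key)) { continue }
    $values = Get-ItemProperty -LiteralPath $entry.Key
    foreach ($name in $entry.Names) {
        $prop = $values.PSObject.Properties[$name]
        if ($prop) { $findings.Add("autostart value: $($entry.Key)\$name = $($prop.Value)") }
    }
}

# Service installed on hosts reached over admin$ (Network Propagation section).
# The page gives one name, so match it against both service name and display name.
$svcName = 'Microsoft NetWork FireWall Services'
Get-Service | Where-Object { $_.Name -eq $svcName -or $_.DisplayName -eq $svcName } |
    ForEach-Object { $findings.Add("service present: $($_.Name) [$($_.Status)]") }

# The Media share the worm exposes over %WINDOWS%\Media (Backdoor section).
$share = Get-SmbShare -Name 'Media' -ErrorAction SilentlyContinue
if ($share) { $findings.Add("share present: Media -> $($share.Path)") }

if ($findings.Count -eq 0) {
    'No W32/Lovgate.V@mm artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Two of the file names are deliberately misleading: the legitimate iexplore.exe lives under Program Files and the legitimate help viewer is winhlp32.exe in %WINDOWS%, so an iexplore.exe or WinHelp.exe inside the System folder is a meaningful signal on its own. The script does not cover the thread the worm injects into Explorer.exe or Taskmgr.exe; that needs a memory scan, which is one reason to follow any hit with a full AV scan rather than deleting files by hand.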

Recommended Action

    FortiGate systems:
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

Product                    Availability
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date        Version    Detail
2021-05-25  86.00433
2021-04-20  85.00593
2021-03-11  84.00638
2021-02-08  83.89200   Sig Added
2020-09-29  80.72800   Sig Updated
2020-09-22  80.56100   Sig Updated
2020-09-15  80.39200   Sig Updated
2020-09-08  80.22400   Sig Updated
2020-07-30  79.27200   Sig Updated
2020-07-26  79.17700   Sig Updated