W32/Lovgate.R@mm

Analysis


Specifics
This virus is 32-bit with a packed file size of 128,000 bytes. This virus contains code to reply to unread email messages in the MAPI Outlook inbox and send an infected attachment. The virus will also search the hard drive for email addresses and send a composed email message with an infected attachment to addresses found; the virus uses its own SMTP code to perform this function.

The virus can spread to other systems across a network LAN/WAN by using imports from MPR.DLL to enumerate machines connected to that network. The virus may then attempt to spread to shares on those potential target systems over NetBIOS.

The virus makes itself available to Kazaa patrons by copying itself into the shared folder location. Kazaa users who search for file names matching the names used by the virus are susceptible to downloading the virus.

The virus carries a password stealing Trojan which is extracted when the virus is run. The Trojan may send logon credentials to a hard-coded email address.


Loading At Windows Startup
If the virus is run, it will copy itself to the local system and then register the following values so that it runs automatically at the next Windows restart -

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run" = RAVMOND.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Hardware Profile" = "C:\WINNT\System32\hxdef.exe"
"Microsoft NetMeeting Associates, Inc." = "NetMeeting.exe"
"VFW Encoder/Decoder Settings" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Program In Windows" = "C:\WINNT\System32\IEXPLORE.EXE"
"Shell Extension" = "C:\WINNT\System32\spollsv.exe"
"Protected Storage" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
OptionalComponents\IMAIL
"Installed" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
OptionalComponents\MAPI
"NoChange" = "1"
"Installed" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
OptionalComponents\MSFS
"Installed" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"SystemTra"="C:\WINNT\SysTra.EXE"

The virus will create additional keys on Windows NT based systems to load the virus as a service at Windows startup -

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
"DisplayName" = _reg
"ErrorControl" = 01, 00, 00, 00
"ImagePath" = Rundll32.exe msjdbc11.dll ondll_server
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg\Security
"Security" = (hex values)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
"MEDIA" = (hex values)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)
"Description" = Windows Advanced Server. Performs scheduled scans for LANguard.
"DisplayName" = Windows Management Protocol v.0 (experimental)
"ErrorControl" = 01, 00, 00, 00
"ImagePath" = Rundll32.exe msjdbc11.dll ondll_server
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Windows Management Protocol v.0 (experimental)\Security
"Security" = (hex values)
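To hunt for the persistence entries listed above in a registry export (for example, one produced with reg export), here is an added Python example that is not part of this Fortinet description; the parser, the hunt_lovgate helper and the sample export are constructed for illustration, and the indicators are the value names, file names and service names given above.

```python
import re
# Indicators come from the W32/Lovgate.R@mm description; helper names and sample data are constructed.
AUTORUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
AUTORUN_VALUE_NAMES = {
    "Hardware Profile", "Microsoft NetMeeting Associates, Inc.", "Protected Storage",
    "VFW Encoder/Decoder Settings", "Program In Windows", "Shell Extension", "SystemTra",
}
SERVICE_NAMES = {"_reg", "Windows Management Protocol v.0 (experimental)"}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SUSPICIOUS_DATA = re.compile(r"RAVMOND\.exe|hxdef\.exe|NetMeeting\.exe|MSSIGN30\.DLL|spollsv\.exe|"
                             r"SysTra\.EXE|msjdbc11\.dll", re.IGNORECASE)  # files the virus writes

def parse_reg_export(text):
    """Yield (key, value_name, data) from a 'reg export' style dump; hex/dword data stays raw."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line.partition('"=')
            yield key, name[1:], data.strip('"')

def hunt_lovgate(reg_text):
    """Return (key, value_name, data, confidence) for each entry matching the indicators."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        data_hit = bool(SUSPICIOUS_DATA.search(data))
        if key in AUTORUN_KEYS and data_hit:
            hits.append((key, name, data, "strong"))
        elif key in AUTORUN_KEYS and name in AUTORUN_VALUE_NAMES:
            hits.append((key, name, data, "weak"))  # odd value name only; confirm the target file
        elif key.startswith(SERVICES_PREFIX):
            service = key[len(SERVICES_PREFIX):].split("\\")[0]
            if service in SERVICE_NAMES or data_hit:
                hits.append((key, name, data, "strong"))
    return hits

# Constructed sample export: one benign Run entry beside entries shaped like those listed above.
SAMPLE_REG_EXPORT = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Benign Updater"="C:\\Program Files\\Vendor\\updater.exe"
"Hardware Profile"="C:\\WINNT\\System32\\hxdef.exe"
"Shell Extension"="C:\\WINNT\\System32\\renamed.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg]
"ImagePath"="Rundll32.exe msjdbc11.dll ondll_server"
"""
```

A "weak" hit means only the unusual value name matched, so the file it points to should be checked before acting on it.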


Network Spread Capability
This virus can enumerate systems across a network LAN/WAN - systems found are targets for the virus. Using the existing NetBIOS framework, the virus will attempt to log on to systems using a table of possible passwords. The virus will try to access the systems via the IPC$ and Admin$ shares.


Email Auto-replies/Mass-mailing Capability
The virus will monitor incoming email and reply to each message with its own message and attach a copy of the virus. Emails may be sent in this format, as a reply to an original message in the MAPI Outlook inbox -

Subject: Re: <original subject>
Body:
====
<email domain name> auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE <email domain name> account now! <
Attachment: <infected file>

Password Stealing Component

The virus will extract an embedded DLL to the infected system - this DLL component contains instructions to send logon credentials to a hard-coded email address. The Trojan component may log into the email server SMTP.163.COM and send data to the address 'hello_zyx@163.com'. The Trojan component is identified as W32/Lovgate-dll.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block external to internal traffic using TCP ports 139 and 445

Telemetry

Detection Availability

FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR