W32/Lovgate.R@mm
Analysis
Specifics
This virus is 32-bit with a packed file size of 128,000
bytes. This virus contains code to reply to unread email
messages in the MAPI Outlook inbox and send an infected
attachment. The virus will also search the hard drive
for email addresses and send a composed email message
with an infected attachment to addresses found; the
virus uses its own SMTP code to perform this function.
The virus can spread to other systems across a network LAN/WAN by using imports from MPR.DLL to enumerate machines connected to that network. The virus may then attempt to spread to shares on those target systems using NetBIOS.
The virus makes itself available to Kazaa users by copying itself into the Kazaa shared folder. Kazaa users who search for file names matching the names used by the virus are susceptible to downloading it.
The virus carries a password stealing Trojan which is extracted when the virus is run. The Trojan may send logon credentials to a hard-coded email address.
Loading At Windows Startup
If the virus is run, it will copy itself to the local system
and then register itself to run automatically at the next
Windows restart -
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run" = RAVMOND.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Hardware Profile" = "C:\WINNT\System32\hxdef.exe"
"Microsoft NetMeeting Associates, Inc." = "NetMeeting.exe"
"VFW Encoder/Decoder Settings" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Program In Windows" = "C:\WINNT\System32\IEXPLORE.EXE"
"Shell Extension" = "C:\WINNT\System32\spollsv.exe"
"Protected Storage" = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
"Installed" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
"NoChange" = "1"
"Installed" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
"Installed" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"SystemTra"="C:\WINNT\SysTra.EXE"
On Windows NT-based systems the virus also creates the following keys, which load the virus as a service at Windows startup -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
"DisplayName" = _reg
"ErrorControl" = 01, 00, 00, 00
"ImagePath" = Rundll32.exe msjdbc11.dll ondll_server
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg\Security
"Security" = (hex values)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
"MEDIA" = (hex values)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)
"Description" = Windows Advanced Server. Performs scheduled scans for LANguard.
"DisplayName" = Windows Management Protocol v.0 (experimental)
"ErrorControl" = 01, 00, 00, 00
"ImagePath" = Rundll32.exe msjdbc11.dll ondll_server
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)\Security
"Security" = (hex values)
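The autostart entries above are the most direct host-side indicator of this worm. The following script is an added example (not Fortinet tooling or part of this analysis) that checks an offline registry export for them: it assumes an analyst has run `reg export` on HKCU and on the HKLM SOFTWARE and SYSTEM hives and passes the resulting .reg text to `check_reg_export()`. The indicator table is taken from the listing above; `SAMPLE_REG` is a constructed export that mixes one benign value (`ExampleUpdater`, an assumption) with several of the listed values, and the `.reg` parser only handles string, dword and hex tokens as written by `reg export`.

```python
"""Offline check of a Windows registry export for the W32/Lovgate.R@mm
autostart entries listed on this page.  Added example, not Fortinet tooling.
Assumes the .reg text comes from `reg export`; SAMPLE_REG is constructed."""
import re

# (key path suffix, value name, substring expected in the data), all taken
# from the registry listing above; matching is case-insensitive.
LOVGATE_INDICATORS = [
    (r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", "RAVMOND.exe"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Hardware Profile", "hxdef.exe"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft NetMeeting Associates, Inc.", "NetMeeting.exe"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VFW Encoder/Decoder Settings", "MSSIGN30.DLL"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Program In Windows", "IEXPLORE.EXE"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Shell Extension", "spollsv.exe"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Protected Storage", "MSSIGN30.DLL"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "SystemTra", "SysTra.EXE"),
    (r"SYSTEM\CurrentControlSet\Services\_reg", "ImagePath", "msjdbc11.dll"),
    (r"SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)", "ImagePath", "msjdbc11.dll"),
]

# A .reg value line: "name"=data  or  @=data  (default value)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.  REG_SZ data is
    unescaped to a plain string; dword:/hex: data is kept as the raw token."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def check_reg_export(text):
    """Return [(key, value_name, data)] for every value matching an indicator."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            for suffix, ind_name, needle in LOVGATE_INDICATORS:
                if (key.lower().endswith(suffix.lower())
                        and name.lower() == ind_name.lower()
                        and needle.lower() in data.lower()):
                    findings.append((key, name, data))
    return findings


# Constructed sample export: one benign Run value plus five of the page's IOCs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"=""
"Run"="RAVMOND.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Hardware Profile"="C:\\WINNT\\System32\\hxdef.exe"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINNT\\SysTra.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg]
"DisplayName"="_reg"
"ImagePath"="Rundll32.exe msjdbc11.dll ondll_server"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010
"""

if __name__ == "__main__":
    import sys
    # `reg export` writes UTF-16 with a BOM; fall back to the constructed sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for hit in check_reg_export(text):
        print(hit)
```

Matching on key suffix rather than the full path keeps the check valid for the WOW6432Node and per-user hives, and requiring both the value name and a data substring avoids flagging a legitimate `Protected Storage` service entry that happens to share a name.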
Network Spread Capability
This virus can enumerate systems across a network LAN/WAN
- systems found are targets for the virus. Using the
existing NetBIOS framework, the virus will attempt to
log on to systems using a table of possible passwords.
The virus will try to access the systems via the IPC$
and Admin$ shares.
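Trying a table of passwords against IPC$ and Admin$ produces a burst of failed network logons (Windows Security event 4625, logon type 3) from one source against several accounts. The following is an added example of that detection logic, not part of this analysis or Fortinet tooling: events are a simplified dict view of the 4625 fields, `SAMPLE_EVENTS` is constructed, and the window and threshold values are assumptions to tune per environment.

```python
"""Flag sources performing password guessing over network logons, the
behaviour described above for the worm's IPC$/Admin$ spread.  Added example,
not Fortinet tooling.  Events are a simplified dict view of Windows Security
event 4625 (failed logon) fields; SAMPLE_EVENTS is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # logon type recorded for SMB/NetBIOS share access


def _constructed_events():
    """One source cycling through four accounts every 5 s (8 failures in 35 s),
    one user who mistyped a password once, and one successful 4624."""
    events = []
    users = ["Administrator", "admin", "guest", "root"]
    for i in range(8):
        events.append({"time": f"2004-03-02T10:00:{5 * i:02d}", "id": 4625,
                       "logon_type": NETWORK_LOGON, "src": "192.0.2.77",
                       "user": users[i % 4]})
    events.append({"time": "2004-03-02T10:01:10", "id": 4625, "logon_type": NETWORK_LOGON,
                   "src": "198.51.100.5", "user": "jdoe"})
    events.append({"time": "2004-03-02T10:01:15", "id": 4624, "logon_type": NETWORK_LOGON,
                   "src": "198.51.100.5", "user": "jdoe"})
    return events


SAMPLE_EVENTS = _constructed_events()


def find_guessing_sources(events, window_s=60, threshold=5):
    """Return {src: {"failures": n, "accounts": k}} for every source with at
    least `threshold` failed network logons inside a sliding window of
    `window_s` seconds.  `accounts` counts distinct target user names, which
    separates a password table tried across accounts from one stuck client
    retrying a single stale credential."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == NETWORK_LOGON:
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until it spans <= window_s
            while attempts[end][0] - attempts[start][0] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {"failures": len(attempts),
                                "accounts": len({u for _, u in attempts})}
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_guessing_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failures across {info['accounts']} accounts")
```

A single source hitting several accounts in a short window is the shape to alert on; the Recommended Action below (blocking inbound TCP 139 and 445 at the perimeter) removes the path entirely for external sources, and this check is what remains useful for internal ones.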
Email Auto-replies/Mass-mailing Capability
The virus will monitor incoming email and reply to each
message with its own message and attach a copy of the
virus. Emails may be sent in this format, as a reply
to an original message in the MAPI Outlook inbox -
Subject: Re: <original subject>
Body:
====
<email domain name> auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more
look to the attachment.
> Get your FREE <email domain name> account now! <
Attachment: <infected file>
Password Stealing Component
The virus will extract an embedded DLL to the infected
system - this DLL component contains instructions to
send logon credentials to a hard-coded email address.
The Trojan component may log into the email server SMTP.163.COM
and send data to the address 'hello_zyx@163.com'. The
Trojan component is identified as W32/Lovgate-dll.
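Both email behaviours described above (the poem-bearing auto-reply with an infected attachment, and the Trojan's mail to the hard-coded 163.com address) can be caught at a mail gateway with simple content rules. The following is an added example of such triage, not Fortinet tooling or part of this analysis: messages are simplified dicts, `SAMPLE_MESSAGES` is constructed, the recipient address is the one named above, and the executable extension list and the "two or more marker phrases" rule are assumptions.

```python
"""Mail-gateway triage for the two email behaviours described on this page:
the worm's auto-reply carrying an executable attachment, and the Trojan's
credential mail to the hard-coded address.  Added example, not Fortinet
tooling.  Messages are simplified dicts; SAMPLE_MESSAGES is constructed."""
import re

EXFIL_RECIPIENT = "hello_zyx@163.com"  # hard-coded address named on this page
# Extensions treated as executable attachments (assumption, extend as needed).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Phrases from the auto-reply body shown above; two or more must be present
# so that a legitimate quotation of the poem alone does not trigger the rule.
AUTOREPLY_MARKERS = ("auto-reply:", "if you can keep your head",
                     "look to the attachment", "get your free")


def classify_message(msg):
    """Return the list of rule tags that apply to one message (empty if none)."""
    tags = []
    subject = msg.get("subject", "")
    body = msg.get("body", "").lower()
    attachments = [a.lower() for a in msg.get("attachments", [])]
    markers = sum(m in body for m in AUTOREPLY_MARKERS)
    if (re.match(r"^\s*re:", subject, re.IGNORECASE)
            and markers >= 2
            and any(a.endswith(EXECUTABLE_EXT) for a in attachments)):
        tags.append("lovgate-autoreply")
    if any(r.lower() == EXFIL_RECIPIENT for r in msg.get("to", [])):
        tags.append("lovgate-exfil-recipient")
    return tags


def triage(messages):
    """Return {message id: tags} for messages that hit at least one rule."""
    result = {}
    for msg in messages:
        tags = classify_message(msg)
        if tags:
            result[msg["id"]] = tags
    return result


# Constructed samples: a worm auto-reply, a benign reply, and a credential mail.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "victim@example.com", "to": ["colleague@example.org"],
     "subject": "Re: Q1 budget",
     "body": "example.com auto-reply:\nIf you can keep your head when all about you\n"
             "... ... more\nlook to the attachment.",
     "attachments": ["budget.exe"]},
    {"id": "m2", "from": "colleague@example.org", "to": ["victim@example.com"],
     "subject": "Re: Q1 budget", "body": "Thanks, figures attached.",
     "attachments": ["budget.pdf"]},
    {"id": "m3", "from": "victim@example.com", "to": ["hello_zyx@163.com"],
     "subject": "user info", "body": "(captured logon data)", "attachments": []},
]

if __name__ == "__main__":
    for msg_id, tags in triage(SAMPLE_MESSAGES).items():
        print(msg_id, tags)
```

The auto-reply rule deliberately requires the attachment as well as the text, since the worm's outbound copies are what carry the infection; the recipient rule is a plain block on the exfiltration address, which is also a useful outbound SMTP log search for hosts that have already run the Trojan.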
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, block external to internal traffic using TCP ports 139 and 445
Detection Availability
Product | Detection Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |