LovGate worm opens backdoor, hits network shares

Variants of the LovGate worm are starting to spread.

A new Internet pest is packing quite a double punch, as it's both a mass-mailing worm and a backdoor program.

LovGate-C employs a unique twist of social engineering to entice mail recipients to open infected messages. It can also spread via network file shares and opens a system back door so attackers can gain control of infected computers.

As of Monday morning, LovGate-C was coming on strong in Taiwan, Australia, France and Japan, according to Tokyo-based antivirus software vendor Trend Micro Inc. LovGate-C is the third variant of the worm but the first to make much progress, said Mikko Hypponen, manager of antivirus research for F-Secure of Finland.

It appears the writer has been trying out different variations. The first two variants, which appeared last week, didn't spread much. LovGate-C appeared around 1 a.m. EST Monday. A fourth variant surfaced around 8 a.m. EST Monday, Hypponen said.

As of 10 a.m. EST today, e-mail scanning outsourcer MessageLabs had intercepted 2,855 copies of LovGate-C, making it the fifth most prevalent worm in the preceding 24 hours, according to the company's records.

After infecting a system, LovGate-C replies to all messages in the user's Microsoft Outlook inbox. It fashions the messages so they appear to be auto-replies. In many cases, the messages would look pretty strange because the body text is set up to appear as if it comes from an e-mail service like MSN, AOL or Yahoo, said Chris Wraight, technology consultant at antivirus vendor Sophos.

So the message would look like this, if the message in the inbox is from a Yahoo mail account:

YAHOO.COM Mail auto-reply:

' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '

Get your FREE YAHOO.COM Mail now

Unlike other worms that use the mail servers of infected users to spread, LovGate-C actually spreads using an open e-mail relay in China that is popular with spammers, Hypponen said. The spread of the worm would be greatly curtailed if the server's operators shut it down. Requests to them to do so have been fruitless, he said.

LovGate-C also spreads via network shares, dropping itself into shared folders. It uses one of the following file names:

fun.exe
humor.exe
docs.exe
s3msong.exe
midsong.exe
billgt.exe
Card.EXE
SETUP.EXE
searchURL.exe
tamagotxi.exe
hamster.exe
news_doc.exe
PsPGame.exe
joke.exe
images.exe
pics.exe

Besides spreading itself, the worm also drops a backdoor program that opens up port 10168. The worm writers or other attackers can gain user-level control of the system by using the back door. Yet this probably wouldn't affect users who are behind a firewall, Hypponen said.

Preventing infection is not difficult. Blocking executables would prevent infection from e-mail messages. Making sure network shares are protected is also critical. Companies can also screen for the specific file names it uses. Being a careful e-mail reader is also a good defense. The author of LovGate-C made a classic worm-writer error. The message accompanying the worm has a telltale grammatical error ("a look to the attachment"), Wraight said.
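The screening controls this paragraph describes (flagging the worm's file names on shares, catching the fake auto-reply lure when it arrives with an executable attachment, and spotting a listener on the backdoor port) can be expressed as simple checks. The following Python is an added example written for this page; it is not code from the article, Sophos, F-Secure or Trend Micro. The file names, the "Mail auto-reply" lure text and port 10168 come from the article; the share listing, the two mail messages and the netstat-style lines are constructed sample input, and the assumption that a port listing looks like Windows `netstat -an` output (`TCP  0.0.0.0:10168  0.0.0.0:0  LISTENING`) is mine.

```python
"""Added example (not from the article): defender-side checks for the
LovGate-C indicators the article names."""
import re
from email import message_from_string

# File names the article says LovGate-C drops into network shares.
# Note: SETUP.EXE is a common legitimate name, so a hit on it is a
# candidate for hash or signature verification, not proof of infection.
LOVGATE_SHARE_NAMES = {
    "fun.exe", "humor.exe", "docs.exe", "s3msong.exe", "midsong.exe",
    "billgt.exe", "card.exe", "setup.exe", "searchurl.exe", "tamagotxi.exe",
    "hamster.exe", "news_doc.exe", "pspgame.exe", "joke.exe", "images.exe",
    "pics.exe",
}
BACKDOOR_PORT = 10168  # port the article says the dropped backdoor opens

# Lure text from the article's sample message (fake "Mail auto-reply").
LURE_PATTERNS = [
    re.compile(r"^\s*\S+ Mail auto-reply:", re.IGNORECASE | re.MULTILINE),
    re.compile(r"take a look to the attachment", re.IGNORECASE),
]
EXE_ATTACHMENT_RE = re.compile(r"\.(exe|scr|pif|com|bat)$", re.IGNORECASE)


def screen_share_listing(paths):
    """Return the paths whose file name (case-insensitive) is one the worm uses."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in LOVGATE_SHARE_NAMES:
            hits.append(path)
    return hits


def flag_lovgate_mail(raw_message):
    """True if a message has an executable attachment AND the LovGate lure text."""
    msg = message_from_string(raw_message)
    has_exe = False
    body_parts = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and EXE_ATTACHMENT_RE.search(filename):
            has_exe = True
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(body_parts)
    return has_exe and any(p.search(body) for p in LURE_PATTERNS)


def listening_on_backdoor_port(netstat_lines):
    """True if a netstat -an style listing shows a TCP listener on port 10168."""
    for line in netstat_lines:
        fields = line.split()
        if (len(fields) >= 4 and fields[0].upper() == "TCP"
                and fields[1].endswith(":%d" % BACKDOOR_PORT)
                and fields[3].upper() == "LISTENING"):
            return True
    return False


# --- constructed sample input -------------------------------------------
SAMPLE_SHARE = [
    r"\\fileserver\public\Card.EXE",
    r"\\fileserver\public\report.docx",
    r"\\fileserver\public\tools\setup.exe",
    r"\\fileserver\public\fun.txt",
]

SAMPLE_LOVGATE_MAIL = """\
From: someone@yahoo.com
To: victim@example.com
Subject: Re: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

YAHOO.COM Mail auto-reply:

' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '

Get your FREE YAHOO.COM Mail now
--XYZ
Content-Type: application/octet-stream; name="joke.exe"
Content-Disposition: attachment; filename="joke.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--XYZ--
"""

SAMPLE_BENIGN_MAIL = """\
From: colleague@example.com
To: victim@example.com
Subject: Q1 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Hi, the figures are attached.
--ABC
Content-Type: application/pdf; name="q1.pdf"
Content-Disposition: attachment; filename="q1.pdf"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--ABC--
"""

SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1045       10.0.0.1:80            ESTABLISHED",
]

if __name__ == "__main__":
    print("share hits:", screen_share_listing(SAMPLE_SHARE))
    print("lovgate mail flagged:", flag_lovgate_mail(SAMPLE_LOVGATE_MAIL))
    print("benign mail flagged:", flag_lovgate_mail(SAMPLE_BENIGN_MAIL))
    print("backdoor listener:", listening_on_backdoor_port(SAMPLE_NETSTAT))
```

The mail check deliberately requires both the executable attachment and the lure text, which makes it a LovGate-specific rule; the broader control the article recommends, blocking executable attachments outright, is the `has_exe` condition on its own. A file-name hit on a share is a trigger for pulling the file and checking it against vendor signatures, since several of the names are ordinary enough to appear legitimately.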


FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "Worms off to a fast start in 2003"

SearchSecurity.com technical tip: "Ethical worms: A bad idea"

Best Web Links on malicious code
