A new Internet pest is packing quite a double punch, as it's both a mass-mailing worm and a backdoor program.
LovGate-C employs a unique twist of social engineering to entice mail recipients to open infected messages. It can also spread via network file shares and opens a system back door so attackers can gain control of infected computers.
As of Monday morning, LovGate-C was coming on strong in Taiwan, Australia, France and Japan, according to Tokyo-based antivirus software vendor Trend Micro Inc. LovGate-C is the third variant of the worm but the first to make much progress, said Mikko Hypponen, manager of antivirus research for F-Secure of Finland.
It appears the writer has been trying out different variations. The first two variants, which appeared last week, didn't spread much. LovGate-C appeared around 1 a.m. EST Monday. A fourth variant surfaced around 8 a.m. EST Monday, Hypponen said.
As of 10 a.m. EST today, e-mail scanning outsourcer MessageLabs had intercepted 2,855 copies of LovGate-C, making it the fifth most prevalent worm in the preceding 24 hours, according to the company's records.
After infecting a system, LovGate-C replies to all messages in the user's Microsoft Outlook inbox. It fashions the messages so they appear to be auto-replies. In many cases, the messages would look pretty strange because the body text is set up to appear as if it comes from an e-mail service like MSN, AOL or Yahoo, said Chris Wraight, technology consultant at antivirus vendor Sophos.
So the message would look like this, if the message in the inbox is from a Yahoo mail account:
YAHOO.COM Mail auto-reply:
' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '
Get your FREE YAHOO.COM Mail now
Unlike other worms that use the mail servers of infected users to spread, LovGate-C actually spreads using an open e-mail relay in China that is popular with spammers, Hypponen said. The spread of the worm would be greatly curtailed if the server's operators shut it down. Requests to them to do so have been fruitless, he said.
LovGate-C also spreads via network shares, dropping itself into shared folders. It uses one of the following file names:
Besides spreading itself, the worm also drops a backdoor program that opens up port 10168. The worm writers or other attackers can gain user-level control of the system by using the back door. Yet this probably wouldn't affect users who are behind a firewall, Hypponen said.
Preventing infection is not difficult. Blocking executables would prevent infection from e-mail messages. Making sure network shares are protected is also critical. Companies can also screen for the specific file names it uses. Being a careful e-mail reader is also a good defense. The author of LovGate-C made a classic worm-writer error. The message accompanying the worm has a telltale grammatical error ("a look to the attachment"), Wraight said.
FOR MORE INFORMATION:
SearchSecurity.com news exclusive: "Worms off to a fast start in 2003"
- FEEDBACK: Is your company blocking executables and filtering content?
Send your thoughts to News Writer Edward Hurley.