Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Lovgate.C

 
Threat LevelHigh threatDamageSevereDistributionNot widespread

Effects 

Lovgate.C has the following effects:

  • It creates a large number of copies of itself in the shared network directories and subdirectories. These files can be run by users of other computers connected to the same network as the infected computer. By doing this, these computers will also be infected.
  • If the affected computer is connected to a network, it tries to gain access to the rest of the computers in the same network in order to copy a file containing the virus code to these computers.
  • It opens a TCP port (usually 10168), leaving the affected computer vulnerable to possible remote attacks.
  • It sends confidential information from the infected computer to the virus author. To be more precise, it sends the following information to the address hacker117@163.com: machine name, user name and IP address. This e-mail contains the following text: My I-WORM-and-IPC-20168 running!

Infection strategy 

Lovgate.C creates the following files:

  • A large number of copies of itself in the shared network directories and subdirectories. These files have random names. Some of these are:
    fun.exe, humor.exe, docs.exe, s3msong.exe, midsong.exe, billgt.exe, Card.EXE, SETUP.EXE, searchURL.exe, tamagotxi.exe, hamster.exe, news_doc.exe, PsPGame.exe, joke.exe, images.exe and pics.exe.
  • SYSHELP.EXE, RPCSRV.EXE, WINRPC.EXE, WINRPCSRV.EXE and WINGATE.EXE in the Windows system directory, which are also copies of the worm.
  • ILY.DLL, TASK.DLL, REG.DLL and 1.DLL, in the Windows sytem directory. When these files are run, they act as Trojans.

Lovgate.C modifies the following file:

  • WIN.INI. By doing this, it ensures that a copy of the worm, or to be exact the RPCSRV.EXE file, will be run every time the affected computer is started.

Lovgate.C creates the following keys in the Windows Registry in order to ensure that it is run when Windows is started:

  • HKLM\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    Module Call initialize RUNDLL32.EXE reg.dll ondll_reg
  • HKLM\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    syshelp \%sysdir%\ syshelp.exe
  • HKLM\Software\ Microsoft\ Windows\ CurrentVersion\ Run
    Wingate initialize \%sysdir%\ Wingate.exe -remoteshell
    (where %sysdir% is the Windows sytem directory).

The worm also changes the following entry in the Windows Registry:

  • HKLM\ Software\ Classes\ txtfile\ shell\ open\ command\
    C:\WINDOWS\NOTEPAD.EXE %1
    It changes the value C:\WINDOWS\NOTEPAD.EXE %1 to winrpc.exe %1
    By modifying this key, it ensures that it is run every time a file, with a TXT extension is opened.

The Trojan component of Lovgate.C can activate in three different ways:

  • As part of the worm. The worm includes a Trojan component that opens a communications port.
  • As a separate file (the files with a DLL extension that the worm creates in the Windows system directory). The worm creates these files that act as Trojans when they activate.
  • In NT machines, the worm creates a process called LSASS.EXE, which acts as a Trojan.

Means of transmission 

Lovgate.C spreads through e-mail and shared network drives.

Propagation through shared network drives

Lovgate.C follows the infection routine below:

  • It creates copies of itself in shared network directories and subdirectories in the network. Even if these directories are password-protected, Lovgate.C tries to access them. It does this by entering the following commonly-used passwords:
    123, 321, 123456, 654321, guest, administrator, admin, 111111, 666666, 888888, abc, abcdef, abcdefg, 12345678 and abc123.
  • If it is validated, the virus tries to access the Windows system directory, where it creates a file called ;STG.EXE, which is copy of virus.
  • Then, Lovgate.C activates and passes itself off as the Microsoft NetWork Service FireWall program.

Propagation via e-mail

Lovgate.C sends out a large number of e-mail messages contining infected attachments. It sends these out through MAPI, using its own mail server SMTP.163.COM instead the infected user's ;server.

Lovgate.C sends the following messages:

It obtains the messages in the Inbox and notes the address and domain of each message. Then, little by little, it replies to each one with the following message:

  • Subject:
    YAHOO.COM Mail auto-reply:
  • Message:
    I'll try to reply as soon as possible.
    Take a look to the attachment and send me your opinion!
  • Attachments: One of the following:

    BILLGT.EXE, CARD.EXE, DOCS.EXE, FUN.EXE, HAMSTER.EXE, HUMOR.EXE, IMAGES.EXE, JOKE.EXE, MIDSONG.EXE, NEWS_DOC.EXE, PICS.EXE, PSPGAME.EXE, S3MSONG.EXE, SEARCHURL.EXE, SETUP.EXE or TAMAGOTXI.EXE

  • Lovgate.C looks for files with an extension that starts with HT in the directory in which the worm has been run, the Windows directory and the list of directories in the following entry in the Windows Registry:

    HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Shell Folders\ Personal
    Then, it looks for e-mail address in the files that it finds. Finally, it sends an e-mail message containing an infected file to the addresses it finds.

In order to see the characteristics of the ten e-mail messages that Lovgate.C sends out, click here.

Further Details  

Lovgate.C is written in the programming language C++. The file that carries out the infection is 78.848 bytes in size and compressed with Aspack.