**Heads-Up** Lovegate-Ixas-Tang

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743

    **Heads-Up** Lovegate-Ixas-Tang

    Hi Guys,

    Here are today's newest fast spreaders..

    more details via links provided..

    Cheers

    first found Here at Symantec

    W32.HLLW.Tang@mm is a mass mailing worm that attempts to disguise itself as a file, which Windows does not recognize. The worm uses the icon of an unregistered file type to perform this.

    W32.HLLW.Tang@mm emails itself to all the contacts in the Windows Address Book. It also attempts to spread itself through the file-sharing networks, IRC, Microsoft Word Documents, Microsoft Excel Spreadsheets and across mapped drives.

    The worm is written in Microsoft Visual Basic (VB) and is compressed with UPX. The VB run-time libraries must be installed for the worm to be executed.


    Also Known As: W32/Gant@MM [McAfee], I-Worm.Tanger [KAV]
    Type: Virus, Worm
    Infection Length: 21,504 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
    second found Also at Symantec

    W32.Ixas@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all the contacts in Windows Address Book.

    The email has the following characteristics:

    From: <random letters>@delfi.lt
    Subject: The subject can be one of the following,

    Gift for you
    Urgent NEWs
    EBAY Update
    Antivirus Update
    Urgent Windows UPDATE
    Hi, look this attcahment
    Hello, please wisit this nice site
    Attachment: Attachment has a random file name.

    The worm also sends itself to the email addresses it finds from the incoming emails. The email it creates for this set of email addresses has the following characteristics:

    Subject: Re:
    Attachment: Attachment has a random file name.
    Message:
    I reply as soon as possible to your email
    You wrote:----------

    Several variants of this threat have been found. All the variants are written in the Microsoft C++ programming language. ASPack packs some of the variants.


    Also Known As: WORM_IXAS.A [Trend], W32/Ixas@MM [McAfee], W32/GvoWFI.A@mm [F-Prot]
    Type: Worm
    Infection Length: 112,128 bytes, 114,688 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux
    and third..

    Also from Symantec

    W32.HLLW.Lovgate@mm is a mass mailing worm that attempts to email itself to all the email addresses that it finds in the files with the file extension that starts with "ht" (for example, all the .htm or .hta files). The subject and attachment of the incoming email will be chosen from a predetermined list.

    W32.HLLW.Lovgate@mm also attempts to copy itself to all the computers on a local network, and then infect these computers. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 10168.

    If the infected computer is running Windows NT, 2000, or XP, the worm will attempt to disguise itself as the normal Windows process, "LSASS.EXE."

    W32.HLLW.Lovgate@mm is written in the C++ programming language and is compressed with ASPack.




    Type: Worm
    Infection Length: 77,312 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
    When dealing with "Network Aware" Worms/Virii these little buggers can, and do, download updates of themselves as well as spread both over the LAN and internet.. Once found on a system that is a part of a network first disconnect it from the network and carefully remove the infection.. DON'T TRUST ANY VIRUS REMOVAL TOOLS 100%.. Use your knowledge of the system to spot "inconsistent" file names and types (a bit hard if you work with different O/s and system configs)..

    Don't expect the AV companies' description of the virus and its files and registry keys to be 100% consistent with what you find..

    NEVER Share the Root (C:\) of the HDD Only the Folders that are needed and certainly never "Windows" and "Program Files"... I have seen comments that Netbios be disabled completely, and all file sharing via FTP..
    Oh and "Reasonable password" placed on access for the file shares..

    Why do I say all this.. yep I got caught today.. strange network and a triple infection.. QAZ, Funlove and Opasrv.i/k/n (yes 3 versions.. n gave me trouble)

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

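Added example, not part of the original thread or of Symantec's write-up: a mail-triage check built from the W32.Ixas@mm message traits quoted in post #1. The two-trait threshold, the function names and all sample messages are assumptions made for this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
import re

# Subject lines from the W32.Ixas@mm description above (misspellings are the worm's own).
IXAS_SUBJECTS = {
    "gift for you", "urgent news", "ebay update", "antivirus update",
    "urgent windows update", "hi, look this attcahment",
    "hello, please wisit this nice site",
}
REPLY_TEXT = "i reply as soon as possible to your email"

def ixas_indicators(raw):
    """Return which traits from the write-up a raw RFC 5322 message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if re.fullmatch(r"[a-z]+@delfi\.lt", sender):
        hits.append("sender")        # letters-only local part at delfi.lt
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in IXAS_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if subject == "re:" and REPLY_TEXT in text:
        hits.append("reply-lure")    # second mail form: the fake auto-reply
    if any(part.get_filename() for part in msg.walk()):
        hits.append("attachment")
    return hits

def is_suspect(raw, threshold=2):
    # Assumed threshold: one trait alone (a real delfi.lt user) is too weak.
    return len(ixas_indicators(raw)) >= threshold

def sample(sender, subject, body, attachment=None):
    """Build a constructed test message; none of these are captured samples."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

MASS_MAIL = sample("qwzrtk@delfi.lt", "EBAY Update", "see file", "xkqpd.dat")
AUTO_REPLY = sample("colleague@example.org", "Re:",
    "I reply as soon as possible to your email\nYou wrote:----------", "mvbnz.dat")
BENIGN = sample("jonas@delfi.lt", "Lunch on Friday?", "12:30 works for me")
```
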
  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743

    Update

    There is an update for lovgate.. found Here


    W32.HLLW.Lovgate.B@mm is a mass mailing worm and a variant of W32.HLLW.Lovgate@mm. W32.HLLW.Lovgate.B@mm drops a password-stealing Trojan. The outgoing email contains an attachment with a .exe file extension.



    Also Known As: W32/Lovgate.worm [McAfee], WORM_LOVGATE.A [Trend], I-Worm.Supnot [KAV]
    Type: Worm
    Infection Length: 84,992 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Location
    Texas!
    Posts
    270
    Thanks for the info!
    DISLEX

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    OK Guys,

    This one is getting a little more widespread..
    Now with a C version.. and upgraded threat assessment

    W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor functionalities.

    To spread itself, the worm attempts to reply to incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook. W32.HLLW.Lovgate.C@mm does this in an effort to emulate the auto-reply function of the email client, as well as to lure those who sent the original messages to the infected computer into opening the returned messages.

    There are no major functionality differences between this variant and W32.HLLW.Lovgate@mm. This particular variant appears to have been recompiled with a different compiler, and then packed with the same run-time compression utility as W32.HLLW.Lovgate@mm.

    NOTE: Definitions dated February 23, 2003 detect this threat as W32.HLLW.Lovgate@mm. Definitions dated February 24, 2003 or later will detect this threat as W32.HLLW.Lovgate.C@mm.
    Check here for info..Symantec

    So be prepared..

    Also check this thread Here

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    This Info posted from Symantec

    W32.HLLW.Lovgate.D@mm is a variant of W32.HLLW.Lovgate@mm. This mass-mailing worm attempts to email itself to all the email addresses that it finds in the files with file extensions beginning with "ht" (for example, .htm and .hta).

    The subject and attachment of the incoming email are chosen from a predetermined list. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on TCP port 10,168.

    W32.HLLW.Lovgate.D@mm worm can also spread across the network shares. If the infected computer runs Windows NT, 2000, or XP, the worm attempts to disguise itself as the normal Windows process, Lsass.exe.

    This threat is written in the Microsoft C++ programming language and is compressed with ASPack.



    Also Known As: I-Worm.Supnot.d [KAV], WORM_LOVGATE.D [Trend]
    Type: Worm
    Infection Length: 41,984 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux
    Fortunately, this variant isn't so prevalent in the wild...

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

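Added example, not part of the original thread: a host-triage helper for the two Lovgate traits quoted above, the backdoor listening on TCP port 10168 and the process posing as lsass.exe. It parses saved `netstat -ano` and `tasklist /fo csv /nh` output; the sample output is constructed, and treating more than one lsass.exe as anomalous is a heuristic assumed for this example.

```python
import csv
import io

LOVGATE_PORT = 10168  # default backdoor port given in the write-up

def listeners_on(netstat_text, port=LOVGATE_PORT):
    """Return [(local_address, pid)] for TCP sockets LISTENING on `port`."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            # rsplit copes with both 0.0.0.0:10168 and [::]:10168
            if f[1].rsplit(":", 1)[-1] == str(port):
                found.append((f[1], int(f[4])))
    return found

def process_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(io.StringIO(tasklist_csv.strip()))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def triage(netstat_text, tasklist_csv):
    """Return human-readable findings; an empty list means neither trait was seen."""
    names = process_names(tasklist_csv)
    findings = []
    for addr, pid in listeners_on(netstat_text):
        findings.append(f"listener {addr} pid {pid} ({names.get(pid, 'unknown')})")
    lsass = sorted(p for p, n in names.items() if n.lower() == "lsass.exe")
    if len(lsass) > 1:  # assumed heuristic: a healthy host runs a single lsass.exe
        findings.append(f"multiple lsass.exe processes: {lsass}")
    return findings

# Constructed sample output, not taken from an infected machine.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING       1912
  TCP    192.168.1.20:1045      192.168.1.5:10168      ESTABLISHED     1500
"""
TASKLIST = '''\
"System","4","Services","0","236 K"
"lsass.exe","680","Services","0","5,432 K"
"lsass.exe","1912","Console","0","3,104 K"
'''
```
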
  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743

    Lovegate update

    Ok Lovegate has a new variant..

    Check Here for the info on the latest from Symantec (Norton)

    Sophos has it named differently here

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
