May 15th, 2003, 02:52 PM
#1
LOVEGATE_J on the rise
This isn't a new virus but it does have a nasty back door capability. I think it's worth posting a "heads up" for that reason alone.
Trend Micro has moved its threat level up to medium. They offer a free scanner to remove it. Also, this post has manual removal instructions below.
--Hope this helps out
This is from the TrendMicro site:
Virus type: File Infector
Destructive: No
Aliases: WORM_LOVGATE.J
Overall risk rating: Medium
--------------------------------------------------------------------------------
Reported infections: Medium
Damage Potential: High
Distribution Potential: High
--------------------------------------------------------------------------------
Description:
This file-infecting virus propagates via shared network drives and via email.
To spread through network shares, it searches for shared folders with read/write access in the same network and drops copies of itself into these folders using the following file names:
100 free essays school.pif
Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mafia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe
It propagates via email by replying to all new messages received in Microsoft Outlook and Outlook Express. It sends out email with the following format:
From: <Infected User’s Name>
To: <Original Sender>
Subject: RE: <Original Subject>
Message Body:
'''<Infected User’s Name>' wrote:
====
><Original Body> >
====
YAHOO.COM Mail auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE <Original Sender’s SMTP account> account now! <
Attachment: (Randomly selected from any of the following)
I am For u.doc.exe
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif
This malware also gathers target email addresses from HTML files that it finds in the current and Windows folders and a specific registry key, and sends an email message with itself as attachment to all the said email addresses. The email message that it sends is randomly generated using any of the following subjects, message bodies and attachments:
Subjects: (any of these)
• Reply to this!
• Let's Laugh
• Last Update
• for you
• Great
• Help
• Attached one Gift for u..
• Hi
• Hi Dear
Message Body: (any of these)
• For further assistance, please contact!
• Copy of your message, including all the headers is attached.
• This is the last cumulative update.
• Tiger Woods had two eagles Friday during his victory over
Stephen Leaney. (AP Photo/Denis Poroy)
• Send reply if you want to be official beta tester.
This message was created automatically by mail delivery
software (Exim).
• It's the long-awaited film version of the Broadway hit.
Set in the roaring 20's, this is the story of Chicago
chorus girl Roxie Hart(Zellweger), who shoots her unfaithful
lover (West).
• Adult content!!! Use with parental advisory.
• Patrick Ewing will give Knick fans something to cheer
about Friday night.
• Send me your comments...
Attachment: (any of these)
• About_Me.txt.pif
• driver.exe
• Doom3 Preview!!!.exe
• enjoy.exe
• YOU_are_FAT!.TXT.pif
• Source.exe
• Interesting.exe
• README.TXT.pif
• images.pif
• Pics.ZIP.scr
This malware also has backdoor capabilities. It opens ports 1092 and 20168, allowing remote users to access infected systems. After opening the said ports, it immediately sends an email notifying a remote user that the infected machine is online and accessible.
This malware runs on Windows NT, 2000, and XP systems.
Solution:
===============================================
Before proceeding to remove this malware, first identify the malware program.
Scan your system with Trend Micro antivirus and NOTE all files detected as PE_LOVGATE.J and WORM_LOVGATE.DLL. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager. Press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
NOTE: Terminating an instance of this malware also launches an instance of IEXPLORE.EXE. Terminate all other malware instances first before terminating IEXPLORE.EXE.
Addressing Registry Shell Spawning
Registry shell spawning executes the malware when a user tries to run a .TXT or .EXE file. The following procedures should restore the registry to its original settings.
Click Start>Run
In the Open input box, type:
command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
Press Enter.
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>exefile>shell>open>command
In the right panel, locate the registry entry:
Default
Check whether its value data (right most column) is the path and file name of the malware file:
"winexe.exe %1"
If the value data is the malware file, right-click Default and select Modify to change its value.
In the Value data input box, delete the existing value and type the default value:
"%1"%*
Click OK.
Again in the left panel, double-click the following:
HKEY_CLASSES_ROOT>txtfile>shell>open>command
In the right panel, locate the registry entry:
Default
Check whether its data (in the rightmost column) is the path and file name of the malware file:
"winrpc.exe %1"
If the data is the malware file, right-click Default and select Modify to change its value.
In the Value data input box, delete the existing value and type the default value: %SysDir%\NOTEPAD.EXE %1
Click OK.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Still in the Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entries:
WinHelp = "C:\WINNT\System32\WinHelp.exe"
WinGate initialize = "C:\WINNT\System32\WinGate.exe -remoteshell"
Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
Program In Windows = "C:\WINNT\System32\IEXPLORE.EXE"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows NT>
CurrentVersion>Windows
In the right panel, locate and delete the entry:
Run = "RAVMOND.EXE"
Close Registry Editor.
Click Start>Run, then type:
command /c del regedit.com
Disabling Malware Service
Restart your machine to terminate the malware service.
Open Registry Editor.
To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
Microsoft NetWork FireWall Services
Still in the left panel, delete the subkey:
Microsoft NetWork FireWall Services
Close Registry Editor.
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and clean all files detected as PE_LOVGATE.J. Delete all files detected as WORM_LOVGATE.DLL. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
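The removal steps above are manual. As an added example (not from the original post or from Trend Micro), here is a read-only PowerShell check that looks for the same indicators the advisory lists: the hijacked .exe/.txt open commands, the autostart entries, the service key, and listeners on the two backdoor ports. It assumes an administrator session on a current Windows host (Get-NetTCPConnection is not available on the NT/2000/XP systems named above) and changes nothing; it only reports.

```powershell
# Added example: report LOVGATE.J indicators named in the Trend Micro advisory.
# Assumptions: run elevated on a modern Windows host; read-only, no cleanup.
$findings = @()

# 1. Shell-spawning hijack of the .exe and .txt open commands (default value).
$shellChecks = @{
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = 'winexe.exe'
    'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command' = 'winrpc.exe'
}
foreach ($key in $shellChecks.Keys) {
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match [regex]::Escape($shellChecks[$key])) {
        $findings += "Hijacked open command at $key : $cmd"
    }
}

# 2. Autostart value names listed in the advisory (HKLM Run key).
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'WinHelp', 'WinGate initialize',
                  'Remote Procedure Call Locator', 'Program In Windows') {
    $v = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $findings += "Autostart entry '$name' = $v" }
}

# 3. The HKCU ...\Windows\Run value pointing at RAVMOND.EXE.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$runVal = (Get-ItemProperty -Path $winKey -Name 'Run' -ErrorAction SilentlyContinue).Run
if ($runVal -match 'RAVMOND\.EXE') { $findings += "HKCU Windows\Run = $runVal" }

# 4. The service key the advisory says to delete.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Microsoft NetWork FireWall Services'
if (Test-Path $svcKey) { $findings += "Service key present: $svcKey" }

# 5. Backdoor listeners on the ports named in the description.
foreach ($port in 1092, 20168) {
    $l = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    foreach ($conn in $l) {
        $findings += "Listener on TCP $port owned by PID $($conn.OwningProcess)"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No LOVGATE.J indicators found.'
}
```

A hit on any of the five checks is a reason to follow the full cleaning procedure above rather than to delete the single entry found, since the advisory describes the file infector, the DLL and the service as separate components.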
-
May 23rd, 2003, 11:36 AM
#2
Hmm Symantec Just listed their assessment of J as a Cat 2
Info Here
Cheers..
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
May 23rd, 2003, 01:22 PM
#3
LOL @ PPL opening:
How to Crack all gamez.exe
How To Hack Websites.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
or
DSL Modem Uncapper.rar.exe
LMFAO
this is one of those "Dumb ppl" viruses
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
May 23rd, 2003, 01:35 PM
#4
** Gore Virus**
hi this post is a leet virii. Please Read and do the following:
Send this to all your friends and everyone in your contact list. After you have done this please delete everything on your HD.
_______________________________________________________________
i know i know but i couldn't resist lol.