Thread: LOVEGATE_J on the rise

  1. #1
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    LOVEGATE_J on the rise

    This isn't a new virus but it does have a nasty back door capability. I think it's worth posting a "heads up" for that reason alone.

    Trend Micro has moved its threat level up to medium. They offer a free scanner to remove it. Also, this post has manual removal instructions below.

    --Hope this helps out

    This is from the TrendMicro site:


    Virus type: File Infector

    Destructive: No

    Aliases: WORM_LOVGATE.J

    Overall risk rating: Medium

    --------------------------------------------------------------------------------

    Reported infections: Medium

    Damage Potential: High

    Distribution Potential: High



    --------------------------------------------------------------------------------

    Description:



    This file-infecting virus propagates via shared network drives and via email.

    To spread through network shares, it searches for shared folders with read/write access in the same network and drops copies of itself into these folders using the following file names:

    100 free essays school.pif
    Age of empires 2 crack.exe
    AN-YOU-SUCK-IT.txt.pif
    Are you looking for Love.doc.exe
    autoexec.bat
    CloneCD + crack.exe
    How To Hack Websites.exe
    Mafia Trainer!!!.exe
    MoviezChannelsInstaler.exe
    MSN Password Hacker and Stealer.exe
    Panda Titanium Crack.zip.exe
    Sex_For_You_Life.JPG.pif
    SIMS FullDownloader.zip.exe
    Star Wars II Movie Full Downloader.exe
    The world of lovers.txt.exe
    Winrar + crack.exe

    It propagates via email by replying to all new messages received in Microsoft Outlook and Outlook Express. It sends out email with the following format:

    From: <Infected User’s Name>
    To: <Original Sender>
    Subject: RE: <Original Subject>
    Message Body:
    '''<Infected User’s Name>' wrote:
    ====
    ><Original Body> >
    ====

    YAHOO.COM Mail auto-reply:

    If you can keep your head when all about you
    Are losing theirs and blaming it on you;
    If you can trust yourself when all men doubt you,
    But make allowance for their doubting too;
    If you can wait and not be tired by waiting,
    Or, being lied about, don't deal in lies,
    Or, being hated, don't give way to hating,
    And yet don't look too good, nor talk too wise;
    ... ... more look to the attachment.

    > Get your FREE <Original Sender’s SMTP account> account now! <

    Attachment: (randomly selected from any of the following)
    I am For u.doc.exe
    Britney spears nude.exe.txt.exe
    joke.pif
    DSL Modem Uncapper.rar.exe
    Industry Giant II.exe
    StarWars2 - CloneAttack.rm.scr
    dreamweaver MX (crack).exe
    Shakira.zip.exe
    SETUP.EXE
    Macromedia Flash.scr
    How to Crack all gamez.exe
    Me_nude.AVI.pif
    s3msong.MP3.pif
    Deutsch BloodPatch!.exe
    Sex in Office.rm.scr
    the hardcore game-.pif

    This malware also gathers target email addresses from HTML files that it finds in the current and Windows folders and a specific registry key, and sends an email message with itself as attachment to all the said email addresses. The email message that it sends is randomly generated using any of the following subjects, message bodies and attachments:

    Subjects: (any of these)
    • Reply to this!
    • Let's Laugh
    • Last Update
    • for you
    • Great
    • Help
    • Attached one Gift for u..
    • Hi
    • Hi Dear

    Message Body: (any of these)
    • For further assistance, please contact!

    • Copy of your message, including all the headers is attached.

    • This is the last cumulative update.

    • Tiger Woods had two eagles Friday during his victory over
    Stephen Leaney. (AP Photo/Denis Poroy)

    • Send reply if you want to be official beta tester.
    This message was created automatically by mail delivery
    software (Exim).

    • It's the long-awaited film version of the Broadway hit.
    Set in the roaring 20's, this is the story of Chicago
    chorus girl Roxie Hart(Zellweger), who shoots her unfaithful
    lover (West).

    • Adult content!!! Use with parental advisory.

    • Patrick Ewing will give Knick fans something to cheer
    about Friday night.

    • Send me your comments...

    Attachment: (any of these)
    • About_Me.txt.pif
    • driver.exe
    • Doom3 Preview!!!.exe
    • enjoy.exe
    • YOU_are_FAT!.TXT.pif
    • Source.exe
    • Interesting.exe
    • README.TXT.pif
    • images.pif
    • Pics.ZIP.scr

    This malware also has backdoor capabilities. It opens ports 1092 and 20168, allowing remote users to access infected systems. After opening the said ports, it immediately sends an email notifying a remote user that the infected machine is online and accessible.

    This malware runs on Windows NT, 2000, and XP systems.

    Solution:
    ===============================================

    Before proceeding to remove this malware, first identify the malware program.

    Scan your system with Trend Micro antivirus and NOTE all files detected as PE_LOVGATE.J and WORM_LOVGATE.DLL. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Terminating the Malware Program

    This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

    Open Windows Task Manager. Press
    CTRL+SHIFT+ESC, and click the Processes tab.
    In the list of running programs, locate the malware file or files detected earlier.
    Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    Do the same for all detected malware files in the list of running processes.
    To check if the malware process has been terminated, close Task Manager, and then open it again.
    Close Task Manager.
    NOTE: Terminating an instance of this malware also launches an instance of IEXPLORE.EXE. Terminate all other malware instances first before terminating IEXPLORE.EXE.

    Addressing Registry Shell Spawning

    Registry shell spawning executes the malware when a user tries to run a .TXT or .EXE file. The following procedures should restore the registry to its original settings.

    Click Start>Run
    In the Open input box, type:
    command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
    Press Enter.
    In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>exefile>shell>open>command
    In the right panel, locate the registry entry:
    Default
    Check whether its value data (right most column) is the path and file name of the malware file:
    "winexe.exe %1"
    If the value data is the malware file, right-click Default and select Modify to change its value.
    In the Value data input box, delete the existing value and type the default value:
    "%1" %*
    Click OK.
    Again in the left panel, double-click the following:
    HKEY_CLASSES_ROOT>txtfile>shell>open>command
    In the right panel, locate the registry entry:
    Default
    Check whether its data (in the rightmost column) is the path and file name of the malware file:
    "winrpc.exe %1"
    If the data is the malware file, right-click Default and select Modify to change its value.
    In the Value data input box, delete the existing value and type the default value: %SysDir%\NOTEPAD.EXE %1
    Click OK.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entries:
    WinHelp = "C:\WINNT\System32\WinHelp.exe"
    WinGate initialize = "C:\WINNT\System32\WinGate.exe -remoteshell"
    Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
    Program In Windows = "C:\WINNT\System32\IEXPLORE.EXE"
    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows NT>
    CurrentVersion>Windows
    In the right panel, locate and delete the entry:
    Run = "RAVMOND.EXE"
    Close Registry Editor.
    Click Start>Run, then type:
    command /c del regedit.com

    Disabling Malware Service

    Restart your machine to terminate the malware service.
    Open Registry Editor.
    To do this, click Start>Run, type REGEDIT, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
    Microsoft NetWork FireWall Services
    Still in the left panel, delete the subkey:
    Microsoft NetWork FireWall Services
    Close Registry Editor.

    Additional Windows ME/XP Cleaning Instructions

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and clean all files detected as PE_LOVGATE.J. Delete all files detected as WORM_LOVGATE.DLL. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
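As an added example (not part of the original post or of Trend Micro's write-up), the following Python script parses a registry export, as produced by Registry Editor's Export command, and flags the shell-spawning hijack, autostart and service entries that the manual removal steps above tell you to inspect. The export text is constructed for the demonstration; the file names and key names come from the write-up.

```python
import re

# Indicators taken from the removal instructions above.
MALWARE_FILES = {"winexe.exe", "winrpc.exe", "winhelp.exe", "wingate.exe",
                 "reg678.dll", "ravmond.exe"}
RUN_NAMES = {"winhelp", "wingate initialize",
             "remote procedure call locator", "program in windows"}
SERVICE_KEY = (r"hkey_local_machine\system\currentcontrolset\services"
               r"\microsoft network firewall services")

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; '@' becomes '(Default)'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line and line[0] in '"@':
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # Undo .reg escaping: \\ -> \ and \" -> "
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            keys[current][name] = value
    return keys

def check_export(text):
    """Return (key, value_name, value, reason) for every suspicious entry."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.startswith(SERVICE_KEY):
            findings.append((key, None, None, "LovGate service key present"))
        for name, value in values.items():
            v, reason = value.lower(), None
            if k.endswith(r"exefile\shell\open\command") and name == "(Default)" \
                    and not v.startswith('"%1"'):
                reason = "exefile handler hijacked"   # default should be "%1" %*
            elif k.endswith(r"txtfile\shell\open\command") and name == "(Default)" \
                    and "notepad.exe" not in v:
                reason = "txtfile handler hijacked"
            elif k.endswith(r"currentversion\run") and name.lower() in RUN_NAMES:
                reason = "known LovGate autostart name"
            elif any(f in v for f in MALWARE_FILES):
                reason = "value references a LovGate file"
            if reason:
                findings.append((key, name, value, reason))
    return findings

# Constructed sample export: an infected exefile handler, a clean txtfile handler,
# one LovGate Run entry beside a benign one, the HKCU Run hijack and the service key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="winexe.exe %1"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinGate initialize"="C:\\WINNT\\System32\\WinGate.exe -remoteshell"
"Harmless"="C:\\Program Files\\Example\\example.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="RAVMOND.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft NetWork FireWall Services]
'''

if __name__ == "__main__":
    for key, name, value, reason in check_export(SAMPLE_EXPORT):
        print(f"{reason}: [{key}] {name} = {value}")
```

Run it against a real export of the keys named above (regedit's File > Export of each key) to get a list of entries to review before editing anything by hand.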

  2. #2
    Und3ertak3r (The Doctor)
    Join Date
    Apr 2002
    Posts
    2,744
    Hmm, Symantec just listed their assessment of J as a Cat 2

    Info Here

    Cheers..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    the_JinX (Leftie Linux Lover)
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    LOL @ PPL opening:

    How to Crack all gamez.exe
    How To Hack Websites.exe
    MoviezChannelsInstaler.exe
    MSN Password Hacker and Stealer.exe
    Panda Titanium Crack.zip.exe

    or

    DSL Modem Uncapper.rar.exe

    LMFAO

    this is one of those "Dumb ppl" viruses
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    gore (Senior Member)
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    ** Gore Virus**

    hi this post is a leet virii. Please Read and do the following:

    Send this to all your friends and everyone in your contact list. After you have done this please delete everything on your HD.
    _______________________________________________________________
    i know i know but i couldn't resist lol.
