-
February 20th, 2003, 01:05 PM
#1
**Heads-Up** Lovegate-Ixas-Tang
Hi Guys,
Here are today's newest fast spreaders..
more details via links provided..
Cheers
first found Here at Symantec
W32.HLLW.Tang@mm is a mass mailing worm that attempts to disguise itself as a file, which Windows does not recognize. The worm uses the icon of an unregistered file type to perform this.
W32.HLLW.Tang@mm emails itself to all the contacts in the Windows Address Book. It also attempts to spread itself through the file-sharing networks, IRC, Microsoft Word Documents, Microsoft Excel Spreadsheets and across mapped drives.
The worm is written in Microsoft Visual Basic (VB) and is compressed with UPX. The VB run-time libraries must be installed for the worm to be executed.
Also Known As: W32/Gant@MM [McAfee], I-Worm.Tanger [KAV]
Type: Virus, Worm
Infection Length: 21,504 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
second
found Also at Symantec
W32.Ixas@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all the contacts in Windows Address Book.
The email has the following characteristics:
From: <random letters>@delfi.lt
Subject: The subject can be one of the following,
Gift for you
Urgent NEWs
EBAY Update
Antivirus Update
Urgent Windows UPDATE
Hi, look this attcahment
Hello, please wisit this nice site
Attachment: Attachment has a random file name.
The worm also sends itself to the email addresses it finds from the incoming emails. The email it creates for this set of email addresses has the following characteristics:
Subject: Re:
Attachment: Attachment has a random file name.
Message:
I reply as soon as possible to your email
You wrote:----------
Several variants of this threat have been found. All the variants are written in the Microsoft C++ programming language. ASPack packs some of the variants.
Also Known As: WORM_IXAS.A [Trend], W32/Ixas@MM [McAfee], W32/GvoWFI.A@mm [F-Prot]
Type: Worm
Infection Length: 112,128 bytes, 114,688 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
and third..
Also from Symantec
W32.HLLW.Lovgate@mm is a mass mailing worm that attempts to email itself to all the email addresses that it finds in the files with the file extension that starts with "ht" (for example, all the .htm or .hta files). The subject and attachment of the incoming email will be chosen from a predetermined list.
W32.HLLW.Lovgate@mm also attempts to copy itself to all the computers on a local network, and then infect these computers. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 10168.
If the infected computer is running Windows NT, 2000, or XP, the worm will attempt to disguise itself as the normal Windows process, "LSASS.EXE."
W32.HLLW.Lovgate@mm is written in the C++ programming language and is compressed with ASPack.
Type: Worm
Infection Length: 77,312 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
When dealing with "Network Aware" Worms/Virii these little buggers can, and do, download updates of themselves as well as spread both over the lan and internet.. Once found on a system that is a part of a network first disconnect it from the network and carefully remove the infection.. DON'T TRUST ANY VIRUS REMOVAL TOOLS 100%.. Use your knowledge of the system to spot "inconsistent" file names and types (a bit hard if you work with different O/s and system configs)..
Don't expect the AV companies' description of the virus and its files and registry keys to be 100% consistent with what you find..
NEVER Share the Root (C:\) of the HDD Only the Folders that are needed and certainly never "Windows" and "Program Files"... I have seen comments that Netbios be disabled completely, and all file sharing via FTP..
Oh and "Reasonable password" placed on access for the file shares..
Why do I say all this.. yep I got caught today.. strange network and a triple infection.. QAZ, Funlove and Opasrv.i/k/n (yes 3 versions.. n gave me trouble)
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
February 21st, 2003, 11:44 AM
#2
Update
There is a update for lovgate.. found Here
W32.HLLW.Lovgate.B@mm is a mass mailing worm and a variant of W32.HLLW.Lovgate@mm. W32.HLLW.Lovgate.B@mm drops a password-stealing Trojan. The outgoing email contains an attachment with a .exe file extension.
Also Known As: W32/Lovgate.worm [McAfee], WORM_LOVGATE.A [Trend], I-Worm.Supnot [KAV]
Type: Worm
Infection Length: 84,992 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
February 23rd, 2003, 05:05 AM
#3
-
February 25th, 2003, 01:41 AM
#4
OK Guys,
This one is getting a little more wide spread..
Now with a C version.. and upgraded threat assessment
W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor functionalities.
To spread itself, the worm attempts to reply to incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook. W32.HLLW.Lovgate.C@mm does this in an effort to emulate the auto-reply function of the email client, as well as to lure those who sent the original messages to the infected computer into opening the returned messages.
There are no major functionality differences between this variant and W32.HLLW.Lovgate@mm. This particular variant appears to have been recompiled with a different compiler, and then packed with the same run-time compression utility as W32.HLLW.Lovgate@mm.
NOTE: Definitions dated February 23, 2003 detect this threat as W32.HLLW.Lovgate@mm. Definitions dated February 24, 2003 or later will detect this threat as W32.HLLW.Lovgate.C@mm.
Check here for info..Symantec
So be prepared..
Also check this thread Here
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
February 26th, 2003, 12:13 PM
#5
This Info posted from Symantec
W32.HLLW.Lovgate.D@mm is a variant of W32.HLLW.Lovgate@mm. This mass-mailing worm attempts to email itself to all the email addresses that it finds in the files with file extensions beginning with "ht" (for example, .htm and .hta).
The subject and attachment of the incoming email are chosen from a predetermined list. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on TCP port 10,168.
W32.HLLW.Lovgate.D@mm worm can also spread across the network shares. If the infected computer runs Windows NT, 2000, or XP, the worm attempts to disguise itself as the normal Windows process, Lsass.exe.
This threat is written in the Microsoft C++ programming language and is compressed with ASPack.
Also Known As: I-Worm.Supnot.d [KAV], WORM_LOVGATE.D [Trend]
Type: Worm
Infection Length: 41,984 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Fortunately, this variant isn't so prevalent in the wild...
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
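Two host-side checks for the Lovgate indicators quoted in posts #1 and #5 (the backdoor listening on TCP port 10168, and a copy of the worm posing as LSASS.EXE). This is an added example for triage, not code from the thread or from Symantec; it assumes `netstat -an` style output and a (name, path) process list, and assumes the legitimate lsass.exe lives under the Windows system32 directory (C:\WINNT or C:\WINDOWS).

```python
"""Triage helpers for the Lovgate indicators described in this thread."""
from __future__ import annotations
import re
from typing import Iterable, List, Tuple

LOVGATE_BACKDOOR_PORT = 10168            # default listener from the Symantec write-up
# Assumed legitimate homes of lsass.exe; adjust for a non-default %SystemRoot%.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")

# One line of `netstat -an` output: proto, local addr:port, foreign addr, state.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def find_backdoor_listeners(netstat_lines: Iterable[str],
                            port: int = LOVGATE_BACKDOOR_PORT) -> List[str]:
    """Return the local addresses that have a TCP listener on `port`."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) == port:
            hits.append(m.group(1))
    return hits

def find_fake_lsass(processes: Iterable[Tuple[str, str]]) -> List[str]:
    """Return image paths of processes named lsass.exe that run from outside system32."""
    suspicious = []
    for name, path in processes:
        if name.lower() != "lsass.exe":
            continue
        folder = path.lower().rsplit("\\", 1)[0]   # directory part of the image path
        if folder not in SYSTEM_DIRS:
            suspicious.append(path)
    return suspicious

def triage(netstat_lines: Iterable[str], processes: Iterable[Tuple[str, str]]) -> dict:
    """Combine both checks into one report."""
    return {"listeners": find_backdoor_listeners(netstat_lines),
            "fake_lsass": find_fake_lsass(processes)}

# Constructed sample data (not captured from a real infection).
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:139        192.168.1.9:1034       ESTABLISHED",
]
SAMPLE_PROCESSES = [
    ("lsass.exe", r"C:\WINNT\system32\lsass.exe"),   # the real one
    ("LSASS.EXE", r"C:\WINNT\LSASS.EXE"),            # impostor in the wrong folder
    ("explorer.exe", r"C:\WINNT\explorer.exe"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES))
```

A listener on 10168 alone is not proof of Lovgate, so treat a hit as a reason to pull the box off the network and inspect it, as post #1 advises.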
-
March 25th, 2003, 09:06 AM
#6
Lovegate update
Ok Lovegate has a new variant..
Check Here for the info on the latest from Symantec (Norton)
Sophos has it named differently here
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr