Virus Warning issued for Worm/Lovegate.B
Details:
Name: Worm/Lovegate.B
Alias: Worm_Lovgate.B
Type: Internet Worm
Discovered: February 24, 2003
ITW: Yes
Platform: Microsoft Windows 95/98/Me/NT/2000/XP
Description:
Worm/Lovegate.B is an Internet worm that spreads through e-mail by using
addresses it collects from the Microsoft Outlook Address Book. It also contains
backdoor functionality.
If executed, the worm copies itself into the \windows\%system% directory under
the filenames "syshelp.exe", "winrpc.exe", "WinGate.exe",
"WinRpcsrv.exe", and "rpcsrv.exe".
Additionally, the C:\Windows\win.ini file is modified:
Run=
Run=rpcsvr.exe
So that it runs each time a user restarts their computer, the following
registry keys are added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
syshelp = "C:\windows\%system%\syshelp.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinGate initialize = "C:\windows\%system%\WinGate.exe -remoteshell"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Module Call initialize = "RUNDLL32.EXE reg.dll ondll_reg"
Additionally, the following key is created so that the worm runs each time a
file with the extension .txt is opened:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = "winrpc.exe %1"
Worm/Lovegate.B also contains backdoor functions. It drops the files "ily.dll",
"task.dll", "reg.dll", and "1.dll" into the \windows\%system% directory. After
registering the services, it opens TCP/IP port 10618. Once the port is open, an
e-mail is sent to various e-mail addresses, alerting their owners that the
machine has been compromised and is vulnerable to command execution.
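The startup entries and file names listed above can be checked offline against a `reg export` dump and a copy of win.ini. The script below is an added example, not part of the original advisory; its function names are hypothetical, and the sample export is constructed, with system32 standing in for %system%.

```python
import re

# File names the advisory lists as worm copies or dropped backdoor components.
# The page spells one name both "rpcsrv.exe" and "rpcsvr.exe"; both are matched.
WORM_FILES = {"syshelp.exe", "winrpc.exe", "wingate.exe", "winrpcsrv.exe",
              "rpcsrv.exe", "rpcsvr.exe", "ily.dll", "task.dll", "reg.dll", "1.dll"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"
# A bare file name ending in .exe/.dll, without any directory part.
TOKEN = re.compile(r'[^\\/\s"]+\.(?:exe|dll)(?![\w.])', re.I)

# Constructed sample in `reg export` text form (assumption: system32 = %system%).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\windows\\system32\\syshelp.exe"
"WinGate initialize"="C:\\windows\\system32\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"SoundMan"="C:\\windows\\soundman.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

def worm_files_in(data):
    """Return the listed file names referenced in a path or command line."""
    return sorted({t.lower() for t in TOKEN.findall(data)} & WORM_FILES)

def scan_reg_export(text):
    """Return (key, value name, matched files) for the keys the advisory names."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # section header = registry key
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key not in (RUN_KEY, TXT_KEY):
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        found = worm_files_in(m.group(2).replace("\\\\", "\\"))  # unescape
        if found:
            hits.append((key, name, found))
    return hits

def scan_win_ini(text):
    """Return listed file names that appear on run= lines of win.ini."""
    pairs = (line.partition("=") for line in text.splitlines())
    return [f for k, _, v in pairs if k.strip().lower() == "run"
            for f in worm_files_in(v)]
```

Real `reg export` output is UTF-16, so decode it before passing the text in. A match on a name such as "reg.dll" is a lead to verify against the file on disk, not proof of infection.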