8/6: Lovgate-F a Mass-Mailing Worm

August 6, 2004

W32/Lovgate-F is a mass-mailing and network worm. When started, the worm copies itself to the root folder as COMMAND.EXE, to the Windows folder as SYSTRA.EXE and to the Windows system folder as IEXPLORE.EXE, kernel66.dll (hidden) and RAVMOND.exe.

W32/Lovgate-F also creates a file AUTORUN.INF in the root folder and msjdbc11.dll, MSSIGN30.DLL and ODBC16.dll in the Windows system folder (which are detected by Sophos as W32/Lovgate-V).

The worm may also drop a copy of itself into the Windows system folder under a random name, as well as two FTP server components, SPOLLSV.EXE and NETMEETING.EXE.

In order to auto-start, the worm sets the following registry entries:
Hardware Profile = C:\\hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Program In Windows = C:\\IEXPLORE.EXE
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Shell Extension = C:\\spollsv.exe
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = C:\\realsched.exe
COM++ System = suchost.exe
SystemTra = C:\\SysTra.EXE
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run = RAVMOND.exe
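
One way to check a host for the autostart entries listed above is to scan saved `reg query` output for those value names and the files they launch. This is an added example, not part of the original advisory or Sophos tooling; the function name, the confidence labels, PLACEHOLDER_KEY and the sample paths are assumptions made for illustration.

```python
import re

# Autostart value names and the file each one launches, as listed in the advisory above.
LOVGATE_F_AUTOSTART = {
    "Hardware Profile": "hxdef.exe",
    "Microsoft NetMeeting Associates, Inc.": "NetMeeting.exe",
    "Program In Windows": "IEXPLORE.EXE",
    "Protected Storage": "MSSIGN30.DLL",
    "Shell Extension": "spollsv.exe",
    "VFW Encoder/Decoder Settings": "MSSIGN30.DLL",
    "WinHelp": "realsched.exe",
    "COM++ System": "suchost.exe",
    "SystemTra": "SysTra.EXE",
    "run": "RAVMOND.exe",
}
_IOC = {name.lower(): target.lower() for name, target in LOVGATE_F_AUTOSTART.items()}
# A value line in `reg query` output: four spaces, name, type, data.
_VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")

def find_lovgate_autostart(reg_query_text):
    """Return (key, value name, data, confidence) for entries matching the advisory."""
    findings, key = [], None
    for line in reg_query_text.splitlines():
        m = _VALUE_LINE.match(line)
        if m is None:
            key = line.strip() or key  # any other non-empty line is taken as a key header
            continue
        name, data = m.group(1), m.group(3).strip()
        target = _IOC.get(name.lower())
        if target is not None:
            # Name and launched file both match: high. Name alone: needs a manual look.
            confidence = "high" if target in data.lower() else "name-only"
            findings.append((key, name, data, confidence))
    return findings

# Constructed sample; PLACEHOLDER_KEY stands in for the key the page does not name.
SAMPLE = r"""
PLACEHOLDER_KEY
    WinHelp    REG_SZ    C:\sample\realsched.exe
    COM++ System    REG_SZ    svchost.exe
    ctfmon    REG_SZ    C:\sample\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run    REG_SZ    RAVMOND.exe
"""

if __name__ == "__main__":
    for finding in find_lovgate_autostart(SAMPLE):
        print(finding)
```

A "name-only" result means the value name matches the advisory but the data points at a different file, so it should be reviewed by hand rather than treated as confirmed.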

A new INI file named TWAIN_32.DLL may be created in the Windows folder that will contain the following parameter in the Windows section:


More information is available on the Sophos page.
