8/6: Lovgate-F a Mass-Mailing Worm
August 6, 2004
W32/Lovgate-F is a mass-mailing and network worm. When started, the worm copies itself to the root folder as COMMAND.EXE, to the Windows folder as SYSTRA.EXE and to the Windows system folder as IEXPLORE.EXE, kernel66.dll (hidden) and RAVMOND.exe.
W32/Lovgate-F also creates a file AUTORUN.INF in the root folder and msjdbc11.dll, MSSIGN30.DLL and ODBC16.dll in the Windows system folder (which are detected by Sophos as W32/Lovgate-V).
This worm may also drop itself into the Windows system folder using a random name as well as two FTP server components, SPOLLSV.EXE and NETMEETING.EXE.
In order to auto-start, the worm sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile = C:\\hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Program In Windows = C:\\IEXPLORE.EXE
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Shell Extension = C:\\spollsv.exe
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = C:\\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\runServices\
COM++ System = suchost.exe
SystemTra = C:\\SysTra.EXE
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run = RAVMOND.exe
A new INI file named TWAIN_32.DLL may be created in the Windows folder that will contain the following parameter in the Windows section:
run=RAVMOND.exe
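The following check is an added example, not part of the original advisory or Sophos tooling: it scans text in the layout printed by `reg query` for the auto-start values listed above. The function name, the sample text and the C:\WINDOWS\System32 path in it are constructed for illustration.

```python
import re

RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SVC = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
WIN = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"

# (key, value name) -> file name expected in the data, lower-cased, from the
# advisory. Its paths are truncated, so only the file name is compared.
INDICATORS = {
    (RUN, "hardware profile"): "hxdef.exe",
    (RUN, "microsoft netmeeting associates, inc."): "netmeeting.exe",
    (RUN, "program in windows"): "iexplore.exe",
    (RUN, "protected storage"): "mssign30.dll",
    (RUN, "shell extension"): "spollsv.exe",
    (RUN, "vfw encoder/decoder settings"): "mssign30.dll",
    (RUN, "winhelp"): "realsched.exe",
    (SVC, "com++ system"): "suchost.exe",
    (SVC, "systemtra"): "systra.exe",
    (WIN, "run"): "ravmond.exe",
}

# One value line of `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def find_lovgate_autostarts(reg_query_output):
    """Return (key, value name, data) for each value that matches the advisory."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().rstrip("\\").lower()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, data = m.group(1), m.group(3)
            marker = INDICATORS.get((key, name.lower()))
            if marker and marker in data.lower():
                hits.append((key, name, data))
    return hits

# Constructed sample in the layout of `reg query` output; not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Hardware Profile    REG_SZ    C:\WINDOWS\System32\hxdef.exe
    Protected Storage    REG_SZ    RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    SunJavaUpdateSched    REG_SZ    C:\Program Files\Java\jusched.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run    REG_SZ    RAVMOND.exe
"""
if __name__ == "__main__":
    print(*find_lovgate_autostarts(SAMPLE), sep="\n")
```

Matching requires both the value name and the file name, so a value that reuses one of these names for a different program is not reported.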
More information is available on the Sophos page.