Virus Update: Lovgate Worm Still Out
February 21, 2003

Several vendors were still issuing alerts Thursday for the W32/Lovgate-A worm that appeared earlier this week.

W32/Lovgate-A is also a backdoor Trojan that provides an attacker with unauthorized access to the user's computer and can send notification email messages to the attacker. The worm spreads across the local network by copying itself into folders with several names.

For information on the names visit this Sophos Web page.

According to Panda Software, Lovgate-A opens a TCP port (usually 10168). These files will be accessible from the other computers in the same local network as the infected computer and if they are run, these computers will also be infected.

Read more from Panda Software here.

Apart from its mass-mailing functionality, Lovgate-A can spread through Windows shares and steal users' passwords, according to F-Secure. Listening on port 10168 allows the attacker to perform different actions on the infected machine. It sends the private information to the following addresses:

The worm has an internal SMTP engine and connects to the host to deliver its messages, according to F-Secure. The worm's executable is packed with ASPack. It copies itself to shares and shares' subfolders with several names.

View them on this F-Secure page.

Kingpdt Overwrites Files and Replaces the Content

The Kingpdt-A worm spreads rapidly to other computers via e-mail, IRC chat channels and peer-to-peer file-sharing programs. Kingpdt overwrites the content of all the files it finds with the following extensions: mp3, mp2, mpg, mpeg, mpe, avi, mov, dir, jpg, jpeg, jpe, gif, png, tif, tiff, pic, art and url. It replaces the content of these files with the virus code and changes their extension to VBS, rendering these files unusable.

Kingpdt also deletes the original content of the files it finds in the shared directories of peer-to-peer file-sharing programs and replaces it with VBS and VBE (compressed Visual Basic file) virus code.

Read more here.

Backdoor.Khaos Trojan Easy to Uninstall

Backdoor.Khaos is a backdoor Trojan that gives an attacker unauthorized access to a computer. It usually arrives as the file Server2.exe. By default it opens port 6969 for listening.

Backdoor.Khaos does not automatically install itself, as some other program usually installs it. As a result, even if Backdoor.Khaos is installed, in most cases, it will no longer run after the computer is restarted.

Backdoor.Khaos is written in Microsoft Visual Basic 5 and it requires that the Visual Basic run-time libraries be installed on a computer in order for it to execute.

Check this Symantec site for more information.
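The listening ports reported above for Lovgate-A (TCP 10168) and Backdoor.Khaos (TCP 6969) can be checked on a Windows host from `netstat -ano` output. The following is an added example, not code from the article or the vendors; the sample output is constructed, and the function and variable names are illustrative.

```python
import re

# Default listener ports quoted in the article. Both are defaults only
# ("usually 10168", "by default ... 6969"), so a clean result does not
# prove the host is uninfected.
WATCHED_PORTS = {10168: "W32/Lovgate-A", 6969: "Backdoor.Khaos"}

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:1042      192.168.1.7:6969       ESTABLISHED     1500
  TCP    [::]:6969              [::]:0                 LISTENING       3020
  UDP    0.0.0.0:6969           *:*                                    1200
"""

# TCP rows only: local address, local port, foreign address, state, PID.
# The greedy (\S+) keeps IPv6 literals such as [::] intact before the port.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")


def find_suspect_listeners(netstat_text, watched=WATCHED_PORTS):
    """Return TCP sockets in LISTENING state whose local port is watched."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows
        addr, port, state, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        # An ESTABLISHED row with a watched *remote* port is an outbound
        # connection from this host, not a listener on it, so it is skipped.
        if state == "LISTENING" and port in watched:
            findings.append({"name": watched[port], "addr": addr,
                             "port": port, "pid": pid})
    return findings


if __name__ == "__main__":
    for f in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"{f['name']}: TCP {f['addr']}:{f['port']} listening, PID {f['pid']}")
```

A hit only identifies the process ID that owns the socket; the executable behind that PID still has to be examined, since legitimate software can listen on the same port numbers.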

Compiled by Esther Shein.
