The Web    www.100share.com    Google
 
Virus Update: Lovgate Worm Still Out
 

Virus Update: Lovgate Worm Still Out
February 21, 2003

Several vendors were still issuing alerts Thursday for the W32/Lovgate-A worm that appeared earlier this week.

W32/Lovgate-A is also a backdoor Trojan that provides an attacker with unauthorized access to the user's computer and can send notification email messages to the attacker. The worm spreads across the local network by copying itself into folders with several names.

For information on the names visit this Sophos Web page.

According to Panda Software, Lovgate-A opens a TCP port (usually 10168). These files will be accessible from the other computers in the same local network as the infected computer and if they are run, these computers will also be infected.

Read more from Panda Software here.

Apart from the mass mailing functionality, Lovgate-A can spread through windows shares and steal users' passwords, according to F-Secure. Listening in on the port 10168 allows the attacker to perform different actions on the infected machine. It sends the private information to the following addresses:

hello_dll@163.com
hacker117@163.com

The worm has an internal SMTP engine and connects to the host smtp.163.com to deliver its messages, according to F-Secure. The worm's executable is packed with ASPack. It copies itself to shares and shares' subfolders with several names.

View them on this F-Secure page.

Kingpdt Overwrites Files and Replaces the Content

The Kingpdt a worm spreads rapidly to other computers via e-mail, IRC chat channels and peer-to-peer file-sharing programs. Kingpdt overwrites the content of all the files it finds with the following extensions: mp3, mp2, mpg, mpeg, .mpe, avi, mov, dir, jpg, jpeg, jpe, gif, png, tif, tiff, pic, art and url. It replaces the content of these files with the virus code and changes their extension to VBS, rendering these files unusable.

Kingdpt also deletes the original content of the files it finds in the shared directories of peer-to-peer file-sharing programs and replaces it with VBS and VBE (compressed Visual Basic file) virus code.

Read more here.

Backdoor.Khaos Trojan Easy to Uninstall

Backdoor.Khaos is a backdoor Trojan that gives an attacker unauthorized access to a computer. It usually arrives as the file Server2.exe. By default it opens port 6969 for listening.

Backdoor.Khaos does not automatically install itself, as some other program usually installs it. As a result, even if Backdoor.Khaos is installed, in most cases, it will no longer run after the computer is restarted.

Backdoor.Khaos is written in Microsoft Visual Basic 5 and it requires that the Visual Basic run-time libraries be installed on a computer in order for it to execute.

Check this Symantec site for more information.

Compiled by Esther Shein.

 
  • Lawmakers: Spam Bill Is a Turkey
  • 6/14: Spybot-CO Spreads via KaZaA Network
  • Virus Alert: Optix.Pro Trojan Rated Low Threat
  • 10/12: Forbot-AZ Worm Has Backdoor
  • AntiOnline Security Spotlight: CD-Wrecker
  • 11/16: Agobot-NX an IRC Trojan & Worm
  • Netsky-D Ranked as High Risk
  • 12/10: Agobot-NX an IRC Trojan & Worm
  • SunGard to Spin Off Disaster Recovery Biz
  • Trolling For Anti-Phishing Laws
  • Microsoft Battles Debugger Flaw, SQL Worm
  • Security Camera Price