7/21: Lovgate-V Worm Provides Remote Access

July 21, 2004

W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks. W32/Lovgate-V copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows folder as systra.exe.

The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll, which provide unauthorized remote access to the computer over a network.

The worm drops ZIP files containing a copy of the worm onto accessible drives. The ZIP file may also carry a RAR extension. The name of the packed file is chosen from the following list:


The name of the contained unpacked file is either PassWord, email or book, with a file extension of EXE, SCR, PIF or COM.

To run automatically when Windows starts, W32/Lovgate-V creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Hardware Profile = \hxdef.exe
    Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
    Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    WinHelp = \WinHelp.exe
    Program In Windows = \IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
    SystemTra = \SysTra.EXE
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    run = RAVMOND.exe
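
A check for the autostart entries listed above, as an added example that is not part of the original advisory: it scans saved `reg query` output for the value names and file names given here. The function name, the four-space `reg query` layout and the sample text are assumptions, and the sample is constructed.

```python
import re

# Autostart indicators from the advisory: (key suffix, value name, data), lower-cased.
# The advisory elides folder paths, so data is compared on the trailing file name only.
RUN = r"software\microsoft\windows\currentversion\run"
INDICATORS = [
    (RUN, "hardware profile", "hxdef.exe"),
    (RUN, "microsoft netmeeting associates, inc.", "netmeeting.exe"),
    (RUN, "protected storage", "rundll32.exe mssign30.dll ondll_reg"),
    (RUN, "vfw encoder/decoder settings", "rundll32.exe mssign30.dll ondll_reg"),
    (RUN, "winhelp", "winhelp.exe"),
    (RUN, "program in windows", "iexplore.exe"),
    (r"software\microsoft\windows\currentversion\runservices", "systemtra", "systra.exe"),
    (r"software\microsoft\windows nt\currentversion\windows", "run", "ravmond.exe"),
]

# Assumed `reg query` value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def find_lovgate_autostarts(reg_query_text):
    """Return (key, value name, data) for each value matching an advisory entry."""
    hits, key = [], ""
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().rstrip("\\")
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1).strip(), m.group(3).strip()
        bare = data.strip('"').lower()
        for suffix, want_name, want_data in INDICATORS:
            if (key.lower().endswith("\\" + suffix) and name.lower() == want_name
                    and (bare == want_data or bare.endswith("\\" + want_data))):
                hits.append((key, name, data))
    return hits

# Constructed sample input (not from the advisory); two of the values are benign.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Hardware Profile    REG_SZ    C:\WINDOWS\system32\hxdef.exe
    Protected Storage    REG_SZ    RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    WinHelp    REG_SZ    C:\Program Files\Example\WinHelp32.exe
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    SystemTra    REG_SZ    C:\WINDOWS\SysTra.EXE
"""

if __name__ == "__main__":
    print(*find_lovgate_autostarts(SAMPLE), sep="\n")
```

Requiring both the value name and the file name to match keeps a legitimate value that merely shares a name (the `WinHelp` line in the sample) from being reported.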

More information is available on the Sophos page.
