The Web    Google
7/21: Lovgate-V Worm Provides Remote Access

7/21: Lovgate-V Worm Provides Remote Access
July 21, 2004

W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks. W32/Lovgate-V copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows folder as systra.exe.

The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll, which provide unauthorized remote access to the computer over a network.

The worm drops ZIP files containing a copy of the worm onto accessible drives. The ZIP file may also carry a RAR extension. The name of the packed file is chosen from the following list:


The name of the contained unpacked file is either PassWord, email or book, with a file extension of EXE, SCR, PIF or COM.

In order to run automatically when Windows starts up W32/Lovgate-V creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Hardware Profile = \hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = \WinHelp.exe
Program In Windows = \IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = \SysTra.EXE
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = RAVMOND.exe

More information is at Sophos page.

  • 11/11: Masteq-H Trojan Runs Silently
  • 3/28: Mytob-S Worm Exploits LSASS Flaw
  • 1/25: Sdbot-TW Worm Has Backdoor Functions
  • Home Users: IT's Cross to Bear
  • 10/20: Spybot-DF an IRC Backdoor Worm
  • House Renews Anti-Spyware Push
  • 2/28: Elitper-A Worm Uses MAPI
  • Wi-Fi Planet Toronto: Security Taking Hold
  • Senate Panel Approves Anti-Spyware Bill
  • 9/9: Trojan.Riler Installs Itself As LSP
  • Lawmakers: Spam Bill Is a Turkey
  • Security Camera Industry Information