W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks. W32/Lovgate-V copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows folder as systra.exe.
The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll, which provide unauthorized remote access to the computer over a network.
The worm drops ZIP files containing a copy of the worm onto accessible drives. The ZIP file may also carry a RAR extension. The name of the packed file is chosen from the following list:
WORK
setup
important
bak
letter
pass
The name of the contained unpacked file is either PassWord, email or book, with a file extension of EXE, SCR, PIF or COM.
In order to run automatically when Windows starts up W32/Lovgate-V creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Hardware Profile = \hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = \WinHelp.exe
Program In Windows = \IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = \SysTra.EXE
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = RAVMOND.exe
More information is at Sophos page.
7/21: Lovgate-V Worm Provides Remote Access
