8/6: Lovgate-F a Mass-Mailing Worm

August 6, 2004

W32/Lovgate-F is a mass-mailing and network worm. When started, the worm copies itself to the root folder as COMMAND.EXE, to the Windows folder as SYSTRA.EXE, and to the Windows system folder as IEXPLORE.EXE, kernel66.dll (hidden) and RAVMOND.exe.

W32/Lovgate-F also creates a file AUTORUN.INF in the root folder and msjdbc11.dll, MSSIGN30.DLL and ODBC16.dll in the Windows system folder (which are detected by Sophos as W32/Lovgate-V).

This worm may also drop itself into the Windows system folder using a random name as well as two FTP server components, SPOLLSV.EXE and NETMEETING.EXE.

To start automatically, the worm sets the following registry entries:
Hardware Profile = C:\\hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Program In Windows = C:\\IEXPLORE.EXE
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Shell Extension = C:\\spollsv.exe
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = C:\\realsched.exe
COM++ System = suchost.exe
SystemTra = C:\\SysTra.EXE
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run = RAVMOND.exe
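
A saved `reg query` listing can be checked against the entries above by matching each value name together with the file name in its data. The following Python is an added example, not from Sophos or the original article; the sample listing and the `SOFTWARE\Example` keys in it are constructed, and because the page names a key only for the `run` value, the other entries are matched in any key.

```python
import re

# Value name -> file name that must appear in the value data. Both come from
# the advisory's list and are lowercased for case-insensitive matching.
LISTED = {
    "hardware profile": "hxdef.exe",
    "microsoft netmeeting associates, inc.": "netmeeting.exe",
    "program in windows": "iexplore.exe",
    "protected storage": "mssign30.dll",
    "shell extension": "spollsv.exe",
    "vfw encoder/decoder settings": "mssign30.dll",
    "winhelp": "realsched.exe",
    "com++ system": "suchost.exe",
    "systemtra": "systra.exe",
    "run": "ravmond.exe",
}
# The advisory gives a key only for "run"; that value is matched only there.
RUN_KEY_SUFFIX = r"software\microsoft\windows nt\currentversion\windows"
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

def scan_reg_query(text):
    """Return (key, value name, data) for entries matching the advisory's list."""
    hits, key = [], ""
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # unindented line = current key
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1).strip(), m.group(3).strip()
        wanted = LISTED.get(name.lower())
        if wanted is None:
            continue
        if name.lower() == "run" and not key.lower().rstrip("\\").endswith(RUN_KEY_SUFFIX):
            continue
        # Split data into path components and arguments, then look for the file.
        if wanted in re.split(r'[\\/\s"]+', data.lower()):
            hits.append((key, name, data))
    return hits

# Constructed sample in the layout printed by "reg query"; the keys under
# SOFTWARE\Example are placeholders, not keys named by the advisory.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Example\Autostart
    WinHelp    REG_SZ    C:\WINDOWS\System32\realsched.exe
    Protected Storage    REG_SZ    RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    Shell Extension    REG_SZ    C:\Tools\viewer.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run    REG_SZ    RAVMOND.exe
HKEY_CURRENT_USER\Software\Example
    run    REG_SZ    RAVMOND.exe
"""
```

Requiring both the value name and the file name keeps a legitimate value that merely shares a name, such as the `Shell Extension` line in the sample, from being flagged.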

A new INI file named TWAIN_32.DLL may be created in the Windows folder that will contain the following parameter in the Windows section:


More information is available on the Sophos page.
