W32.Lovgate.AB@mm


Aliases: I-Worm.LovGate.ac, W32.Lovgate.W@mm, W32/Lovgate-AB, W32/Lovgate.ab@MM!zip
Variants: LoveGate.AL Worm, Win32.HLLM.Lovgate.8, Win32.Lovgate.AF, WORM_LOVGATE.AB

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: North and South America, Australia, Asia
Removal: Easy
Platform: W32
Discovered: 07 Jul 2004
Damage: Low

Characteristics: This worm carries a backdoor component that lets its author remotely control the compromised machine. W32.Lovgate.AB@mm creates a shared folder on the infected computer, usually named MEDIA. It terminates processes belonging to security and protection programs. Using its own Simple Mail Transfer Protocol (SMTP) engine, it sends out infected email messages or replies to messages found in the user's account.

More details about W32.Lovgate.AB@mm

This mass-mailing worm sends email messages with file attachments that use the ZIP, RAR, COM, SCR, EXE, or PIF file extensions. W32.Lovgate.AB@mm can also spread to other computers through unprotected network shares, and it can exploit vulnerabilities in the operating system's DCOM RPC service, which listens on TCP port 135. The files the malware drops on the infected computer are placed in the folder that holds the operating system files. These files use the executable (EXE) and Dynamic Link Library (DLL) file extensions.

Aside from the DLL and EXE files, this malware also generates some non-viral text files in the same folder. W32.Lovgate.AB@mm creates an information file in the root folder of every drive attached to the infected computer, except optical media drives, and drops an executable copy of itself into the same location. The purpose of this routine is to spread the infection automatically when an unsuspecting user accesses the drive. W32.Lovgate.AB@mm also opens an unsecured backdoor on the compromised machine on a random communication port.
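
The drive-root routine described above leaves a recognizable pair of files: an information file and an executable side by side in the root folder. The following check for that pair is an added example, not part of the original description. The page does not name the information file, so the code assumes it is an autorun-style .inf file with an [autorun] section and an open= entry; the function names and the sample files are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

# Executable extensions from the page's attachment list (ZIP/RAR are archives).
EXEC_EXT = {".exe", ".com", ".scr", ".pif"}

def autorun_target(inf_path):
    """Return the program named by open= in an [autorun] section, else None."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(Path(inf_path).read_text(errors="replace"))
    except configparser.Error:
        return None  # not INI-shaped, so not an autorun-style file
    for section in parser.sections():
        if section.lower() == "autorun":
            value = (parser[section].get("open") or "").strip()
            return value.split()[0].strip('"') if value else None
    return None

def suspicious_roots(roots):
    """Map each root to (inf, executable) pairs where the .inf launches an
    executable stored in that same root. Callers pass non-optical drive roots."""
    findings = {}
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
        for name, path in files.items():
            target = autorun_target(path) if name.endswith(".inf") else None
            if not target:
                continue
            exe = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if Path(exe).suffix in EXEC_EXT and exe in files:
                findings.setdefault(str(root), []).append((path.name, files[exe].name))
    return findings

def build_sample():
    """Constructed sample data: two fake drive roots in a temp directory."""
    base = Path(tempfile.mkdtemp())
    infected, clean = base / "D", base / "E"
    infected.mkdir(); clean.mkdir()
    (infected / "AUTORUN.INF").write_text('[AutoRun]\nOpen="SAMPLE.EXE"\n')
    (infected / "sample.exe").write_bytes(b"MZ")
    (clean / "notes.inf").write_text("[Version]\nSignature=$CHICAGO$\n")
    (clean / "setup.exe").write_bytes(b"MZ")
    return infected, clean

if __name__ == "__main__":
    print(suspicious_roots(build_sample()))
```

A root is reported only when the .inf file actually points at an executable stored beside it, so an unrelated driver .inf next to a setup program does not raise a finding.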