[email protected]

Aliases: I-Worm.LovGate.ac, [email protected], W32/Lovgate-AB, W32/[email protected]!zip
Variants: LoveGate.AL Worm, Win32.HLLM.Lovgate.8, Win32.Lovgate.AF, WORM_LOVGATE.AB

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: North and South America, Australia, Asia
Removal: Easy
Platform: W32
Discovered: 07 Jul 2004
Damage: Low

Characteristics: This worm carries a backdoor component that its author can use to remotely control the compromised machine. It creates a shared folder on the infected computer system, usually named MEDIA. It stops all processes identified with security and protection programs. Using its own Simple Mail Transfer Protocol (SMTP) engine, it sends out infected email messages or replies to messages found in the user's account.

More details about this worm

This mass-mailing worm sends out email messages with file attachments that use the ZIP, RAR, COM, SCR, EXE, or PIF file extensions. It can also exploit unprotected network shares to spread its infection to other computer systems. In addition, it can exploit vulnerabilities in the operating system's DCOM RPC service, which uses TCP port 135. The files the worm extracts onto the infected computer system are placed in the directory that holds the operating system files. These files use the executable (EXE) and Dynamic Link Library (DLL) file extensions.

Aside from the DLL and EXE files, this malware also generates some non-viral text files in the same directory. The worm creates an information file in the root folder of every drive attached to the infected computer system, except for optical media drives, and drops an executable copy of itself into the same location. This routine lets the worm spread its infection automatically once the drive is accessed by an unsuspecting user. The worm also creates an unsecured backdoor on the compromised machine using a random communication port.
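The attachment extensions listed above translate directly into a mail-gateway check. The following is an added example, not part of the original entry: it parses a raw message, blocks attachments with the executable extensions named on this page, and looks inside ZIP archives for members with those extensions. The function names, verdict strings and sample message are assumptions made for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Directly executable extensions from the entry's attachment list (ZIP and RAR are handled separately).
EXECUTABLE = {".com", ".scr", ".exe", ".pif"}
def ext_of(name):
    return os.path.splitext(name.strip().lower())[1]
def inspect_zip(data):
    """Block a ZIP if any member has an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = [n for n in zf.namelist() if ext_of(n) in EXECUTABLE]
    except zipfile.BadZipFile:
        return "quarantine: unreadable ZIP"
    return f"block: ZIP contains {bad[0]}" if bad else "pass"

def triage_attachments(raw_message):
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ext_of(name)
        if ext in EXECUTABLE:
            verdict = "block: executable attachment"
        elif ext == ".zip":
            verdict = inspect_zip(part.get_payload(decode=True))
        elif ext == ".rar":
            verdict = "quarantine: RAR needs an external unpacker"
        else:
            verdict = "pass"
        results.append((name, verdict))
    return results

def build_sample():
    """Constructed message; attachment bodies are harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "Re: hello"
    msg.set_content("see attachment")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.pif", b"placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="notes.zip")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename="photo.SCR")
    msg.add_attachment("hello", filename="readme.txt")
    return msg.as_bytes()
```

Calling `triage_attachments(build_sample())` returns one verdict per attachment; RAR archives are quarantined rather than inspected because the Python standard library cannot unpack them.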