Sophos

W32/Lovgate-J


Summary

Included in our products from July 2003 (3.71)
Protection available since 28 September 2003 09:46:47 (GMT)
Detected by All Sophos products

Action

Read instructions on how to remove the W32/Lovgate-J worm.

More Information

W32/Lovgate-J is a variant of W32/Lovgate-A.

W32/Lovgate-J is a worm, a virus and a backdoor Trojan. The worm spreads across the local network by copying itself into network folders under the following filenames:

Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mafia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe
100 free essays school.pif

W32/Lovgate-J also attempts to spread via email by sending itself to email addresses collected from *.HT* files. Emails sent to these addresses can have the following subject lines, message texts and attachment names in any combination:

Subject line:
1. See the attachment
2. Hi
3. Let's Laugh
4. Reply to this!

Message text:
1. Send me your comments...
2. Patrick Ewing will give Knick fans something to cheer about Friday night.
3. Copy of your message, including all the headers is attached.
4. For further assistance, please contact!

Attached file:
1. Pics.ZIP.scr
2. images.pif
3. driver.exe
4. About_Me.txt.pif

The worm also attempts to reply to emails found in the user's inbox. The worm uses the following attachment names for these emails:

Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif

W32/Lovgate-J copies itself into the Windows system folder as ravmond.exe, winhelp.exe, WinGate.exe, winrpc.exe, windriver.exe, iexplore.exe and kernel66.dll and sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winhelp = "<Windows system folder>\winhelp.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize = "<Windows system folder>\WinGate.exe -remoteshell"

HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\COM+ Event System = DRWTSN16.EXE

On Windows NT the worm drops the files ily668.dll, task688.dll, reg678.dll and win32vxd.dll into the Windows system folder. These files are also detected as W32/Lovgate-J.

W32/Lovgate-J drops DRWTSN16.EXE into the Windows folder. This component of W32/Lovgate-J is used to infect other EXE files on the local machine and on shares.

W32/Lovgate-J attempts to share the <Windows folder>\temp folder as "GAME" and drops several copies of itself into this folder with random filenames and the following double extensions:

.txt.exe
.jpg.exe
.mp3.exe
.htm.exe
.rm.exe
.avi.exe
.doc.exe
.gif.exe
.dat.exe
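The registry entries, dropped component names and double extensions listed above can be checked for directly. The following is an added example (not Sophos code) that runs those checks over constructed sample data standing in for a registry export and a file listing; the system folder path C:\WINDOWS\system32, the sample registry values and the sample paths are assumptions.

```python
import re

# Registry keys named in the advisory; values are matched case-insensitively.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
TXTFILE_CMD = r"HKLM\Software\CLASSES\txtfile\shell\open\command"
# (key, value name) -> text present in the data when the worm set it; "" is
# the key's default value (the txtfile open-handler hijack).
SUSPECT_VALUES = {
    (RUN, "Remote Procedure Call Locator"): "reg678.dll",
    (RUN, "Winhelp"): "winhelp.exe",
    (RUN, "WinGate initialize"): "wingate.exe -remoteshell",
    (RUNSERVICES, "COM+ Event System"): "drwtsn16.exe",
    (TXTFILE_CMD, ""): "winrpc.exe",
}
# Components dropped into the Windows system folder; only that location is
# flagged, since e.g. iexplore.exe is legitimate under Program Files.
DROPPED = {"ravmond.exe", "winhelp.exe", "wingate.exe", "winrpc.exe",
           "windriver.exe", "iexplore.exe", "kernel66.dll", "ily668.dll",
           "task688.dll", "reg678.dll", "win32vxd.dll"}
# Double extensions of the random-named copies in the shared temp folder.
DOUBLE_EXT = re.compile(r"\.(txt|jpg|mp3|htm|rm|avi|doc|gif|dat)\.exe$", re.I)


def check_registry(values):
    """values: {(key, value name): data}. Returns matching persistence entries."""
    return [f"{key}\\{name or '(default)'} = {values[key, name]}"
            for (key, name), needle in SUSPECT_VALUES.items()
            if needle in values.get((key, name), "").lower()]


def check_files(paths, system_dir=r"C:\WINDOWS\system32"):
    """Returns paths that are dropped components or double-extension copies."""
    def suspicious(path):
        folder, _, name = path.rpartition("\\")
        dropped = folder.lower() == system_dir.lower() and name.lower() in DROPPED
        return dropped or bool(DOUBLE_EXT.search(name))
    return [p for p in paths if suspicious(p)]


# Constructed sample data (assumed values) standing in for a registry export
# and a file listing taken from a machine under investigation.
SAMPLE_REGISTRY = {
    (RUN, "Winhelp"): r"C:\WINDOWS\system32\winhelp.exe",
    (RUN, "WinGate initialize"): r"C:\WINDOWS\system32\WinGate.exe -remoteshell",
    (RUN, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",  # benign entry
    (TXTFILE_CMD, ""): "winrpc.exe %1",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel66.dll", r"C:\WINDOWS\temp\q7x1m.jpg.exe",
    r"C:\WINDOWS\temp\readme.txt",  # benign
    r"C:\Program Files\Internet Explorer\iexplore.exe",  # legitimate location
]
```

On the sample data the registry check reports the Winhelp, WinGate initialize and txtfile entries, and the file check reports kernel66.dll and the .jpg.exe copy while leaving the legitimately placed iexplore.exe alone.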

W32/Lovgate-J attempts to terminate certain AV and other processes.

W32/Lovgate-J is also a backdoor Trojan that provides an attacker with unauthorized access to the user's computer and can send notification email messages to the attacker.
