PE_LOVGATE.GEN
W32/Lovgate.l@M (McAfee), W32.HLLW.Lovgate.G (ESET), W32/Lovgate.M (Panda)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Varies
EXE
05 Mar 2009
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This file infector drops the following files:
- %User Temp%\~.tmp.dll
- %System%\reg678.dll
- %System%\Task688.dll
- %System%\win32vxd.dll
- %System%\111.dll
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops the following copies of itself into the affected system:
- %System%\WinDriver.exe
- %System%\winexe.exe
- %System%\WinGate.exe
- %System%\WinHelp.exe
- %System%\IEXPLORE.exe
- %System%\RAVMOND.exe
- %System%\kernel66.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This file infector registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ll_reg
ImagePath = "Rundll32.exe Task688.dll ondll_server "
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
run = "RAVMOND.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
WinHelp = "%System%\WinHelp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
WinGate initialize = "%System%\WinGate.exe -remoteshell"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Program In Windows = "%System%\IEXPLORE.EXE"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ll_reg
Other System Modifications
This file infector modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
exefile\shell\open\
command
(Default) = "%System%\winexe.exe "%1" %*"
(Note: The default value data of the said registry entry is ""%1" %*".)