justin
Joined: 26 May 2004
Posts: 649
Offline
Posted: Mon Jul 05, 2004 7:33 pm
I have collected some information about this worm from F-Secure:
Lovgate.AC worm was found on May 17th, 2004. The worm spreads in e-mails, local and peer-to-peer networks. Additionally the worm drops a backdoor to an infected system. The backdoor listens on port 30128.
When the worm's file is run, it installs itself to the system. First it copies itself as RAVMOND.EXE to the Windows System directory and then modifies the WIN.INI file to run the worm's executable every time Windows starts. This does not happen in NT-based systems as WIN.INI is not used there.
Then the worm waits for 30 seconds and starts the thread that periodically copies the worm's file as IEXPLORE.EXE and KERNEL66.DLL (with hidden, system and read-only attribute) to Windows System folder.
Additionally the worm starts a thread that copies itself as SYSTRA.EXE file to Windows folder. And on remotely infected computers the worm copies itself as WinHelp.EXE to Windows System folder and creates a separate registry key for that file.
You can't manually disinfect it; you can get a solution from F-Secure.
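A defender-side check for the artifacts listed in the post above, as an added example that is not part of the original post and not F-Secure's tooling. It assumes the System folder is `system` or `system32` under the Windows folder and that the WIN.INI autostart uses the standard `run=`/`load=` keys of the `[windows]` section (the post does not say which); all sample data is constructed.

```python
import configparser
import ntpath

# (directory role, file name) pairs exactly as listed in the post above
ARTIFACTS = {("system", "ravmond.exe"), ("system", "iexplore.exe"),
             ("system", "kernel66.dll"), ("windows", "systra.exe"),
             ("system", "winhelp.exe")}
BACKDOOR_PORT = 30128  # backdoor listener port given in the post

def dir_role(path, windir):
    """Return 'windows', 'system' or None for a directory (assumed layout)."""
    d = ntpath.normcase(ntpath.normpath(path))
    w = ntpath.normcase(ntpath.normpath(windir))
    if d == w:
        return "windows"
    if d in (ntpath.join(w, "system"), ntpath.join(w, "system32")):
        return "system"
    return None

def dropped_files(paths, windir):
    """Flag a name only in the folder the post names, so the genuine
    IEXPLORE.EXE under Program Files is not reported."""
    return [p for p in paths
            if (dir_role(ntpath.dirname(p), windir),
                ntpath.basename(p).lower()) in ARTIFACTS]

def win_ini_autoruns(text):
    """Return run=/load= entries in [windows] that reference RAVMOND.EXE."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True)
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        if section.lower() != "windows":
            continue
        for key in ("run", "load"):  # assumption: standard autostart keys
            value = cp.get(section, key, fallback="") or ""
            if "ravmond.exe" in value.lower():
                hits.append(f"{key}={value}")
    return hits

def backdoor_port_open(listening_ports):
    return BACKDOOR_PORT in set(listening_ports)

# Constructed sample input (not taken from a real host)
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\RAVMOND.EXE",
                r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
                r"C:\WINDOWS\SYSTEM\IEXPLORE.EXE",
                r"C:\WINDOWS\WINHELP.EXE", r"C:\WINDOWS\SYSTRA.EXE"]
SAMPLE_WIN_INI = "[windows]\nload=\nrun=RAVMOND.EXE\nNullPort=None\n"
```

A hit on a file name alone is only a lead; the combination of a dropped file, the WIN.INI entry and the listening port is what matches the behaviour described in the post.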