Lovgate.C Worm Crawls Across Web

Antivirus vendors are warning of a worm with high damage potential spreading across the Internet, with initial outbreaks Monday in Europe and Asia.

The Lovgate.C worm, a variant of an earlier worm with the same name, propagates itself by replying to e-mail in a user's in-box with an attachment containing the bad code, according to Trend Micro, among the first to release alerts about the pest. The worm then installs a backdoor port that allows a remote user to access and modify files on an infected user's system.

The self-replicating worm spreads through network shared folders and subfolders, as well as through the traditional method of an unsuspecting user's clicking on an e-mail attachment.

Examples of Attack

The worm is primarily affecting users of Microsoft Outlook and Outlook Express e-mail programs. It can propagate itself through Outlook e-mail, but recipients may be users of any e-mail program.

Trend Micro representatives say the virus disguises itself as legitimate e-mail by replying to an existing e-mail message in your in-box, not simply by drawing on addresses in your address box.

The company provided an example of a legitimate e-mail message sent to an infected user, concerning something business related, that is answered by the worm with the message, "I'll try to respond as soon as possible. Take a look to [sic] the attachment and send me your opinion!" Users will often click on this attachment, since it appears to come from a person they know, Trend Micro said.

Clicking on the attachment sends the malicious code into several executable files on a user's system. It resides in a PC's system folder under any of several names, including WinRpcsrv.e, syshelp.exe, winrpc.exe, WinGate.exe, and rpcsrv.exe, according to Trend Micro.

Security tools vendor McAfee, a division of Network Associates, notes that the worm attaches itself to an e-mail message using one of several innocuous-sounding names, including fun.exe, images.exe, news_doc.exe, pics.exe, setup.exe, joke.exe, card.exe, and others.

Protection Available

Trend Micro and other leading vendors of antivirus programs, including Symantec and McAfee, have classified Lovgate.C as a medium-risk worm. All have updated the definitions in their antivirus products to detect and eradicate the newest worm.

TrendMicro has issued a report on the virus, along with prevention information.

Symantec, which markets Norton Antivirus, has also posted an alert for the Lovgate worm. The company says this variant has no major differences in functionality from the W32.HLLW.Lovgate@mm worm, and appears to have been recompiled with a different compiler.

McAfee, a division of Network Associates, has also posted a virus profile and updated its definition software to combat the new worm.

BitDefender has posted a free removal tool for the Lovgate family of viruses.

The worm exploits a known vulnerability, says the company, which markets security software and services. BitDefender says the worm also spreads under the name Win32.LovGate.C@mm.