Date: 25 February 2003
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2003.01 -- AUSCERT ALERT
W32/Lovgate variant - W32/Lovgate.c@M
25 February 2003
===========================================================================
AusCERT Alert Summary
---------------------
There is a new variant of the mass-mailing W32/Lovgate virus known
as W32/Lovgate.c. Lovgate.c possesses a mass-mailing capability,
backdoor functionality and has the ability to propagate by dropping
copies of itself in network shares.
Lovgate.c possesses a SMTP server with which it can send email
independently of the infected hosts own mail client. Lovgate.c
distributes infected email with the following text in the body:
I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!
Upon infection, Lovgate.c opens a backdoor listening on port 10168,
potentionally allowing remote access to the affected system. It
then attempts to send notification of the successful infection to
either of the following email addresses:
54love@fescomail.net
hacker117@163.com
Information about W32/Lovgate.c:
http://www.ocipep.gc.ca/opsprods/advisories/AV03-011_e.asp
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LOVGATE.C
http://www.symantec.com/avcenter/venc/data/w32.hllw.lovgate.c@mm.html
http://www.sophos.co.uk/virusinfo/analyses/w32lovgateb.html
http://www.messagelabs.co.uk/viruseye/
http://vil.nai.com/vil/content/v_100072.htm
Solution
--------
When possible, upgrade all anti-virus software to use the latest
definition files as soon as they become available.
Ensure that all network file shares are disabled unless necessary
and if possible ensure that active shares are password protected.
Disallow traffic for ports 137, 139 and 10168 at external
firewall/s and monitor for any unusual increase in internal traffic
to these ports that may indicate virus activity.
AusCERT advises members to disseminate and take action on this
information to prevent any undesirable activity by this virus
within their sites.
- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPls1Kih9+71yA2DNAQGXJQP+PRcfGarjmRvs7o2xrbRC7ESLxzGzilKc
0nYrE9rcY5dq5ZXBtWNJnVPbe8l/bR8iQCp58mVZhEQdB3CH2RGESs+quAYMENwW
uHkwj2tF6QNYhbpiEjZID6tq6gSFfCzq55MMpm0M/jOm0UHzwubiXdlSo4vBdZpx
oeX9+/qaKCM=
=TBi/
-----END PGP SIGNATURE-----
|