

Stinkysteve
07-09-2004, 07:01 PM
Story here:
http://www.internetweek.com/allStories/showArticle.jhtml?articleID=22104396

New Lovegate Worms Ruin Applications

By TechWeb News


Several new variations of the Lovegate worm broke loose on the Internet this week, bringing a once-dormant threat back to center stage.

In the past seven days, four new variants of Lovegate have appeared with a confusing array of names, ranging from Lovegate.y to Lovegate.ao, depending on which anti-virus vendor you're referencing.

Lovegate, which harks back to early 2003, is a mass mailing worm that spreads by hijacking addresses from infected machines and re-mailing itself. The newest variations, however, also use other tactics to propagate, including spreading through network shares and using the year-old vulnerability in Windows exploited to great effect by MSBlast.

These newer versions, however, can wreak havoc on compromised machines' hard drives, for they replace application files (those with the .exe extension) with copies of themselves, rendering it impossible to launch programs.

Once Lovegate infects a system -- by getting the user to open the attached .exe, .pif, .scr, .com, .rar or .zip file -- it opens a backdoor to give the attacker control, then scans for systems on the network unpatched against the RPC DCOM vulnerability.

As part of its installation process, Lovegate strews itself throughout the hard drive, renaming applications with a .zmx extension and supplanting the now-useless application with a renamed copy of the worm. Running Microsoft Word on an infected machine, for instance, might only run the worm yet again.

"The virus might do this renaming operation to hundreds of .exe files in one go," said Finnish security firm F-Secure on its research team's blog. "End result: instead of finding one or two infected files, the user will find masses of them."

Such renaming tactics, dubbed "companion virus," were popular in the early 1990s, but have since largely fallen out of favor among hackers.

Lovegate also uses a tricky e-mail replication method; it tries to reply to all unread messages in Outlook and Outlook Express, then deletes them before the user can read them. These replies, which would include another copy of the worm, might include a Kipling poem that begins, "If you can keep your head when all about you are losing theirs and blaming it on you."

Some of the variants have been rated as bigger threats than others. McAfee, for instance, has tagged Lovegate.ad as a "Medium" threat, but has rated Lovegate.af as only "Low."
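
A defender-side check for the renaming pattern the article describes, as an added example that is not part of the original post or article: it walks a directory tree, finds every .exe that sits beside a same-named .zmx file, and groups those .exe files by SHA-256 so that many identical copies stand out. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path):
    """Hash a file in chunks so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_companion_pairs(root):
    """Return {sha256: [exe paths]} for .exe files that have a same-named .zmx beside them."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare lower-cased names.
        lower = {name.lower(): name for name in files}
        for low, name in lower.items():
            stem, ext = os.path.splitext(low)
            if ext == ".exe" and stem + ".zmx" in lower:
                exe = os.path.join(dirpath, name)
                by_hash[sha256_of(exe)].append(exe)
    return dict(by_hash)

def suspicious_clusters(root, min_copies=2):
    """Keep only hashes shared by several paired .exe files (identical content, many names)."""
    pairs = find_companion_pairs(root)
    return {h: sorted(p) for h, p in pairs.items() if len(p) >= min_copies}

def build_constructed_sample(root):
    """Constructed sample tree: two displaced apps, one untouched app, one stray .zmx."""
    same = b"CONSTRUCTED-IDENTICAL-BYTES"  # stands in for the duplicated file content
    layout = {
        "office/winword.exe": same, "office/winword.zmx": b"original word",
        "tools/Calc.EXE": same, "tools/calc.zmx": b"original calc",
        "tools/notepad.exe": b"untouched notepad",
        "misc/orphan.zmx": b"no matching exe",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(suspicious_clusters(tmp))
```

Each path in a reported cluster has its displaced original in the .zmx file of the same name, which is what a cleanup would need to restore after the machine has been disinfected.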