- 19 May 2004 13:48
THREAT ADVISORY: McAfee AVERT Raises Risk Assessment to Medium on New W32/LOVGATE.AB WORM
McAfee AVERT Raises W32/Lovgate.ab@MM to Medium Based on Increased Prevalence
SYDNEY, May 19, 2004—Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of Network Associates, raised the risk assessment to medium on the recently discovered W32/Lovgate.ab@MM, also known as Lovgate.ab. Lovgate.ab is a prolific worm that spreads via email, sending itself to addresses found on the victim’s machine in the form of a .ZIP archive, or as an .EXE, SCR, .PIF. CMD or .BAT file. McAfee AVERT researchers, which first saw the worm yesterday, have received over 100 samples of Lovgate.ab from both real customer submissions and virus-generated mail from customers around the world.
Lovgate.ab is an Internet worm that once activated emails itself to addresses found on the victim’s machine in the form of an attachment with a .ZIP archive, or as an .EXE, SCR, .PIF. CMD or .BAT file. The ZIP file may have a .ZIP or .RAR extension, and may also be dropped to the root of local and mapped drives. The virus also has the ability to perform a companion infection of .EXE files, replacing the original file with a copy of itself and the renaming the original with a .ZMX extension. The worm also terminates processes associated with various anti-virus and security products. Users should immediately delete any email containing the following:
From: address is spoofed. It may be one of the harvested email addresses, or constructed using random characters or one of the following forenames the worm carries, followed by a domain: • sandra
Subject: Re: (original subject) The message may be constructed with various subject and message bodies.
Lovgate.ab emails itself in two ways, by constructing its own messages using its built-in SMTP engine, or replying to messages on the local system. When constructing messages using its own SMTP engine, target email addresses are harvested from files on the victim machine. The worm avoids mailing itself to addresses containing any of a list of strings it carries. The worm then attempts to drop a back-door component, copy itself to poorly secured remote shares and create a share on the victim’s machine called “MEDIA.” If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. The worm also adds a registry key that helps it activate at the system start-up.
Immediate information and the cure for this virus can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_125301.htm. Users of McAfee Security products should update their systems from that page. Protection is available with the 4361 DATs and the 4.2.40 or later scanning engine to stop potential damage. In addition, the backdoor component of Lovgate.ab is detected as BackDoor-AQJ, since the 4339 DATS.
Network Associates McAfee Protection-in-Depth Strategy delivers the industry’s only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.
McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing more than 100 researchers in offices on five continents. McAfee AVERT protects its customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.
About Network Associates
With headquarters in Santa Clara, California, Network Associates, Inc. (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the Internet at http://www.networkassociates.com/.
# # #
NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. *2004 Networks Associates Technology, Inc. All Rights Reserved.