Computer Crime Research Center

LoveGate worm's got a hold on PCs

A mass-mailing computer virus compromised a moderate number of PCs worldwide on Monday, installing a Trojan horse program that allows a remote intruder easy access to a victim's system, said antivirus experts. Known as LoveGate, the LovGate.C program has many similarities to previous viruses: It is a binary program; it has its own e-mail engine, obviating the need to use another program such as Microsoft Outlook to send messages; and it attempts to use 16 simple passwords to break into and spread to other computers on the victim's network.

"In terms of the technology that it uses, all the individual capabilities have been seen before," said Steve Trilling, senior director of research for security software company Symantec. The worm is a variant of the LovGate.A virus, also known as w32.lovegate@m, which was first seen on the Internet last week.

Symantec rated the worm a "3"--or medium threat--on its five-point scale of computer-virus risk. Trilling said that to a large extent the level of the grade is due to the large number of incident submissions from 18 of the company's corporate clients. Rival firm Network Associates also rated LoveGate a medium threat. Both firms have updated the definitions available to allow their software to detect the worm.

The LoveGate virus generally first appears as an attachment to an e-mail message. It uses typical social-engineering tricks--such as e-mail headers that promise free software, ask for help or advertise sexual content--to convince PC users to run the attached program. It then integrates itself with the victim's operating system.

As part of its attack, the worm installs and runs a Trojan horse program consisting of four files. When it runs, the program notifies the virus's author of the compromised machine's address via e-mail, and opens up port 10168. Ports are the software addresses used by applications running on one computer to communicate with other applications running on other systems across a network.

By knowing the Internet address of the victim's computer, the port number and the password used by the Trojan horse, an intruder can take control of an infected PC.

While the virus could be a security threat for infected companies and home users, it hasn't yet spread very widely.

E-mail service provider MessageLabs intercepted nearly 4,000 e-mails containing the malicious program in the first 12 hours of its spread. The e-mails came from South Africa, the United Kingdom, Italy, Germany, Belgium, China and the United States.

That falls well short of the propagation of the top-dog computer virus, Klez.H. Computers infected with the 10-month-old malicious computer program still produce more than 12,000 e-mails that are detected by MessageLabs every day.

Two other viruses, Sobig and Yaha, are currently in the No. 2 and No. 3 slots on MessageLabs' list of most prevalent intercepted code. Both have created more than 4,000 e-mail messages that have been filtered by the company.

Source: Robert Lemos @ CNET News.com

Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at +38 061 220 12 83