|W32.Lovgate.R@mm is a variant of W32.Lovgate@mm.
It is a mass-mailing worm that attempts to email itself to all the email addresses that it finds on the computer.
The "sender" of the email is spoofed, and the subject line and message body of the email vary.
Also known as W32/Lovgate.x@MM, I-Worm.LovGate.w
Copies itself as these files:
Adds the values:
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value: "SystemTra"="%Windir%\Systra.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Adds the values:
to the registry key:
May create the subkey:
Stops the following services: Rising Realtime Monitor Service, Symantec Antivirus Server, Symantec Client.
Scans all the computers on the local network, and uses the following passwords to attempt to log in as "Administrator."
Starts an FTP server on a random port, no authentication required, which means that the infected computer is accessible to anyone.
Creates the file, Autorun.inf, in the root folder of all the drives, except the CD-ROM drives, and copies itself as Command.com into that folder.
Scans all the drives, if the drive type is removable or mapped or the drive type is fixed with a drive letter greater than E.
The worm will do the following on all the found drives:
Attempts to rename the extension on all .exe files to .zmx.
Sets the attributes to Hidden and System on these files.
Copies itself as the original file name.
For example, if the worm finds OriginalFile.exe, it will be renamed to OriginalFile.zmx. The worm will then copy itself as OriginalFile.exe.
Attempts to spread to other computers by exploiting the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
Scans the system WAB file, temporary Internet files, and all the fixed and ram disks, and it sends itself to all the email addresses it found.
Uses its own SMTP engine to send itself to the email addresses that it finds in step 25 and 26.
Use antivirus (also check How To Remove section)Startup Optimizer to remove it from startup.