|The W32.HLLW.Lovgate.O@mm worm is a variant of W32.HLLW.Lovgate@mm.
This variant is also a mass-mailing worm that attempts to reply to all the email messages in the Microsoft Outlook Inbox.
The "sender" of the email is spoofed and its subject line and message vary.
The attachment name varies with a .exe, .pif, or .scr file extension.
This worm also attempts to copy itself to all the computers on a local network using the weak passwords to attempt to log in as an Administrator
and to the Kazaa-shared folders.
Copies itself as the following: %Windir%\Systra.exe; %System%\iexplore.exe; %System%\Media32.exe; %System%\RAVMOND.exe; %System%\WinHelp.exe; %System%\Kernel66.dll
Creates a file named AUTORUN.INF in the root folder of all the drives, except the CD-ROM drives, and copies itself as COMMAND.EXE into that folder.
Creates a zip file . in the root folder of all the drives, unless the drive letter is A or B. For example: setup.rar or pass.zip.
Creates the following files: %System%\ODBC16.dll, %System%\msjdbc11.dll, %System%\MSSIGN30.DLL
These files are all the same?they are backdoor components of the worm.
Modifies the (Default) value of the registry key: HKEY_CLASSES_ROOT\exefile\shell\open\command
to: %System%\Media32.exe "%1" %* so that the worm runs when you execute any .exe files.
Terminates all the processes that contains any of the following strings:
KV, KAV, Duba, NAV, kill, RavMon.exe, Rfw.exe, Gate, McAfee, Symantec, SkyNet, rising
In the key:
please delete the values:
"Program in Windows"="%system%\iexplore.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
Navigate to the key:
and delete the value:
In the key:
delete the value:
And delete the subkey, if exists: