Lovgate Worm Is on the Loose

Variant to mass-mailing worm poses as an authentic-looking business e-mail.

A new variant on the Lovgate worm began spreading early Monday, posing as an authentic-looking business e-mail, according to security researchers.

Lovgate.C spreads from an infected machine using the MAPI Windows functions by answering recent mail with an infected reply. The worm comes packaged in mail with the subject: "Ill try to reply as soon as possible. Take a look to the attachment and send me your opinion!"

The worm affects Microsoft Corp. Outlook and Outlook Xpress users on Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP and Windows Me operating systems.

"Lovgate is one of the largest cases weve seen this year, and is still gaining ground, although it is no Nimda or Slapper," said Mikko Hypponen, manager of anti-virus research for F-Secure in Helsinki, Finland . "The worms dual mechanism for spreading seems to be efficient in the real world; in those systems where it cannot spread vie e-mail, it will spread via network shares, and vice versa. Reports have been received from Asia, the U.S., South Africa, and Europe. The numbers arent huge, but it is everywhere."

In addition to its mass-mailing functionality, Lovgate spreads through Windows shares and can steal users passwords, according to security researchers at F-Secure, which posted an advisory on the worm and rated it Level 2, or a medium-grade threat. The worm is spreading widely, but is easily contained and removed. Lovgate also has backdoor capabilities allowing the attacker to manipulate infected machines, F-Secure officials said. The worm apparently sends private user information back to a China-based Web portal.

In a stark reminder to administrators to police their password policies, Lovgate.C copies itself to shares and shares subfolders, and, if they are password protected, the worm tries usernames and passwords such as "guest," "administrator," and a series of simple number and letter combinations such as "abcdef" and "abc123."

If it gains access, it will copy itself to a file named "stg.exe" in the "System32" Windows folder and will attempt to run it, F-Secure officials said. The worm also has key-logging capabilities.

"Lovgate is an opportunistic worm: it exploits what works," said Sam Curry, product manager for Computer Associates International Inc.s eTrust security unit, in Islandia, N.Y. "It uses several social engineering "tricks" to manipulate as many users as possible into opening it. It also abuses one of the most common weak security policies in the world—weak passwords.

"People generally choose easy-to-remember, easy-to-type or simple-to-guess passwords," Curry said. "Worse, a lot of companies never do the very basic, minimum modifications that they should always do. They never change default passwords. Lovgate is opportunistic and it takes advantage of the all-too-common weak passwords that are so common in the wild, at homes and in corporations.

"When Lovgate infects a system, it accesses all shares that it can. It reaches out from an infected system and tries the most basic and common passwords," Curry added "These should never work, but they do because people continue to make poor password choices and still dont change basic, default passwords. Lovgate isnt innovative or creative; it is merely opportunistic, taking advantage of some basic human mistakes that are well documented and understood."