Date Discovered: 3/22/2004
Date Added: 3/24/2004
Length: 114,176 bytes
This detection is for a new variant of W32/Lovgate. It bears the following characteristics:
- Mails itself, constructing messages using its own SMTP engine. The email attachment may be a ZIP archive. Mails are sent in reply to email messages found on the victim machine.
- Drops a backdoor component (detected as BackDoor-AQJ with 4339 DATS and above).
- Attempts to copy itself to poorly secured remote shares, scanning contiguous IP ranges and seeking accessible IPC$ or ADMIN$ shares.
- Such copies of the worm may be enticingly named, or placed within ZIP or RAR archives. The worm carries a list of typical username/password combinations which it uses in attempting to get write access to remote shares.
- If it is able to access a remote share, it copies itself there as NETMANAGER.EXE and remotely executes itself as a service on the remote machine.
- Creates a share on the victim machine (share name "MEDIA").
- Renames the extensions of EXE files to ZMX.
- Terminates certain processes.
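The file and share indicators listed above (NETMANAGER.EXE, the "MEDIA" share, EXE files renamed to ZMX) can be checked on a suspect host. The Python below is an added example, not part of the original description: the function names and sample files are constructed, and recognising a renamed executable by its standard "MZ" header is an assumption about how to tell such files from unrelated .zmx files.

```python
import os
import tempfile

WORM_COPY_NAME = "netmanager.exe"   # file name given in the description
RENAMED_EXT = ".zmx"                # extension given in the description
WORM_SHARE = "media"                # share name given in the description

def has_mz_header(path):
    """True if the file starts with the DOS/PE 'MZ' magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False                # unreadable or missing: not counted

def triage(root, share_names=()):
    """Return sorted (indicator, detail) tuples for files under root and for share_names."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == WORM_COPY_NAME:
                # Name match only; confirm with an up-to-date scanner.
                findings.append(("worm-copy-name", path))
            elif lower.endswith(RENAMED_EXT) and has_mz_header(path):
                # Executable content under the ZMX extension: candidate for renaming back.
                findings.append(("renamed-executable", path))
    findings += [("worm-share", s) for s in share_names if s.lower() == WORM_SHARE]
    return sorted(findings)

def demo():
    """Run the triage over a constructed directory tree and share list."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "calc.ZMX": b"MZ\x90\x00constructed",   # renamed executable
            "notes.zmx": b"plain text, no header",  # same extension, not a PE
            "NetManager.exe": b"MZconstructed",     # name used for remote copies
            "report.exe": b"MZconstructed",         # ordinary executable, ignored
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = triage(root, share_names=["C$", "MEDIA", "print$"])
        return [(kind, os.path.basename(detail)) for kind, detail in found]

if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

On a real host, pass the output of the system's share listing as `share_names` and point `root` at the drive or directory to inspect.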