I-Worm.Lovgate (aka Supnot)
I-Worm.Lovgate (aka Supnot ) is a worm virus spreading via the Internet as an attachment to infected emails. The worm also spreads through local area networks and has a "backdoor" routine. There are several worm variants known which are very similar to each other.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by AsPack.
The file sizes are:
"Supnot.a": about 85K, decompressed size - about 200K)
"Supnot.b": about 77K, decompressed size - about 164K)
"Supnot.c": about 79K, decompressed size - about 165K)
The worm activates from infected email only when a user clicks on the attached file. While spreading through local area networks the worm tries to run its remote copies by using WinNT functions.
When run the worm installs itself to the system, runs its spreading and backdoor routines.
Installing
While installing the worm copies itself to the Windows system directory
under several names and registers these files in the system registry auto-run
key (under WinNT) and/or in the "run" command in the WIN.INI file (under
Win9x).
Worm copies have the following names:
rpcsrv.exe, syshelp.exe, winrpc.exe, WinGate.exe, WinRpcsrv.exe
The registry keys are:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Run = rpcsrv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
syshelp = %SystemDir%\syshelp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinGate initialize = %SystemDir%\WinGate.exe
-remoteshell
Module Call initialize = RUNDLL32.EXE reg.dll
ondll_reg
HKCR\txtfile\shell\open\command
winrpc.exe %1
Spreading: email
To spread in emails 'supnot' uses two different methods:
1. The worm looks for "*.HT*"-files (HTM, HTML) in the current directory, Windows directory and the "My Documents" directory (including subdirectories as well), scans them for email-like text strings and sends infected messages to addresses found. To send infected message the worm uses a direct connection to the default SMTP server, or connects to the "smtp.163.com" server.
Following are different variations of 'supnot' message attributes:
Subject:
Text:
Attachment:
Cracks!
Check our list and mail your requests!
CrkList.exe
The patch
I think all will work fine.
Patch.exe
Last Update
This is the last cumulative update.
LUPdate.exe
Do not release
This is the pack ;)
Pack.exe
Beta
Send reply if you want to be official beta tester.
_SetupB.exe
Help
I'm going crazy... please try to find the bug!
Source.exe
Evaluation copy
Test it 30 days for free.
Setup.exe
Pr0n!
Adult content!!! Use with parental advisory.
Sex.exe
Roms
Test this ROM! IT ROCKS!.
Roms.exe
Documents
Send me your comments...
Docs.exe
The worm gets emails from Inboxes and "answers" them by using Windows
MAPI functions. Replies look like:
Subject: Re: [original email subject]
Text:
[user name] wrote:
====
> [original email text]
====
[email domain name] account auto-reply:
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion! '
> Get your FREE [email domain name] account now! <
for example:
'Pedro Gomez' wrote:
====
> Hi!
====
aaa.com account auto-reply:
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!
'
> Get your FREE aaa.com account now! <
The attached file name is randomly selected from the following variants:
pics.exe
SETUP.EXE
images.exe Card.EXE
joke.exe
billgt.exe
PsPGame.exe midsong.exe
news_doc.exe s3msong.exe
hamster.exe docs.exe
tamagotxi.exe humor.exe
searchURL.exe fun.exe
Infecting Local Networks
The worm finds network resources (shared writeable disks and directories)
and copies itself to them under randomly chosen names:
pics.exe
SETUP.EXE
images.exe
Card.EXE
joke.exe
billgt.exe
PsPGame.exe
midsong.exe
news_doc.exe
s3msong.exe
hamster.exe
docs.exe
tamagotxi.exe humor.exe
searchURL.exe fun.exe
If a network resource is password protected it also tries to request
'write' access using the following information:
Login: "guest", "Administrator"
Password: "123", "321", "123456", "654321", "administrator",
"admin",
"111111",
"666666", "888888", "abc", "abcdef", "abcdefg", "12345678", "abc123"
If the login is successful the worm creates a remote copy of itself named "stg.exe" and tries to launch it on the remote computer.
Backdoor
Supnot launches a "backdoor" routine that uses the IPC (Interprocess Communication) technique: it creates a pipe connected to a command processor that is launched on the victim computer - CMD.EXE in Windows NT/2000/XP or COMMAND.COM in Windows 9x/ME. This allows the worm's "owner" to control the victim computer remotely.
The backdoor is launched three different ways:
as a thread in the worm's process
as a part of the "LSASS.EXE" process (under WinNT)
as stand-alone DLL-files "ily.dll", "Task.dll", "reg.dll" that are
stored in the Windows system directory.
The three methods of executing the backdoor carry the identical
payload routine.
Other
While sending e-mail messages, the worm creates a temporary file
called "CH0016.TMP" in the Windows temporary directory.
The worm also sends a 'notification' e-mail to its "owner" that contains the infected computer's name, IP address, and current user name.
This email contains the following "copyright" string:
My I-WORM-and-IPC-20168 running!
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
260203/100904
