VIRUS INFO

Virus name: W32/Lovegate
Alias:
Type: worm
Spreading method: e-mail
Size: 78 848 bytes
Destructive: no
Activation date: on running the received attachment
Discovered: 23.02.2003.
EXPLANATION

The worm arrives as an e-mail with one of the following subject / body / attachment combinations:

Subject: Documents
Body: Send me your comments...
Attachment: Docs.exe

Subject: Roms
Body: Test this ROM! IT ROCKS!.
Attachment: Roms.exe

Subject: Pr0n!
Body: Adult content!!! Use with parental advisory.
Attachment: Sex.exe

Subject: Evaluation copy
Body: Test it 30 days for free.
Attachment: Setup.exe

Subject: Help
Body: I'm going crazy... please try to find the bug!
Attachment: Source.exe

Subject: Beta
Body: Send reply if you want to be official beta tester.
Attachment: _SetupB.exe

Subject: Do not release
Body: This is the pack ;)
Attachment: Pack.exe

Subject: Last Update
Body: This is the last cumulative update.
Attachment: LUPdate.exe

Subject: The patch
Body: I think all will work fine.
Attachment: Patch.exe

Subject: Cracks!
Body: Check our list and mail your requests!
Attachment: CrkList.exe
When it arrives as a reply, it carries one of the following attachments:

billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe
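The subject/attachment pairs and reply attachment names above are specific enough to filter at a mail gateway. The following is an added example, not code from the original page or from any antivirus vendor: it parses raw RFC 822 messages with Python's standard email package and flags a message that matches one of the listed lure pairs, carries one of the reply attachment names, or (as weaker evidence) carries any other .exe attachment. The sample messages and the sender/recipient addresses are constructed for the example.

```python
"""Mail-gateway check for the W32/Lovegate lures listed above.

Added example (not code from the original page or from any AV vendor).
Parses raw RFC 822 messages with Python's standard email package and
flags the subject/attachment pairs the worm uses, the attachment names
it uses when it arrives as a reply, and any other .exe attachment.
Sample messages and addresses below are constructed for the example.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject -> attachment pairs from the list above (compared case-insensitively).
LURE_PAIRS = {
    "documents": "docs.exe",
    "roms": "roms.exe",
    "pr0n!": "sex.exe",
    "evaluation copy": "setup.exe",
    "help": "source.exe",
    "beta": "_setupb.exe",
    "do not release": "pack.exe",
    "last update": "lupdate.exe",
    "the patch": "patch.exe",
    "cracks!": "crklist.exe",
}

# Attachment names used when the worm arrives as a reply.
REPLY_ATTACHMENTS = {
    "billgt.exe", "card.exe", "docs.exe", "fun.exe", "hamster.exe",
    "humor.exe", "images.exe", "joke.exe", "midsong.exe", "news_doc.exe",
    "pics.exe", "pspgame.exe", "s3msong.exe", "searchurl.exe", "setup.exe",
    "tamagotxi.exe",
}


def attachment_names(msg):
    """Lower-cased file names of every MIME part that carries a filename."""
    return [part.get_filename().lower()
            for part in msg.walk() if part.get_filename()]


def classify_message(raw):
    """Classify one raw message (bytes) as lovegate / suspicious / clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    names = attachment_names(msg)
    reasons = []
    expected = LURE_PAIRS.get(subject)
    if expected and expected in names:
        reasons.append(f"lure pair: subject {subject!r} with {expected}")
    for name in names:
        if name in REPLY_ATTACHMENTS:
            reasons.append(f"reply-style attachment {name}")
    if reasons:
        verdict = "lovegate"
    elif any(name.endswith(".exe") for name in names):
        # An executable attachment without a known lure is weaker evidence.
        reasons.append("executable attachment: "
                       + ", ".join(n for n in names if n.endswith(".exe")))
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject": subject,
            "attachments": names, "reasons": reasons}


def build_sample(subject, body, filename=None):
    """Construct a test message (not a real capture) with an optional attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"      # placeholder address
    msg["To"] = "recipient@example.org"     # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        # Dummy payload: a few header bytes, not an actual executable.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12,
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


SAMPLES = {   # constructed messages
    "lure": build_sample("Documents", "Send me your comments...", "Docs.exe"),
    "reply": build_sample("Re: meeting notes", "See attached.", "hamster.exe"),
    "exe_only": build_sample("Evaluation copy", "Test it 30 days for free.",
                             "installer.exe"),
    "clean": build_sample("Help", "Please try to find the bug!"),
}


def scan_samples():
    """Verdict per sample; used by the demo below."""
    return {name: classify_message(raw)["verdict"]
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = classify_message(raw)
        print(f"{name:9s} {result['verdict']:10s} {'; '.join(result['reasons'])}")
```

The subject alone is not a useful signal (a message titled "Help" is common); the pairing of subject and attachment name is what identifies the lure, which is why `classify_message` only reports a lure match when both agree.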
The worm creates the following files:

C:\WINDOWS\SYSTEM\PCSRV.EXE
C:\WINDOWS\SYSTEM\SYSHELP.EXE
C:\WINDOWS\SYSTEM\WINGATE.EXE
C:\WINDOWS\SYSTEM\WINRPC.EXE
C:\WINDOWS\SYSTEM\WINRPCSRV.EXE
It then creates the following values in the Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module Call initialize = "RUNDLL32.EXE reg.dll ondll_reg"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp = "C:\WINDOWS\SYSTEM\SYSHELP.EXE"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize = "C:\WINDOWS\SYSTEM\WINGATE.EXE -remoteshell"
HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"

The three Run values start the dropped components at every logon. The last value replaces the handler for .txt files, so winrpc.exe is launched (with the opened file's path as its argument) every time the user opens a text file, which keeps the worm alive even if the Run values are removed.
This worm is also a trojan: it opens TCP port 10168 on the infected computer, through which a remote attacker can access the computer while it is connected to the Internet. Once the port is open, the worm sends an e-mail to hacker117@163.com and hello_dll@163.com announcing that the computer can be accessed.
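The dropped files, Run values, txtfile handler and backdoor port above are the indicators a responder would check on a host. The following is an added example, not the vendor's cleaner and not code from the original page: `check_snapshot` matches a dictionary describing a host (files present, Run values, the txtfile open command, listening TCP ports) against those indicators so it can be exercised anywhere, and `collect_windows_snapshot` fills that dictionary on a live Windows host using the standard winreg module and a loopback connect to port 10168. `SAMPLE_INFECTED` and `SAMPLE_CLEAN` are constructed for the example; the benign Run entry and the clean txtfile value in them are assumptions, not taken from the page.

```python
"""Host-side check for the W32/Lovegate indicators listed above.

Added example, not the vendor's cleaner and not code from the original page.
check_snapshot() matches a dictionary describing a host against the dropped
files, Run values, txtfile handler and backdoor port from the description;
collect_windows_snapshot() builds that dictionary on a Windows host.
SAMPLE_INFECTED and SAMPLE_CLEAN are constructed for the example.
"""
import ntpath
import os
import socket
import sys

SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"        # directory named in the description
DROPPED_NAMES = ["PCSRV.EXE", "SYSHELP.EXE", "WINGATE.EXE",
                 "WINRPC.EXE", "WINRPCSRV.EXE"]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"Software\CLASSES\txtfile\shell\open\command"
# Substrings of the Run value data the worm writes; matched case-insensitively.
RUN_MARKERS = ("reg.dll ondll_reg", "syshelp.exe", "wingate.exe -remoteshell")
BACKDOOR_PORT = 10168


def check_snapshot(snap):
    """Return a list of human-readable findings; an empty list means no match."""
    findings = []
    present = {p.lower() for p in snap.get("files", [])}
    for name in DROPPED_NAMES:
        path = ntpath.join(SYSTEM_DIR, name)   # Windows-style join on any OS
        if path.lower() in present:
            findings.append(f"dropped file present: {path}")
    for value, data in snap.get("run_values", {}).items():
        if any(marker in data.lower() for marker in RUN_MARKERS):
            findings.append(f"Run value {value!r} = {data!r}")
    txt = snap.get("txtfile_command") or ""
    if "winrpc.exe" in txt.lower():
        findings.append(f"txtfile handler hijacked: {txt!r}")
    if BACKDOOR_PORT in snap.get("listening_ports", set()):
        findings.append(f"TCP port {BACKDOOR_PORT} is listening (backdoor)")
    return findings


def collect_windows_snapshot():
    """Build the snapshot on a live Windows host (standard library only)."""
    import winreg  # Windows-only module
    snap = {"files": [], "run_values": {}, "txtfile_command": "",
            "listening_ports": set()}
    for name in DROPPED_NAMES:
        path = ntpath.join(SYSTEM_DIR, name)
        if os.path.exists(path):
            snap["files"].append(path)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                value, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values under the key
                break
            snap["run_values"][value] = str(data)
            index += 1
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TXTFILE_KEY) as key:
            snap["txtfile_command"] = str(winreg.QueryValueEx(key, "")[0])
    except OSError:
        pass
    # A successful loopback connect means some process listens on the port.
    with socket.socket() as sock:
        sock.settimeout(0.5)
        if sock.connect_ex(("127.0.0.1", BACKDOOR_PORT)) == 0:
            snap["listening_ports"].add(BACKDOOR_PORT)
    return snap


SAMPLE_INFECTED = {   # constructed to mirror the indicators above
    "files": [r"C:\WINDOWS\SYSTEM\SYSHELP.EXE", r"C:\WINDOWS\SYSTEM\WINRPC.EXE"],
    "run_values": {
        "Module Call initialize": "RUNDLL32.EXE reg.dll ondll_reg",
        "syshelp": r"C:\WINDOWS\SYSTEM\SYSHELP.EXE",
        "SystemTray": "SysTray.Exe",     # assumed benign entry, for contrast
    },
    "txtfile_command": "winrpc.exe %1",
    "listening_ports": {139, 10168},
}
SAMPLE_CLEAN = {      # constructed; the notepad handler value is an assumption
    "files": [],
    "run_values": {"SystemTray": "SysTray.Exe"},
    "txtfile_command": r"C:\WINDOWS\NOTEPAD.EXE %1",
    "listening_ports": {139},
}

if __name__ == "__main__":
    snap = collect_windows_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    for line in check_snapshot(snap) or ["no Lovegate indicators found"]:
        print(line)
```

The Run values are matched on the distinctive parts of their data (`reg.dll ondll_reg`, `syshelp.exe`, `wingate.exe -remoteshell`) rather than on the value names, since the names are trivially changed while the command lines are what the dropped components need in order to run.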
SOLUTION

Download the cleaner.

After cleaning, verify that the txtfile open command no longer refers to winrpc.exe and points back at Notepad (for example "C:\WINDOWS\NOTEPAD.EXE %1"); if the file is deleted but the association is left in place, opening any .txt file will fail.