Lovgate worm starts to spread

An email with a random selection of subject lines tries to get email users to 'take a look at the attachment' - and setts off a mass-mailing worm when they do

Antivirus vendors are warning internet users to look out for yet another worm -- the second to strike this month.

Called Lovgate, the worm has three variants (A, B and C), and is slightly more difficult to spot than the earlier "Catherine Zeta Jones" malware, as emails carrying it come with random subject lines and contain attachments with a range of file names.

From the copies so far intercepted, the email body text may contain the words, "I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion!"

The file attachment is written in Microsoft Visual C/C++ and is compressed using ASPack and is 78,848 bytes in size, according to antivirus specialist MessageLabs. Attachment file names may include: BILLGT.EXE, CARD.EXE, DOCS.EXE, FUN.EXE, HAMSTER.EXE, HUMOR.EXE, IMAGES.EXE, JOKE.EXE, MIDSONG.EXE, NEWS_DOC.EXE, PICS.EXE, PSPGAME.EXE, S3MSONG.EXE, SEARCHURL.EXE, SETUP.EXE, TAMAGOTXI.EXE.

According to the company's initial analysis, Lovgate is a mass-mailing worm that incorporates an SMTP engine and a backdoor component.

In a statement released this morning, MessageLabs said that although the virus contains an SMTP engine, it attempts to connect to a host on the Internet (SMTP.163.COM) to deliver its email. When activated, the virus may try to reply to any emails it finds in the recipient's inbox, attaching itself to the email.

MessageLabs added that it also appears to be able to harvest passwords from the recipient's machine, which may then be emailed to a number of email contacts.

According to Trend Micro, a notification message is sent to two addresses: 54love@fescomail.net and hacker117@163.com. This notification message is present in both WORM_LOVGATE.B and WORM_LOVGATE.C, suggesting that both variants have been created by the same virus author. The two email addresses belong to a network in Beijing, China.

The backdoor component may open TCP port 10168, allowing the machine to be controlled remotely. The worm may also have the ability to spread via various network shares.

The worm has affected around 300 users to date, most of whom were based in Asia, according to Trend Micro. MessageLabs says that it was first seen in the US, and is most active in Belgium, South Africa and the US.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.