The worm, known as LoveGate.C, arrives as an e-mail with an
infectious .exe attachment. According to MessageLabs, the worm
replies to a genuine message, using the same subject line. In many
cases, its body text says: "I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion."
The infectious file attachment is written in Microsoft Visual
C/C++, is compressed using ASPack and is 78,848 bytes in size. The
most common attachment file names include: billgt.exe, card.exe,
docs.exe, fun.exe, hamster.exe, humor.exe, images.exe, joke.exe,
midsong.exe, news_doc.exe, pics.exe, pspgame.exe, s3msong.exe,
searchurl.exe, setup.exe and tamagotxi.exe.
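
A mail-gateway style check for the traits listed above, as an added example that is not from MessageLabs or the original article. The function names, indicator labels and sample messages are constructed for illustration; only the file names, the size and the body phrase come from the text.

```python
from email.message import EmailMessage

# Traits quoted from the article. A name match alone is weak evidence
# (setup.exe is a common legitimate name), so each hit is reported separately.
ATTACHMENT_NAMES = {
    "billgt.exe", "card.exe", "docs.exe", "fun.exe", "hamster.exe",
    "humor.exe", "images.exe", "joke.exe", "midsong.exe", "news_doc.exe",
    "pics.exe", "pspgame.exe", "s3msong.exe", "searchurl.exe", "setup.exe",
    "tamagotxi.exe",
}
ATTACHMENT_SIZE = 78848  # bytes, as reported in the article
BODY_PHRASE = "take a look to the attachment and send me your opinion"


def lovegate_c_indicators(msg):
    """Return a sorted list of the article's traits found in a parsed message."""
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename:
            name = filename.strip().lower()  # case-insensitive name match
            if name in ATTACHMENT_NAMES:
                hits.add("attachment_name")
            if name.endswith(".exe") and len(payload) == ATTACHMENT_SIZE:
                hits.add("attachment_size")
        elif part.get_content_type() == "text/plain":
            # Collapse line wraps so the phrase matches across line breaks.
            text = " ".join(payload.decode("utf-8", "replace").lower().split())
            if BODY_PHRASE in text:
                hits.add("body_phrase")
    return sorted(hits)


def build_sample(filename, size, body):
    """Constructed test message: zero-filled attachment, example.com addresses."""
    msg = EmailMessage()
    msg["Subject"] = "Re: quarterly figures"
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg.set_content(body)
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg
```

The check works the same on a message parsed from raw bytes with email.message_from_bytes.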
The worm incorporates its own SMTP engine, which it uses to
deliver its e-mail. This means that, if the infected computer is
running Microsoft Outlook or Outlook Express, the worm
automatically replies to new incoming e-mails, or to any e-mails it
finds in the user's Inbox.
The worm also appears to be able to harvest passwords from the
infected computer, which may then be e-mailed to the user's e-mail
contacts, according to MessageLabs. Also, it is thought that the
worm may spread via shared network files.
Last but not least, LoveGate.C contains a key-logging component,
which allows the infected machine to be controlled remotely,
therefore leaving a "back door" on the infected system for further
attacks, such as stealing confidential information, deleting files
or running other applications.
At present, LoveGate.C is reportedly active in 27 countries.
Hong Kong, South Africa, the UK, Germany, Italy, Belgium and China
are currently the countries worst affected. The worm appears to be
slowing down in the US.
According to MessageLabs, over 6,000 occurrences have been
detected so far in the above-mentioned countries.
More information about the worm can be found at:
www.messagelabs.com/viruseye/report.asp?id=131