Old-school worm loves Windows applications

The latest variant of the Lovgate worm scans PCs for executable files and then renames them, a tactic used by viruses from a much older generation, according to antivirus companies.

The Lovgate worm first appeared in February 2003 and has since mutated many times. The most recent versions of the worm–Lovgate.AE and Lovgate.AH–were discovered on Sunday. They spread by e-mailing themselves to addresses found on an infected machine and then open a “back door” to give control of the infected system to an attacker. Finally, the worms scan for vulnerable PCs connected to the infected system’s local network–using the same Windows vulnerability exploited by the MSBlast worm almost a year ago.

The most important difference is the worm’s destructive nature. Although the latest Lovgate worm does not delete any user data–such as documents or spreadsheets–it replaces executable files (with the .exe extension) on the local hard drive with further copies of itself. This process can leave an infected computer effectively useless because it is unable to run any applications.

News source: Cnet News

Carole Theriault, security consultant at antivirus firm Sophos, said the latest Lovgates are “ancient-style viruses” because they are so destructive.

“Five years ago this was the main way viruses spread–they got in a system and changed everything, leaving the victim with a useless piece of kit that needed to be restored using a back-up,” Theriault said.

Finnish antivirus firm F-Secure warned that Lovgate is capable of destroying most of the executable files on an infected computer.

“The virus might do this renaming operation to hundreds of .exe files in one go. The end result is that instead of finding one or two infected files, the user will find masses of them. With Lovgate, this is normal,” the company reported on its labs Web log.

Antivirus firm McAfee’s Emergency Response Team increased the threat level of the new Lovgate variants to “medium” after discovering more than 100 samples of the worm within the first 24 hours of its discovery.

As ever, users are advised not to open e-mail attachments unless they are absolutely sure they are safe and to ensure Windows and other applications are kept up to date with the latest patches.

