Added Date: 2008-11-01 | Editor: Jack | About: Worm, Worm/Lovgate.W
Worm/Lovgate.W
W32.HLLW.Lovgate.I@mm [Symantec], WORM_LOVGATE.W [Trend Micro]
Type: Worm
Systems Affected: Windows98, Windows 2000, Windows 2003, Windows XP
Overview: W32.HLLW.Lovgate.I@mm is a variant of W32.HLLW.Lovgate@mm. It spreads via the Internet as an attachment to infected emails and sends itself to other computers' email addresses. It can also disguise itself as the Windows process "LSASS.EXE".
Symptoms of Worm/Lovgate.W:
1. Once launched, the worm copies itself as the following files:
[system drive]\windows\system32\WinDriver.exe
[system drive]\windows\system32\Winexe.exe
[system drive]\windows\system32\WinGate.exe
[system drive]\windows\system32\RAVMOND.exe
[system drive]\windows\system32\IEXPLORE.EXE
[system drive]\windows\system32\WinHelp.exe
2. It automatically creates the following files:
[system drive]\windows\system32\kernel66.dll
[system drive]\windows\system32\ily668.dll
[system drive]\windows\system32\task668.dll
[system drive]\windows\system32\reg667.dll
Related trojans: Mytob, IRC-Worm.Tiny.e, I-Worm.Ronoper, Darkmoon
Remove Worm/Lovgate.W:
1. Copy "Regedit.exe" to "Regedit.com":
a. Click "Start", and then click "Run".
b. Type "command", and then press Enter.
c. Type "cd\", then "cd \windows", and press Enter.
d. Type "copy regedit.exe regedit.com" and press Enter.
e. Type "start regedit.com" and press Enter.
2. Navigate to and select the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. In the right pane, delete the values:
"Program in Windows"="%system%\iexplore.exe"
"Remote Procedure Call Locator"="rundll32.exe reg678.dll ondll_reg"
"WinGate initialize"="%system%\WinGate.exe -remoteshell"
"winhelp"="%system%\winhelp.exe"
4. Navigate to and select the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
5. In the right pane, delete the value: "run".
6. Close Registry Editor.
7. You can also use antivirus software to remove the worm quickly:
Norton Internet Security 2009
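An added example, not part of the original page: a read-only check of a regedit text export against the registry values and file names listed above, useful for confirming what steps 3 and 5 will remove or for verifying a cleaned machine. It assumes the export has already been decoded to text; the function names and the sample export are constructed for illustration.

```python
import re
# Key paths, value names and file names are the ones listed on this page.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WIN_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
RUN_NAMES = {"program in windows", "remote procedure call locator",
             "wingate initialize", "winhelp"}
DROPPED = {"windriver.exe", "winexe.exe", "wingate.exe", "ravmond.exe",
           "iexplore.exe", "winhelp.exe", "kernel66.dll", "ily668.dll",
           "task668.dll", "reg667.dll", "reg678.dll"}
SYSTEM_DIRS = ("system32\\", "%system%\\")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
FILE_REF = re.compile(r'((?:[^\s"\\]+\\)*)([\w.]+\.(?:exe|dll))')

def parse_reg(text):
    """Yield (key, name, data) for string values, undoing the .reg backslash escapes."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := STRING_VALUE.match(line)):
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def drops_referenced(data):
    """Listed files that data names bare or under the system directory."""
    return sorted(f for path, f in FILE_REF.findall(data.lower())
                  if f in DROPPED and (not path or path.endswith(SYSTEM_DIRS)))

def find_entries(text):
    """Return (key, name, data, reason) for every value that needs review."""
    hits = []
    for key, name, data in parse_reg(text):
        if key == RUN_KEY and name.lower() in RUN_NAMES:
            hits.append((key, name, data, "value name listed in step 3"))
        elif key == RUN_KEY and drops_referenced(data):
            hits.append((key, name, data, "data references a listed file"))
        elif key == WIN_KEY and name.lower() == "run":
            hits.append((key, name, data, "run value from step 5"))
    return hits

# Constructed sample export, not taken from an infected machine.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinGate initialize"="%system%\\WinGate.exe -remoteshell"
"Updater"="C:\\WINDOWS\\system32\\RAVMOND.exe"
"Browser"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
'''
```

Calling `find_entries(SAMPLE)` returns the three entries to review and skips the "Browser" value, because a file named iexplore.exe outside the system directory does not match the copies listed on this page.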
