SECURITY ALERT

Name:      W32/Lovgate.ad@MM
Aliases:   W32.Lovgate.Y@mm,WORM_LOVGATE.Y,I-Worm.Lovgate.ae
Variants:  
Type:      Mass Mailer
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by McAfee and Symantec.

Virus Characteristics

W32/Lovgate.ad@MM is a mass mailing worm that uses its own SMTP engine. It will also use the RPC Interface Buffer Overflow vulnerability (MS03-026) to spread on the local network. It will arrive with the following characteristics:

From: (spoofed sender address)

Subject: (one of the following)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message Body: (one of the following)
pass
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

Attachment: (one of the following names, with one of the extensions bat, cmd, exe, pif or scr)
document
readme
doc
text
file
data
test
message
body


W32/Lovgate.ad@MM will reply to all incoming messages with the following message:
Subject: Re: <original subject>

Message Body:
'<sender name>' wrote:
======
<original message body>
======
Mail auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.


> Get your FREE YAHOO.COM Mail now! <

Attachment: (One of the following)
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe


Upon execution, W32/Lovgate.ad@MM may drop two files named Systra.exe and SVCHOST.EXE.EXE to the WINDOWS folder. It may also drop the following files to the Windows SYSTEM folder:
iexplore.exe
RAVMOND.exe
WinHelp.exe
HXDEF.EXE
Kernel66.dll
UPDATE_OB.EXE
TKBELLEXE.EXE

It may drop the following files to the Windows SYSTEM32 folder:
ODBC16.dll
msjdbc11.dll
MSSIGN30.DLL
LMMIB20.DLL

When infecting a system using the RPC DCOM exploit (MS03-026), the following files are dropped to the Windows SYSTEM32 folder:
SPOLLSV.EXE - an older variant of Lovgate
NETMEETING.EXE - an older variant of Lovgate

It will create three files in the root of all drives, except CD-ROMs:
AUTORUN.INF
COMMAND.EXE
A RAR or ZIP file containing a copy of the worm.

A log file from the backdoor component will be created in the root of drive C: as Netlog.txt.

It will drop a copy of itself to all network shares under the following file names:
Thank you.doc.exe
3D Flash Animator.rar.bat
SWF Browser2.93.txt.exe
Download.exe
Panda Crack.zip.exe
WinRAR V3.2.0 Beta 2.exe
Swish2.00.pif
AAdobe Photoshop7.0 creak.pif
You_Life.JPG.pif
CloneCD crack.exe
WinZip v9.0 Beta Build 5480 crack.exe
Real-DRAW PRO v3.10.exe
Star Wars Downloader.exe
HyperSnap-DX v5.20.01.exe
Adobe Photoshop6.0.zip.exe
HyperSnap-DX v4.51.01.exe

It will add the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Program in Windows" = "%system%\iexplore.exe"
"Protected Storage" = "RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"VFW Encoder/Decoder Settings" = "RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"WinHelp" = "%system%\WinHelp.exe"
"Hardware Profile" = "%system%\hxdef.exe..."
"Program in Windows" = "%system%\IEXPLORE.exe"
"Microsoft NetMeeting Associates, Inc." = "NetMeeting.exe"
"Shell Extension" = "%system%\spollsv.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"SystemTra" = "%Windir%\SysTra.exe"
"COM++ System" = "svchost.exe..."

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"run" = "RAVMOND.exe"

This worm adds the following line to the [Windows] section of the Win.ini file:
run=ravmond.exe
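As an added example (not part of the McAfee or Symantec advisories, and not the worm's own code), the following Python script checks an exported .reg file and a win.ini file for the autostart entries listed above. The registry export and win.ini text embedded in it are constructed sample input; an incident responder would feed it the real export taken from a suspect host. Both the value name and the expected file name must match, so that the legitimate Internet Explorer binary under Program Files is not reported just because it is also called iexplore.exe.

```python
import re

# Registry keys the advisory names, written the way a .reg export prints them.
WATCHED_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
}
_WATCHED_LOWER = {k.lower() for k in WATCHED_KEYS}

# Value name (lowercased) -> file name or command fragment the advisory lists for it.
WORM_VALUES = {
    "program in windows": "iexplore.exe",
    "protected storage": "mssign30.dll ondll_reg",
    "vfw encoder/decoder settings": "mssign30.dll ondll_reg",
    "winhelp": "winhelp.exe",
    "hardware profile": "hxdef.exe",
    "microsoft netmeeting associates, inc.": "netmeeting.exe",
    "shell extension": "spollsv.exe",
    "systemtra": "systra.exe",
    "com++ system": "svchost.exe",
    "run": "ravmond.exe",
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def scan_reg_export(text):
    """Return (key, value_name, data) for every value under a watched key whose
    name and data both match one of the advisory's autostart entries."""
    hits = []
    current_key = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            current_key = key if key.lower() in _WATCHED_LOWER else None
            continue
        if current_key is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")  # .reg exports double backslashes
        expected = WORM_VALUES.get(name.lower())
        if expected and expected in data.lower():
            hits.append((current_key, name, data))
    return hits


def scan_win_ini(text):
    """Return the run= lines in the [windows] section that launch ravmond.exe."""
    hits = []
    in_windows = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            continue
        if in_windows and s.lower().startswith("run=") and "ravmond.exe" in s.lower():
            hits.append(s)
    return hits


# Constructed sample input: one clean entry (ctfmon.exe) plus four worm entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Protected Storage"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"Hardware Profile"="C:\\WINDOWS\\system32\\hxdef.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINDOWS\\SysTra.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"="RAVMOND.exe"
"""

SAMPLE_WIN_INI = """[windows]
load=
run=ravmond.exe
[fonts]
"""

if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"registry: {key}\\{name} = {data}")
    for line in scan_win_ini(SAMPLE_WIN_INI):
        print(f"win.ini: {line}")
```

Run it against `reg export` output of the three keys and the host's win.ini; any hit is grounds to take the machine off the network and check the dropped-file list above.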

This worm will create a share named "Media" which is mapped to Windows\Media folder.

The worm may create the following services:
"Windows Management Protocol v.0 (experimental)"
"_reg"
"Windows Management NetWork Service Extensions"

The worm will terminate any process containing the following strings:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising

The worm will perform the following actions on any connected drive that is removable or mapped, or that is a fixed drive with a drive letter greater than E:
- Attempts to rename all .exe files to .zmx.
- Sets their attributes to Hidden and System.
- Drops a copy of the worm under the original file name.

If the worm process is stopped, a thread injected into EXPLORER.EXE or TASKMGR.EXE will attempt to launch Iexplore.exe.

This worm opens a backdoor on TCP port 6000.

The worm will copy itself to Kazaa-shared folders.

The worm will attempt to access the ADMIN$ shares of computers on the local network using the Administrator account with the following passwords:
Guest
Administrator
zxcv
yxcv
xxx
win
test123
test
temp123
temp
sybase
super
sex
secret
pwd
pw123
Password
owner
oracle
mypc123
mypc
mypass123
mypass
love
login
Login
Internet
home
godblessyou
god
enable
database
computer
alpha
admin123
Admin
abcd
aaa
88888888
2600
2003
2002
123asd
123abc
123456789
1234567
123123
121212
11111111
110
007
00000000
000000
pass
54321
12345
password
passwd
server
sql
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
1234
111
root
abc123
12345678
abcdefg
abcdef
abc
888888
666666
111111
admin
administrator
guest
654321
123456
321
123

The worm searches the Windows Address Book, the WINDOWS\Local Settings folder, \Documents and Settings\<current user>\Local Settings, and the Temporary Internet Files folder for email addresses in files with the following extensions:
txt
pl
wab
adb
tbb
dbx
asp
php
sht
htm


Payload

Mass Mailer.
Attempts to spread using the MS03-026 vulnerability and through the ADMIN$ share.
Drops numerous files to the local system.
Creates numerous registry keys.
Copies itself across network shares.
Terminates processes.
Opens backdoor on TCP port 6000.
Creates services.


Preventative Measures

Block all attachments containing the following extensions at the message gateway where possible:
bat
cmd
exe
pif
scr
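As an added example (not from the advisory's sources), the following Python code applies the extension block rule above at a mail gateway and, for logging, records which of the worm's documented traits (subjects, attachment base names, double extensions such as .zip.exe, and the "Mail auto-reply:" body marker) a message matches. Only the extension rule blocks; the other matches are informational, since a subject of "hi" is common in legitimate mail. The messages in the block are constructed samples.

```python
from dataclasses import dataclass, field

# Gateway block list from the "Preventative Measures" section.
BLOCKED_EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr"}

# Subjects and attachment base names the advisory lists for the worm's
# outbound mail (compared lowercased).
WORM_SUBJECTS = {"test", "hi", "hello", "mail delivery system",
                 "mail transaction failed", "server report", "status", "error"}
WORM_BASENAMES = {"document", "readme", "doc", "text", "file", "data",
                  "test", "message", "body"}
# Line the worm inserts into the body of its auto-replies.
AUTOREPLY_MARKER = "mail auto-reply:"


@dataclass
class Verdict:
    block: bool                                    # True: gateway policy says quarantine
    reasons: list = field(default_factory=list)    # matched indicators, for the log


def attachment_extensions(filename):
    """Every dot-separated extension of a filename, lowercased:
    'Shakira.zip.exe' -> ['zip', 'exe']; a bare name -> []."""
    return filename.lower().split(".")[1:]


def check_message(subject, body, attachment):
    """Apply the extension block rule and note which worm traits match."""
    reasons = []
    exts = attachment_extensions(attachment) if attachment else []
    block = bool(exts) and exts[-1] in BLOCKED_EXTENSIONS
    if block:
        reasons.append(f"attachment extension .{exts[-1]} is on the block list")
        if len(exts) > 1:
            reasons.append(f"double extension disguises executable as .{exts[-2]}")
        if attachment.lower().split(".")[0] in WORM_BASENAMES:
            reasons.append("attachment base name matches the worm's list")
    if subject and subject.strip().lower() in WORM_SUBJECTS:
        reasons.append("subject matches the worm's list")
    if body and AUTOREPLY_MARKER in body.lower():
        reasons.append("body carries the worm's auto-reply marker")
    return Verdict(block, reasons)


# Constructed sample messages: (subject, body, attachment filename or None).
SAMPLE_MESSAGES = [
    ("Server Report", "Mail failed. For further assistance, please contact!", "message.pif"),
    ("Re: quarterly numbers",
     "'alice' wrote:\n======\nsee the numbers\n======\nMail auto-reply:\n\n"
     "If you can keep your head when all about you",
     "Shakira.zip.exe"),
    ("Lunch?", "see attached", "menu.pdf"),
    ("hi", "", None),
]

if __name__ == "__main__":
    for subject, body, attachment in SAMPLE_MESSAGES:
        v = check_message(subject, body, attachment)
        print(f"{'BLOCK' if v.block else 'pass '} {subject!r} {attachment!r}: {v.reasons}")
```

The extension check looks only at the final extension, which is enough for every attachment name the advisory lists; the double-extension reason exists so the log makes clear why a file that looks like a .zip or .doc was stopped.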

Block connections to TCP port 6000 where possible.

Ensure network-shared folders have strong passwords.


Fixes Available

McAfee:
Minimum DAT: 4372
Release Date: 07/02/2004
Minimum Engine: 4.2.40

Symantec:
Virus Definitions (Intelligent Updater): July 02, 2004
Virus Definitions (LiveUpdate): July 07, 2004

Trend:
Pattern File: 924
Minimum Scan Engine: 6.500
