Old-school worm loves Windows applications
Published: 07 Jul 2004 17:20 BST
The latest variant of the Lovgate worm scans PCs for executable files and then renames them, a tactic used by viruses from a much older generation, according to antivirus companies.
The Lovgate worm first appeared in February 2003 and has since mutated many times. The most recent versions of the worm -- Lovgate.AE and Lovgate.AH -- were discovered on Sunday. They spread by emailing themselves to addresses found on an infected machine and then open a "back door" to give control of the infected system to an attacker. Finally, the worms scan for vulnerable PCs connected to the infected system's local network -- using the same Windows vulnerability exploited by the MSBlast worm almost a year ago.
The most important difference is the worm's destructive nature. Although the latest Lovgate worm does not delete any user data -- such as documents or spreadsheets -- it replaces executable files (with the .exe extension) on the local hard drive with further copies of itself. This process can leave an infected computer effectively useless because it is unable to run any applications.
Carole Theriault, security consultant at antivirus firm Sophos, said the latest Lovgates are "ancient-style viruses" because they are so destructive.
"Five years ago this was the main way viruses spread -- they got in a system and changed everything, leaving the victim with a useless piece of kit that needed to be restored using a back-up," said Theriault.
Finnish antivirus firm F-Secure warned that Lovgate is capable of destroying most of the executable files on an infected computer.
"The virus might do this renaming operation to hundreds of .exe files in one go. The end result is that instead of finding one or two infected files, the user will find masses of them. With Lovgate, this is normal," the company reported on its labs Web log.
Antivirus firm McAfee's Emergency Response Team increased the threat level of the new Lovgate variants to "Medium" after discovering more than 100 samples of the worm within the first 24 hours of its discovery.
As ever, users are advised not to open email attachments unless they are absolutely sure they are safe and to ensure Windows and other applications are kept up to date with the latest patches.
Did you find this article useful?
86 out of 180 people found this useful
- Share this article:
Full Talkback thread
1 comment
