The Second Coming Of the "Lovgate" Worm

13 May 2003
Virus News


Kaspersky Lab, an international data security software developer, reports the detection of five new modifications of the "Lovgate" Internet worm, which was first detected at the end of February 2003. Multiple infections by this malicious program have already been registered in Japan.

In essence, the new modifications, which have received the indices "H", "I", "J", "K" and "L", do not differ from their predecessors. "Lovgate" spreads via e-mail and local area networks. It infects a computer only if the user launches the file carrying the worm, which is sent as an e-mail attachment or copied to a shared network resource. Additionally, "Lovgate" installs on infected machines a spyware program that allows a malefactor to clandestinely control the computer and through which confidential information can be leaked.

What distinguishes the new modifications from one another is their implementation. The worm's author reworked the original "Lovgate" source code and recompiled its executable modules. In this way the functionality has been preserved and only the external appearance of the worm has changed.

"In recent days several worms (including Fizzer and Lovgate) that infect the old-fashioned way, using an infected attachment, have burst into the ranks of the Top 20 most widely spread viruses. This fact is particularly surprising as it had seemed such primitive methods of social engineering were already well-known to users and had faded into the past", commented Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Lab. "Taking this into account, we consider it necessary, once again, to remind users of two fundamental rules of computer hygiene: regularly update anti-virus program databases and always check all incoming data, especially e-mail".
The first reports of infection from the new "Lovgate" modifications show how quickly an epidemic can sweep through other parts of the world, especially Europe and the United States. Undoubtedly, copies of the worm already sit in the mailboxes of careless users, waiting for their chance to spring forth. A spike in "Lovgate" activity should be expected early in the working day in other countries. Kaspersky Lab estimates that within 3-4 days this epidemic will be neutralized and "Lovgate" propagation will be describable as sporadic. This is because leading anti-virus software developers have already released defenses against this worm, and because the worm clearly manifests itself, leading users to take the necessary steps to remove it.

Defense against all new modifications of "Lovgate" has been added to the Kaspersky Anti-Virus databases. More detailed information about this malicious program can be accessed in the Kaspersky Virus Encyclopedia.