Worm variant is spreading from Asia

A new variant of the Lovgate worm, first discovered Feb. 19, has been identified in the wild and is reported to be spreading in the Eastern Hemisphere.

Lovgate.C is a mass mailing worm that spreads through Microsoft Windows network shares and installs a backdoor Trojan horse. It sends information gathered from infected computers to what seems to be a Chinese Web portal.

Several computer security companies have issued alerts about the worm. IDefense Inc. of Chantilly, Va., gave it a high-severity rating. The Finnish company F-Secure Corp. gave it a Level 2 alert on a three-level scale, calling it a localized but fast-spreading infection. By Monday morning, it was reported in Australia, France, Japan and Taiwan.

'At least two variants of the Lovgate worm are spreading in the wild,' said Ken Dunham, senior intelligence analyst for iDefense. 'Lovgate.C has had the most success in the wild. It has been modified to avoid detection by major antivirus software.'

At least 10 subject lines, e-mail bodies and attachment filenames have been found for the new worm, but the attachment always is an executable file with a .EXE extension. The worm has its own Simple Mail Transfer Protocol engine and connects to the host smtp.163.com to deliver information including stolen passwords from the compromised computers, according to F-Secure.

Recommended actions to protect against the worm until antivirus signatures are available include blocking all .EXE e-mail attachments. 'Hardening all network shares against the brute force attack used by the worm and using a firewall will also aid in preventing or mitigating' infections, Dunham said. 'Administrators may want to block outgoing traffic on TCP Port 25 to the server smtp.163.com, a China-based SMTP server used by the worm to send out malicious e-mails.'
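The attachment-blocking step recommended above, sketched as an added example that is not part of the original article: a Python check a mail filter could run on each message to find .EXE attachments regardless of case, double extensions or trailing dots. The function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# The article's interim advice is to block .EXE; extend per local policy.
BLOCKED_EXTENSIONS = {".exe"}


def normalize(name):
    # Windows ignores trailing dots and spaces, so "a.exe. " still opens
    # as a.exe; strip them before comparing, and compare case-insensitively.
    return name.strip().rstrip(". ").lower()


def blocked_attachments(raw_bytes):
    """Return the attachment filenames in a raw message that should be blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition filename, falls back
        # to the Content-Type name parameter, and decodes RFC 2231 values.
        name = part.get_filename()
        if not name:
            continue
        if any(normalize(name).endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def build_sample(filename):
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "recipient@example.com"     # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed test body")
    msg.add_attachment(b"constructed payload bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname in ("Report.EXE", "photo.jpg.exe", "notes.txt"):
        print(fname, "->", blocked_attachments(build_sample(fname)))
```

A filter that matches only the lowercase string ".exe" would miss the uppercase form the article describes, which is why the comparison is done on the normalized name.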

About the Author

William Jackson is a Maryland-based freelance writer.
