Weekly Virus Report – Lovgate and Gibe Worms, CrazyBull Trojan and Ekiam Macro Virus

This week’s virus report will focus on variants ‘C’ and ‘E’ of Lovgate, the Gibe.B worm, the CrazyBull Trojan and a macro virus called Ekiam.

Lovgate.C and Lovgate.E are worms/Trojans that have the following common characteristics, among others:

– They spread across local networks and via e-mail.

– They reply to the messages they find in the Inbox of the e-mail client.

– They send out a large number of e-mails with infected attachments to the addresses they find in the Inbox and in certain directories.

– They are also programmed to act as Trojans. To do this they open a TCP port, leaving the affected computer vulnerable to remote attacks and they send an e-mail message to the virus author, containing confidential information, such as the IP address, the machine name and the user name.

– They create a large number of copies of themselves in the shared network drives they access.

– Both variants are written in the Visual C++ programming language.

The main differences between the ‘C’ and ‘E’ variants of Lovgate are:

– The TCP port they use when they act as Trojans. Lovgate.C usually opens port 10168, while Lovgate.E uses 1192 in NT computers and 10168 in the rest.

– Lovgate.E also captures the keystrokes entered by the user of the affected computer.

– The file that carries out the infection in Lovgate.C is 78,848 bytes in size and compressed with Aspack, whereas the Lovgate.E file is 99,296 bytes and compressed with a modified UPX compressor.

The third worm in today’s report is Gibe.B, whose effects are more annoying than damaging. This virus spreads rapidly via e-mail, the file-sharing program KaZaA, IRC chat and shared network drives. The messages sent by this worm mimic a Microsoft security update.

Gibe.B exploits two vulnerabilities in Internet Explorer (Exploit IFRAME and Incorrect MIME header). For this reason, if this malicious code reaches computers via e-mail, the computer will become infected when the message carrying the worm is viewed through Outlook’s Preview Pane.

CrazyBull is a backdoor Trojan that allows hackers to gain remote access to the resources on the computers it infects (printer, programs, documents, etc.). This malicious code can only attack computers that are TCP/IP network clients.

We are going to finish this week’s report with Ekiam, a macro virus that infects Word documents and the global template used by this application and disables the macro antivirus protection incorporated in Word. After carrying out its infection, Ekiam changes the name of the registered user of the operating system (if the Spanish version is installed).