Wednesday, July 14, 2004

Weekly Virus Report - Lovgate.AO and 3 New Worms

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (

Madrid, July 9 2004 - A virus called Lovgate.AO and three worms -Korgo.X,
Evaman. A and Bagle.AD- will be analyzed in this week's report on viruses
and intruders.

Lovgate.AO is a virus with worm-type characteristics and which spreads via
email and shared network drives and resources, and exploiting the Buffer
Overrun in RPC DCOM Interface vulnerability. It affects computers with
Windows 2003/XP/2000/NT and infects files with EXE extensions, inserting
code at the beginning and end of the files.

Lovgate.AO installs a backdoor on the infected computer, which listens on a
port selected at random. It does this in order to allow remote access to the
computer, and it takes action that could compromise the confidentiality of
data stored on the system (it collects information which it then sends to
the person who created the code) or impede the users from working on the
computer. In addition, if Lovgate.AO finds certain processes -related to
antivirus programs and other worms- active in memory, it terminates them.

The first actual worm that we'll look at today is Korgo.X, which uses the
Windows LSASS vulnerability to spread across the Internet and insert itself
automatically in computers. It also affects all Windows platforms, although
it only automatically enters system with Windows XP and 2000 that haven't
been updated.

The 'X' variant of Korgo goes memory resident and connects to a series of
IRC servers, from which it can download files and run them on the infected

The next worm we'll be talking about today is Evaman.A. It spreads via an
email simulating an error message, to all the addresses it finds on a
certain website. On some occasions, when Evaman.A is run for the first time
it opens Notepad.

This report will finish by looking at Bagle.AD, a worm that spreads both via
e-mail and P2P file-sharing applications.

Bagle.AD opens and listens on TCP port 1234 waiting for a remote connection.
Through this connection, it could allow an attacker to compromise
confidential data or take action that would impede the normal use of the
computer. This feature of the worm will remain active until January 24 2005.
To notify its creator that the PC is remotely accessible through the open
port, the worm connects to a website with a PHP script.

Bagle.AD eliminates entries corresponding to some variants of the Netsky
worm from the Windows registry, preventing it from activating when Windows
is started up. When it is run it displays a false error message.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:

Additional information

- String: A sequence of characters (letters, numbers, punctuation marks,

- Script / Script virus: The term script refers to files or sections of code
written in programming languages like Visual Basic Script (VBScript),
JavaScript, etc.

More technical definitions at:

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the