Lovgate.F
Threat Level: Low
Distribution: Low
Damage: High
The Threat Level varies according to the Distribution and Damage levels.

  Effects


Lovgate.F has the following effects:

  • It creates a large number of copies of itself in the shared network directories and subdirectories. These files can be run by users of other computers connected to the same network as the infected computer. By doing this, these computers will also be infected.
  • If the affected computer is connected to a network, it tries to gain access to the rest of the computers in the same network in order to copy a file containing the virus code to these computers.


  Means of infection
 

Lovgate.F creates the following files:

  • A large number of copies of itself in the shared network directories and subdirectories. These files have random names. Some of these are:
    ARE YOU LOOKING FOR LOVE.DOC.EXE, AUTOEXEC.BAT, THE WORLD OF LOVERS.TXT.EXE, HOW TO HACK WEBSITES.EXE, PANDA TITANIUM CRACK.ZIP.EXE, MAFIA TRAINER!!!.EXE, 100 FREE ESSAYS SCHOOL.PIF, AN-YOU-SUCK-IT.TXT.PIF, SEX_FOR_YOU_LIFE.JPG.PIF, CLONECD + CRACK.EXE, AGE OF EMPIRES 2 CRACK.EXE, MOVIEZCHANNELSINSTALER.EXE, STAR WARS II MOVIE FULLDOWNLOADER.EXE, WINRAR + CRACK.EXE, SIMS FULLDOWNLOADER.ZIP.EXE or MSN PASSWORD HACKER AND STEALER.EXE.
  • WINDRIVER.EXE, RAVMOND.EXE, IEXPLORE.EXE, WINGATE.EXE, WINHELP.EXE and WINRPC.EXE in the Windows system directory, which are also copies of the worm.

  • KERNEL66.DLL, 111.DLL, ILY668.DLL, REG678.DLL and TASK688.DLL. On computers running Windows XP/2000/NT, it creates these files in the Windows system directory in order to carry out its backdoor Trojan functions.

Lovgate.F creates the following keys in the Windows Registry in order to ensure that it is run when Windows is started:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run=
    Remote Procedure Call Locator RUNDLL32.EXE reg678.dll ondll_reg
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
    RAVMOND.exe

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run=
    Winhelp %systemdir%\Winhelp.exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run=
    Wingate initialize %systemdir%\Wingate.exe -remoteshell
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run=
    Program In Windows %systemdir%\IEXPLORE.EXE
    (where %systemdir% is the Windows system directory).

The worm also changes the following entry in the Windows Registry:

  • HKLM\Software\Classes\txtfile\shell\open\command
    C:\WINDOWS\NOTEPAD.EXE %1

    It changes the value C:\WINDOWS\NOTEPAD.EXE %1 to winrpc.exe %1.
    By modifying this key, it ensures that it is run every time a file with a TXT extension is opened.

It also creates the following services in NT machines:

  • Name: ll_reg
    Parameters: Rundll32.exe Task.dll ondll_server
  • Name: NetMeeting Remote Desktop (RPC) Sharing
    Parameters: %sysdir%\WinRpcsrv.exe -start_server
  • Name: Windows Management Instrumentation Driver Extension
    Parameters: Rundll32.exe Task.dll ondll_server
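As an added example that is not part of this Panda page, the following Python check looks for the autorun values, the txtfile association change and the service entries described above in a registry export and a service list. The .reg text and the service list it scans are constructed samples, and the key paths assume the HKLM\Software\Classes location given above.

```python
# Indicators come from this page's Lovgate.F description; REG_TEXT and SERVICES are constructed samples.
RUN_KEY_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                    r"\software\microsoft\windows nt\currentversion\windows")
RUN_VALUE_NAMES = {"remote procedure call locator", "winhelp",
                   "wingate initialize", "program in windows"}
SERVICE_NAMES = {"ll_reg", "netmeeting remote desktop (rpc) sharing",
                 "windows management instrumentation driver extension"}
PAYLOAD_TOKENS = ("ondll_reg", "ondll_server", "-remoteshell", "-start_server", "winrpc.exe", "ravmond.exe")

def parse_reg_export(text):
    """Parse minimal 'reg export' (.reg) text into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")   # '@' names the key's default value
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_lovgate_persistence(reg_text):
    """Return (key, value_name, data) triples matching the worm's autorun entries or its txtfile hijack."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        for name, data in values.items():
            d = data.lower()
            if k.endswith(RUN_KEY_SUFFIXES) and (
                    name.lower() in RUN_VALUE_NAMES or any(t in d for t in PAYLOAD_TOKENS)):
                hits.append((key, name, data))
            elif k.endswith(r"\classes\txtfile\shell\open\command") and "notepad.exe" not in d:
                hits.append((key, name, data))   # normal value launches NOTEPAD.EXE %1
    return hits

def find_lovgate_services(services):
    """services: iterable of (display_name, command_line); return the suspicious ones."""
    return [(n, c) for n, c in services
            if n.lower() in SERVICE_NAMES or any(t in c.lower() for t in PAYLOAD_TOKENS)]

REG_TEXT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example Updater"="C:\\Program Files\\Example\\updater.exe"
"Wingate initialize"="C:\\WINDOWS\\system32\\Wingate.exe -remoteshell"
"Remote Procedure Call Locator"="RUNDLL32.EXE reg678.dll ondll_reg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="winrpc.exe %1"
'''
SERVICES = [("Example Agent", r"C:\Example\agent.exe"),   # constructed sample, not from the page
            ("ll_reg", "Rundll32.exe Task.dll ondll_server")]
```

The benign "Example Updater" and "Example Agent" entries are there to show that ordinary autorun values and services are not reported.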


  Means of transmission
 

Lovgate.F spreads through e-mail and shared network drives.

Propagation through shared network drives

Lovgate.F follows the infection routine below:

  • It creates copies of itself in shared network directories and subdirectories on the network. Even if these directories are password-protected, Lovgate.F tries to access them by trying the following commonly used user names and passwords:
    Users: guest and Administrator. Passwords: Zxcv, yxcv, xxx, xp, win, test123, test, temp123, temp, sybase, super, sex, secret, pwd, pw123, pw, pc, Password, owner, oracle, mypc123, mypc, mypass123, mypass, love, login, Login, Internet, home, godblessyou, god, enable, database, computer, alpha, admin123, Admin, abcd, aaa, a, 88888888, 2600, 2003, 2002, 123asd, 123abc, 123456789, 1234567, 123123, 121212, 12, 11111111, 110, 007, 00000000, 000000, 0, pass, 54321, 12345, password, passwd, server, sql, !@#$%^&*, !@#$%^&, !@#$%^, !@#$%, asdfgh, asdf, !@#$, 1234, 111, 1, root, abc123, 12345678, abcdefg, abcdef, abc, 888888, 666666, 111111, admin, administrator, guest, 654321, 123456, 321 and 123.
  • If the logon is accepted, the virus tries to access the Windows system directory, where it creates a file called STG.EXE, which is a copy of the virus.
  • Then, Lovgate.F activates and passes itself off as the Microsoft NetWork Service FireWall program and infects the other network computer.

Propagation via e-mail

Lovgate.F sends out a large number of e-mail messages containing infected attachments. It sends these out through MAPI, using its own mail server, SMTP.163.COM, instead of the infected user's server.

In order to avoid raising suspicion, it sends out the e-mail messages little by little. While it sends out the messages it creates a file called CH0015.TMP in the temporary directory.

Lovgate.F sends the following messages:

It obtains the messages in the Inbox and notes the address and domain of each message. Then, little by little, it replies to each one with the following message:

  • Subject:
    'Domain name' Mail auto-reply:
  • Message:
    <Infected user's name>
    <Body of sent mail>
    <Domain name> auto-reply:
    If you can keep your head when all about you
    Are losing theirs and blaming it on you;
    If you can trust yourself when all men doubt you ,
    But make allowance for their doubting too;
    If you can wait and not be tired by waiting,
    Or, being lied about,don't deal in lies,
    Or, being hated, don't give way to hating,
    And yet don't look too good, nor talk too wise;
    ... ... more  look to the attachment
    Get your FREE 'Domain name' now! <

The default domain name is sometimes YAHOO.COM.

  • Attachments: One of the following:

    THE HARDCORE GAME-.PIF, SEX IN OFFICE.RM.SCR, DEUTSCH BLOODPATCH!.EXE, S3MSONG.MP3.PIF, ME_NUDE.AVI.PIF, HOW TO CRACK ALL GAMEZ.EXE, MACROMEDIA FLASH.SCR, SETUP.EXE, SHAKIRA.ZIP.EXE, DREAMWEAVERMX (CRACK).EXE, STARWARS2 - CLONEATTACK.RM.SCR, INDUSTRY GIANT II.EXE, DSL MODEM NCAPPER.RAR.EXE, JOKE.PIF, BRITNEY SPEARS NUDE.EXE.TXT.EXE or I AM FOR U.DOC.EXE.

  • Lovgate.F looks for files with an extension that starts with HT in the directory in which the worm has been run, the Windows directory and the directories listed in the following entry in the Windows Registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
    Then, it looks for e-mail addresses in the files that it finds. Finally, it sends an e-mail message containing an infected file to the addresses it finds.
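As an added example that is not from the original page, the following Python classifier scans a file listing for the indicators described on this page: the worm copies and backdoor DLLs dropped in the Windows system directory, the mailer's CH0015.TMP file, and the double-extension names used both for the copies left on network shares and for the e-mail attachments listed above. The listing it scans and the system directory paths are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicator names are taken from this page's Lovgate.F description; LISTING is a constructed sample.
SYSTEM_DIR_COPIES = {"windriver.exe", "ravmond.exe", "iexplore.exe", "wingate.exe",
                     "winhelp.exe", "winrpc.exe", "winrpcsrv.exe", "stg.exe"}
BACKDOOR_DLLS = {"kernel66.dll", "111.dll", "ily668.dll", "reg678.dll", "task688.dll"}
# A document/media extension immediately followed by an executable one, e.g. ME_NUDE.AVI.PIF
DOUBLE_EXT = re.compile(r"\.(doc|txt|jpg|zip|rar|mp3|avi|rm)\.(exe|pif|scr|com)$", re.I)
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\system", "c:\\winnt\\system32"}  # assumed locations

def classify(path):
    """Return a short reason if the path matches a Lovgate.F file indicator, else None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in BACKDOOR_DLLS:
        return "backdoor DLL name"
    if name in SYSTEM_DIR_COPIES and parent in SYSTEM_DIRS:
        return "worm copy name in system directory"   # a real IEXPLORE.EXE lives elsewhere
    if DOUBLE_EXT.search(name):
        return "double extension disguising an executable"
    if name == "ch0015.tmp" and parent.endswith("\\temp"):
        return "mailer temp file"
    if path.startswith("\\\\") and name == "autoexec.bat":
        return "AUTOEXEC.BAT dropped on a network share"
    return None

def scan(listing):
    """Return [(path, reason)] for every path in the listing that matches an indicator."""
    return [(p, r) for p in listing for r in [classify(p)] if r]

LISTING = [   # constructed sample listing, not from the page
    r"\\FILESRV\public\ARE YOU LOOKING FOR LOVE.DOC.EXE",
    r"\\FILESRV\public\quarterly report.doc",
    r"\\FILESRV\public\AUTOEXEC.BAT",
    r"C:\WINDOWS\system32\RAVMOND.EXE",
    r"C:\WINDOWS\system32\reg678.dll",
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"C:\WINDOWS\Temp\CH0015.TMP",
    r"C:\Users\me\Downloads\SHAKIRA.ZIP.EXE",
]
```

Names without a decoy extension, such as JOKE.PIF or SETUP.EXE, are not caught by the double-extension rule and need the full name list or a scanner signature.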

The characteristics of the ten e-mail messages that Lovgate.F sends out are described on a separate page.


  Other details
 

Lovgate.F is written in the programming language C++. The file that carries out the infection is 107,008 bytes in size and compressed with Aspack.


Last updated:  Nov. 6, 2007 
