
July 7, 2004 4:00 PM PDT

Old-school worm loves Windows applications

The latest variant of the Lovgate worm scans PCs for executable files and then renames them, a tactic used by viruses from a much older generation, according to antivirus companies.

The Lovgate worm first appeared in February 2003 and has since mutated many times. The most recent versions of the worm--Lovgate.AE and Lovgate.AH--were discovered on Sunday. They spread by e-mailing themselves to addresses found on an infected machine and then open a "back door" to give control of the infected system to an attacker. Finally, the worms scan for vulnerable PCs connected to the infected system's local network--using the same Windows vulnerability exploited by the MSBlast worm almost a year ago.

The most important difference is the worm's destructive nature. Although the latest Lovgate worm does not delete any user data--such as documents or spreadsheets--it replaces executable files (with the .exe extension) on the local hard drive with further copies of itself. This process can leave an infected computer effectively useless because it is unable to run any applications.

Carole Theriault, security consultant at antivirus firm Sophos, said the latest Lovgates are "ancient-style viruses" because they are so destructive.

"Five years ago this was the main way viruses spread--they got in a system and changed everything, leaving the victim with a useless piece of kit that needed to be restored using a back-up," Theriault said.

Finnish antivirus firm F-Secure warned that Lovgate is capable of destroying most of the executable files on an infected computer.

"The virus might do this renaming operation to hundreds of .exe files in one go. The end result is that instead of finding one or two infected files, the user will find masses of them. With Lovgate, this is normal," the company reported on its labs Web log.

Antivirus firm McAfee's Emergency Response Team increased the threat level of the new Lovgate variants to "medium" after discovering more than 100 samples of the worm within the first 24 hours of its discovery.
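
A defender's check for the file replacement described above and for F-Secure's note that users find "masses" of infected files, as an added example that is not from the article or any vendor: it groups .exe files by SHA-256 and reports clusters of byte-identical executables. It assumes the dropped copies are byte-identical, which the article does not state; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    """Hash in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def identical_exe_clusters(root, min_cluster=3):
    """Return {sha256: [paths]} for groups of byte-identical .exe files.

    Differently named programs are almost never byte-identical, so a large
    group suggests they were all overwritten with the same payload.
    """
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                try:
                    by_size[os.path.getsize(path)].append(path)
                except OSError:
                    continue  # file vanished or is unreadable
    clusters = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < min_cluster:
            continue  # too few files of this size to form a cluster
        for path in paths:
            try:
                clusters[sha256_of(path)].append(path)
            except OSError:
                continue
    return {d: sorted(p) for d, p in clusters.items() if len(p) >= min_cluster}


def build_constructed_tree(root):
    """Constructed sample: three distinct programs, four identical overwrites."""
    os.makedirs(os.path.join(root, "apps"), exist_ok=True)
    for i, name in enumerate(["calc.exe", "notepad.exe", "paint.exe"]):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"MZ" + bytes([i]) * 64)  # same size, different content
    for name in ["apps/mail.exe", "apps/zip.exe", "apps/ftp.EXE", "setup.exe"]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"MZ" + b"\xaa" * 64)  # placeholder bytes, not malware
```

Legitimate duplicates exist (bundled installers, shared launchers), so a reported cluster is a lead to investigate against known-good hashes, not a verdict.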

As ever, users are advised not to open e-mail attachments unless they are absolutely sure they are safe and to ensure Windows and other applications are kept up to date with the latest patches.

Munir Kotadia of ZDNet UK reported from London.

As usual...
by M. T. MacPhee July 7, 2004 8:27 PM PDT
...Macintosh unaffected.

Mike
As usual....
by Jonathan July 7, 2004 11:30 PM PDT
An idiot Mac user who doesn't get that even on a Mac if a user executes a malicious script it still can screw up your system.

This virus's primary means of propagation is idiot users who run anything that is attached to an e-mail. It's like having sex without a condom. Most people nowadays are smart enough. Unfortunately such smarts don't transfer over to the PC world.

So PLEASE give the pro Mac BS a rest. OS X has some great qualities. Being invulnerable to scripts that users run isn't one of them.
As usual....
by July 8, 2004 3:59 AM PDT
I wonder how much sleep he's going to lose tonight now that he knows something *could* be done to harm his system.

The recent thinking is diversity creates a more secure world. The Windows/Internet Explorer/Outlook Express combination has bred an environment that is friendly to malware, be it viruses, spyware, invasive advertising, etc. The recent recommendation by CERT to switch browsers only highlights that fact. Sure, an exploit could be written for Opera, but it probably won't be anytime soon. Mac users have enjoyed relative safety in terms of exploits, and I'll make the prediction that that trend is going to continue for a long time. Being a Mac user is helping to create that diverse world that limits the introduction of malware, just as being a Windows user who browses the net with Mozilla is doing the same.

You and I know how to limit our exposure to viruses and the like. We read the news, make changes to our system based on the evidence, don't open that brittneyspearsnude.exe attachment. Of course the "idiot users" you referred to are the majority. Perhaps we should recommend to them that they get a Mac. And if one of them on occasion wants to remind us that they don't need a computer engineering degree, or a lick of common sense for that matter, to safely operate their computer then so be it. They'll be around for as long as those who say just because today Windows has 50,000+ viruses and Mac OS X has none doesn't mean it's not possible to make a virus. I predict one day it will be Windows 100,000 and Mac 1, so there!
A little different...
by Stupendoussteve July 12, 2004 11:09 AM PDT
This is a bit different from the Windows problem, as on a Mac even the admins do not fully have admin privileges (hence having to type their password to do certain things). On any Linux/UNIX based system most people do not have full access, this is different with Windows (usually) as most Windows users are, by default, administrators.

If the user opening the attachment were an underprivileged user, it is far less likely the system would be completely unusable, only that a few of the programs the person used would become unusable.

This is also, of course, why UNIX-based users are told to use the root account as little as possible, as running a bad program as root could easily do what Windows viruses do all the time.
Why no better info???
by Breezy1601 July 8, 2004 7:50 AM PDT
I'm getting tired of having to guess how every virus works in these news reports. If they only affect users of IE or Outlook, then say so damn it!

Right now your reports are next to useless because you do not report this info, probably out of concern of offending Microsoft.

We really ought to know this stuff or your virus/worm reports are useless.
This diversity stuff is BS
by July 8, 2004 9:07 AM PDT
Really now, writing that diversity is the key to security is BS. Diversity helps, but the most important thing is well-audited source code, with security in mind when it is designed. I'm just curious if you know how many exploits there have been in FreeBSD? One. That's it, and it wasn't very major.

And you say that there haven't been any exploits for Opera? There have been, and I can readily replicate it for you. Probably anyone who knows some basic HTML could make you think you are at a site that you are, in fact, not at.

The fact is that Windows is flawed from the very conception. They have scripting languages and applets that aren't run in a "sandbox" like Java is. They thought of this as a limitation, but really not using something to its effect is like opening Pandora's box. And hope would be *nix. There have been a total of 3 exploits for Java, to my knowledge. How many have there been for ActiveX? And mind you, Java is much more mature than ActiveX, and in wider use, I'm sure. Just think of all that spyware on your computer, and you will see what I mean.

And one of you said something about Mac not being safe against scripting attacks? There isn't a scripting language for Mac like there is for Windows; you actually have to execute the file manually. It's not like in Outlook Express or Internet Explorer where scripts are automatically executed.

And for the one exploit they have found for Mac OS X, it was in Linux as well. Just a simple design flaw. What they did was name an executable file with meta information indicating to execute it music.mp3, and gave it an icon so it would look like an mp3. There wouldn't be any way to tell what it was before it was too late, unless you happened to run the file command on it. This would be easy to fix, and of course was fixed for Linux, but not for security reasons really; it was for performance.
Now in GNOME, when files are being associated with programs, GNOME checks the file extension, and if it doesn't have one it uses the metadata. Really easy to fix, and you get more performance as well.
OSX has had more than one exploit.
by July 8, 2004 10:36 AM PDT
If you only know of one Mac OS X exploit, you need to do better research. The OS has had quite a few problems that Apple tries to downplay. The only reason you don't hear about them in the news as much is because Apple has such a small market share, and hacking Windows is viewed as a "cooler" thing to do.
Mac OS X has only had one exploit?
by July 8, 2004 10:38 AM PDT
http://www.jayallen.org/journey/2004/05/mac_os_x_highly_critical_security_flaw
Uh hmm
by Stupendoussteve July 12, 2004 11:13 AM PDT
"there isn't a scripting language for mac like there is for windows, you actually have to execute the file manually"

Perl anyone? Shell scripts? Put 'em in cron and away you go.

Only problem is, most users don't have admin, unlike Windows.