New Worm Spreads By Replying To All Mail

The Lovegate worm spreads by replying to unread E-mail in a user's in-box, as well as by mass-mailing itself to addresses it highjacks on infected machines.

InformationWeek Staff, Contributor

May 19, 2004

3 Min Read

A worm making the rounds on the Internet not only mass-mails itself to addresses it hijacks on infected machines, but spreads by replying to unread E-mail messages in the user's in-box, security experts said Wednesday.

The Lovegate worm, which was first discovered last week and reappeared in repackaged, copycat form Tuesday, uses an auto-responding technique as well as the traditional address book theft to propagate, said Alfred Huger, VP of engineering at Symantec Corp.'s virus watch group.

"The two together are pretty vicious. This is really clever," said Huger, who called it another example of how hackers come up with ingenious ways to spread malicious code.

The latest version of the worm, dubbed Lovegate.w by Symantec and Lovegate.ab by rival security firm Network Associates, can sniff for unread messages in MAPI-compliant E-mail programs, such as Outlook and Outlook Express, then send itself as a reply to any in-bound message.

Auto-responders within worms aren't new, said Jimmy Kuo, a research fellow at McAfee--the virulent Klez worm of 2001 used the technique-- but the combination of mass mailing and auto-responding means that Lovegate may spread fast and be tougher to spot.

"By responding to real mail, the worm doesn't have to come up with its own Subject line," said Kuo. "That makes it harder for users to identify."

Worms equipped with auto-responders, added Kuo, tend to have a longer life span. Klez, for example, topped the virus charts for nearly a year.

Lovegate also uses multiple attack vectors, able to spread not only through E-mail, but also through network shares. The worm also uses other standard malware tactics, including disabling anti-virus software it finds on the targeted system and hiding within Zip archive files.

Currently, Network Associates ranks Lovegate as a Medium threat, while Symantec lists it as a 2 in its 1-5 scale.

In other security news, the high level of activity on TCP port 5000 which Symantec reported on Monday seems to have stabilized, but only after additional culprits were spotted.

Besides the Kibuv.b worm, originally thought to be the sole reason behind the spike in port 5000 traffic, security firms--including Symantec and Sophos--have named the Bobax worm as an accomplice.

Bobax, which exploits the same Windows security flaw as the much more prolific Sasser worm, scans for vulnerable Windows XP systems using TCP port 5000. Its purpose seems to be to turn infected machines into spam generators and launch pads for denial-of-service, according to analysis done by Sophos.

"If users don't take the appropriate action, they shouldn't be surprised if their computers turn into zombies, launching thousands of spam messages at other Internet users," Chris Kraft, a Sophos senior security analyst, said in a statement.

The Symantec DeepSight network's honeypots, meanwhile, snagged an example of exploit code that also scans port 5000. While the code is similar to that in the Kibuv worm, it's actually a hacker's attempt to harvest additional machines for later use in spamming and denial-of-service attacks, said Symantec's Huger. Like Kibuv, the bot exploits a 2001 vulnerability in Windows Universal Plug and Play service.

"The people running these bot networks are casting back in time," said Huger, "looking for vulnerable machines. There has to be a reason why they're lurching around for this [old] vulnerability. It's because there's fierce competition between bot network owners for systems."

As more recent vulnerabilities are patched, hackers are retracing old ground--long-fixed vulnerabilities--in the hope that they'll find unprotected PCs.

"Some of these bots are very advanced," Huger said. "They can break into a machine and articulate everything from bandwidth and disk space to memory and the processor. They can even figure out how many hops the system is from the Internet backbone."

With that information, Huger said, the attacker can pinpoint the machines with the most drive space to store their pirated software collections and the fattest and most efficient pipelines to the Internet for their denial-of-service attacks.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights