A new variant of the Lovgate worm has been discovered infecting PCs globally, according to security bulletins by major security firms including Symantec Corp. and McAfee Inc.
First discovered in February 2003, the Lovgate worm spreads by e-mailing itself to addresses found on infected PCs. Once inside a machine, the worm opens a “back door” to allow an attacker inside. In addition, Lovgate scans PCs for executables and replaces them with further copies of itself.
Considered a “medium risk” by both Symantec and McAfee, the new Lovgate variants — Lovgate.AE and Lovgate.AH — target Microsoft Corp.’s Windows applications and will disable antivirus software and security applications on an infected system. Fixes can be found at www.symantec.com as well as www.mcafee.com.
“What this worm does…is it responds automatically to e-mail sent and attaches itself in the reply,” explained Jeffrey Posluns, chief innovation officer at Toronto-based IT security provider WhiteHat Inc. “It is a much more likely mechanism to have the recipient of the e-mail open the attachment. The inherent paranoia usually related to attachments is diminished because it is a reply to an e-mail sent.”
Despite being dormant for nearly a year, Posluns said it isn’t surprising to see viruses like Lovgate rear their ugly heads again. In fact, he said there are several ways and incentives for virus writers to re-infect systems with the same viruses. In the case of Lovgate, the source code is already written.
“That is the hard part,” he said. “Virus writers can make modifications but the code is already done so they save on time.”
He also noted that while no firm or user should be without antivirus software, it’s not the be all and end all of a secure system. Posluns likened the newest strain of Lovgate to the Hepatitis disease and vaccine: a “shot” for Hepatitis A won’t protect against Hepatitis B or C.
“Most virus writers will modify the virus just enough so that antivirus definitions will not be able to pick them up,” he said.
As a rule of thumb, Posluns said e-mail administrators should configure systems to delete executables as soon as they pass through the e-mail server. WhiteHat, for example, has developed Insight Antispam and Antivirus, an offering that does just that.
Insight works in tandem with antivirus definitions like Symantec’s Norton and McAfee to decrease the amount of real threats that make it through to the employee desktop. During trials in the month of June, Posluns said that out of 101 million e-mails received, the Insight product was able to determine and delete 70 million messages as spam and 21 million as harbouring viruses. He said that while no viruses made it through to end users, 32 were picked up by antivirus definition software.