Lovgate worm thrives on a full inbox

A new variant of the Lovgate.C worm is on the loose and is punishing those of us who leave their inboxes stuffed with old email.

The worm doesn't take the usual route of mining your address book for email addresses to propagate itself.

Instead it replies to all the email addresses in your inbox as well as any incoming emails. It also checks for email addresses stored within web page caches that may be on your hard drive.

While it does not destroy data it does leave a Trojan that allows remote access to your computer via port 10168 and sends a message to either 54love@fescomail.net or hacker117@163.com.

Infected emails come with a variety of headers and one of the following attachments:

• billgt.exe
• card.exe
• docs.exe
• fun.exe
• hamster.exe
• humor.exe
• images.exe
• joke.exe
• midsong.exe
• news_doc.exe
• pics.exe
• PsPGame.exe
• s3msong.exe
• searchURL.exe
• setup.exe
• tamagotxi.exe

"It's a nice, if that's the right word, change as it takes it from the inbox rather than the address book," said Jack Clark, antivirus specialist at Network Associates.

"This makes it slower to spread but the recipients more likely to open it."

So far reports of actual infections are low. While it has been detected around the world it is nowhere near as common as Klez and Bugbear, which remain the two most common viruses despite the availability of removal utilities from all the major antivirus vendors.

"We've seen something of an increase in infections in the last day," said Graham Cluley, antivirus analyst at Sophos.

"It might creep into the top 10 but we've only had a handful of reports, although the website information page is registering a massive number of hits."

All major antivirus vendors now have patches available and users are urged to update their software to be secure.