
[Snort-sigs] Lovgate.F rule

From: <Tom.Mclaughlin(at)kp.org>
Date: Mon Apr 28 2003 - 15:15:05 EDT

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"VIRUS Lovgate Fileshare 139"; dsize:>500; content:"|40 00 00 C0 2E 61 73 70 61 63 6B 00|"; rev:1;)

--

Sid:

--

Summary:
When the Lovgate worm is active it copies itself to network shares using port 139 for netbios-ss.
--

Impact:

--

Detailed Information:
I took 6 samples of Lovgate.F and opened them up with a hex editor looking for similar code.
Once I had found some hex that I could identify Lovgate with I based my rule on that. The code
I found was at the beginning of the executable where the aspack signature is.
I've tried copying the virus across the network maybe 10-15 times and the rule catches it when netbios
uses port 139. I've noticed that sometimes netbios copies over port 445 so I needed another rule to scan
that port.
In the above rule I removed the sid since I am using >1,000,000 for this rule.
--

Attack Scenarios:

--

Ease of Attack:

--

False Positives:
I realize that some other programs will be using aspack to pack their programs. This may or may not be a problem with this rule.
--

False Negatives:

--

Corrective Action:


--

Contributors:
Tom McLaughlin
tom.mclaughlin@kp.org
--

Additional References:
http://www.f-secure.com/v-descs/lovgate.shtml
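As an added example that is not part of Tom's post: a small Python matcher that applies the rule's two payload tests (dsize:>500 and the pipe-delimited hex content, which decodes to four bytes followed by the ASCII string ".aspack" and a NUL) to constructed payloads. The payloads are made up for illustration; the third one stands for any benign ASPack-packed file crossing the share and shows the false positive the post mentions.

```python
"""Apply the posted Lovgate rule's payload conditions to sample data."""

# The content option exactly as it appears in the posted rule.
LOVGATE_CONTENT = "|40 00 00 C0 2E 61 73 70 61 63 6B 00|"
MIN_DSIZE = 500  # the rule's dsize:>500 (strictly greater)


def parse_snort_content(content: str) -> bytes:
    """Translate a Snort content string into raw bytes.

    Text between '|' characters is hex; text outside them is literal.
    Only this subset of the content syntax is handled here.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:  # odd segments sit inside pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:  # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


SIGNATURE = parse_snort_content(LOVGATE_CONTENT)  # b'@\x00\x00\xc0.aspack\x00'


def rule_matches(payload: bytes) -> bool:
    """True when a TCP payload satisfies both dsize:>500 and the content."""
    return len(payload) > MIN_DSIZE and SIGNATURE in payload


# Constructed payloads (not captures): padding around the signature bytes.
WORM_LIKE = b"\x00" * 300 + SIGNATURE + b"\x90" * 300        # large, signature present
SHORT_FRAGMENT = b"\x00" * 100 + SIGNATURE                    # signature present, too small
BENIGN_PACKED = b"MZ" + b"\x00" * 400 + SIGNATURE + b"A" * 200  # any ASPack-packed PE
NO_SIGNATURE = b"\x00" * 600                                  # large, no signature


def evaluate_samples() -> dict:
    """Return the rule's verdict for each constructed payload by name."""
    samples = {
        "worm_like": WORM_LIKE,
        "short_fragment": SHORT_FRAGMENT,
        "benign_packed": BENIGN_PACKED,
        "no_signature": NO_SIGNATURE,
    }
    return {name: rule_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:15} -> {'ALERT' if verdict else 'no match'}")
```

The benign_packed verdict is the false positive case: the content bytes are a packer artifact, not something unique to Lovgate, so a second condition (for example a file-size or SMB-command constraint) would be needed to narrow the rule.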




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue Apr 29 09:09:18 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

