
[Snort-sigs] Lovgate.F port 445 rule

From: <Tom.Mclaughlin(at)kp.org>
Date: Mon Apr 28 2003 - 15:17:18 EDT

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"VIRUS Lovgate Fileshare 445"; dsize:>500; content:"|40 00 00 C0 2E 61 73 70 61 63 6B 00|"; rev:1;)

--

Sid:

--

Summary:
When the Lovgate worm is active it copies itself to network shares when using port 445 for netbios-ss.
--

Impact:

--

Detailed Information:
I took 6 samples of Lovgate.F and opened them up with a hex editor looking for similar code.
Once I had found some hex that I could identify Lovgate with, I based my rule on that. The code
I found was at the beginning of the executable where the aspack signature is.
I've tried copying the virus across the network maybe 10-15 times and the rule catches it when netbios
uses port 445. I've noticed that sometimes netbios copies over port 139, so I needed another rule to scan
that port.

The sid is removed from the above rule since I am using a sid > 1,000,000.
--

Attack Scenarios:

--

Ease of Attack:

--

False Positives:
I realize that some other programs will be using aspack to pack their programs. This may or may not be a problem with this rule.
--

False Negatives:


--

Corrective Action:

--

Contributors:
Tom McLaughlin
tom.mclaughlin@kp.org
--

Additional References:
http://www.f-secure.com/v-descs/lovgate.shtml
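The following is an added example, not code from the post, from Snort or from the rule's author: a small Python mirror of the rule's matching logic (destination port 445, dsize:>500, the 12-byte content string) run over constructed payloads. The payloads are fabricated stand-ins built by a hypothetical build_payload() helper, not real Lovgate.F bytes; the reading of 40 00 00 C0 as a PE section Characteristics value followed by the ".aspack" section name is an interpretation, not something the post states. It exercises the Detailed Information section (port 445 vs. 139) and the False Positives note (any other aspack-packed program carries the same marker).

```python
# Added example: replays the matching logic of the rule posted above over
# constructed payloads. Not code from the post or from Snort; the payloads
# are fabricated stand-ins, not real Lovgate.F bytes.

# The 12 bytes from the rule's content option. Read as PE section-header data,
# 40 00 00 C0 is the little-endian Characteristics value 0xC0000040 of the
# preceding section and ".aspack\0" is the ASPack section name that follows it
# (interpretation; the post only says the bytes sit where the aspack signature is).
LOVGATE_CONTENT = bytes.fromhex("40 00 00 C0 2E 61 73 70 61 63 6B 00")
MIN_DSIZE = 500  # dsize:>500 means strictly more than 500 payload bytes
RULE_PORT = 445  # $HOME_NET 445 in the rule header


def rule_matches(payload: bytes, dst_port: int) -> bool:
    """True when a TCP payload would trigger the posted rule:
    destination port 445, more than 500 payload bytes, and the
    12-byte marker found anywhere in the payload."""
    if dst_port != RULE_PORT:
        return False
    if len(payload) <= MIN_DSIZE:
        return False
    return LOVGATE_CONTENT in payload


def build_payload(section_marker: bytes, total_len: int, filler: int = 0x90) -> bytes:
    """Hypothetical helper: a constructed stand-in for the first write of a PE
    file onto a share (fake 'MZ' header, the given section-header bytes, then
    filler). Fabricated test data, not an actual worm or packer layout."""
    body = b"MZ" + b"\x00" * 62 + section_marker
    if total_len < len(body):
        raise ValueError("total_len smaller than the constructed header")
    return body + bytes([filler]) * (total_len - len(body))


# Constructed traffic samples: name -> (payload, destination port).
SAMPLES = {
    # the case the rule was written for
    "lovgate_like_over_445": (build_payload(LOVGATE_CONTENT, 1024), 445),
    # a different, benign ASPack-packed program: same marker, different body
    "other_aspack_program_over_445": (build_payload(LOVGATE_CONTENT, 4096, filler=0x00), 445),
    # the same file copied over 139 instead of 445: this rule will not see it
    "same_file_over_139": (build_payload(LOVGATE_CONTENT, 1024), 139),
    # only the first 300 bytes in one segment: the dsize check fails
    "short_fragment_over_445": (build_payload(LOVGATE_CONTENT, 300), 445),
    # an unpacked PE with an ordinary .text section: no marker, no alert
    "unpacked_pe_over_445": (build_payload(b".text\x00\x00\x00", 1024), 445),
}


def classify_samples() -> dict:
    """Run every constructed sample through the rule; return name -> alert (bool)."""
    return {name: rule_matches(p, port) for name, (p, port) in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerted in classify_samples().items():
        print(f"{name:32s} {'ALERT' if alerted else 'no alert'}")
```

Two things the run makes visible: the "other_aspack_program" sample alerts just like the worm sample, which is the false positive the post acknowledges, and the marker only triggers when it lands inside a single payload larger than 500 bytes headed for port 445, so a copy over port 139 or a write split so that the marker sits in a short segment is missed by this rule alone (the post's separate port-139 rule covers the first case).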




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Tue Apr 29 09:11:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

