[Snort-sigs] Re: capture the funlove virus

[Vjay LaRosa]

FYI,

here are four signatures that I had created with another person for the 
funlove virus to use with snort. I haven't had time to document them or 
to put the PCAP's together for each string yet. They have been extremely 
successful for us. Thanks!

vjl

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Fun Love 
flcss.exe"; flags: A+; content: "|66 6c 63 73 73 2e 65 78 65|"; 
classtype:string-detect; rev:1;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Fun Love 
NTLDR"; flags: A+; content: "|4e 54 4c 44 52|"; classtype:string-detect; 
rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Fun Love 
ntoskrnl.exe"; flags: A+; content: "|57 49 4e 4e 54 5c 53 79 73 74 65 6d 
33 32 5c 6e 74 6f 73 6b 72 6e 6c 2e 65 78 65|"; classtype:string-detect; 
rev:1;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Fun Loving 
Criminal";  flags: A+; content: "|46 75 6e 20 4c 6f 76 69 6e 67 20 43 72 
69 6d 69 6e 61 6c|"; classtype:string-detect; rev:1;)




Nick FitzGerald wrote:


> "Dale, Kyra" <kyra.dale at ...497...> wrote:
> 
> 
>>>Has anyone created a computer (trap) that would be able to determine the
>>>source of the funlove virus on a network?  If so, can you provide details.
>>>
> 
> I recall seeing a free download at Symantec's site that claimed to do 
> this.  It's bound to be linked off their FunLove description page.
> 
> Alternatively, setting up an NT/W2K/XP "honeypot" with an open share 
> on the root of the Windows install drive and with full file system 
> auditing enabled should allow you to track where FunLove's write 
> attempts come from (you should, of course, monitor this machine very 
> closely!).
> 
> 
> 


-- 
  V.Jay LaRosa				EMC Corporation
  Systems Administrator			171 South Street
  (508)435-1000 ext 14957		Hopkinton, MA 01748
  (508)497-8082 fax			www.emc.com