[Snort-sigs] Lovgate.F rule

Tom.Mclaughlin at ...1486...
Tue Apr 29 05:28:09 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: 
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"VIRUS Lovgate Fileshare 139"; dsize:>500; content:"|40 00 00 C0 2E 61 73 70 61 63 6B 00|"; rev:1;)
 
--
Sid:

--
Summary:
When the Lovgate worm is active it copies itself to network shares when using
port 139 for netbios-ssn.
--
Impact:

--
Detailed Information:
I took 6 samples of Lovgate.F and opened them up with a hex editor looking
for similar code. Once I had found some hex that I could identify Lovgate
with, I based my rule on that. The code I found was at the beginning of the
executable where the aspack signature is.
I've tried copying the virus across the network maybe 10-15 times and the
rule catches it when netbios uses port 139. I've noticed that sometimes
netbios copies over port 445 so I needed another rule to scan that port.
In the above rule I removed the sid since I am using >1,000,000 for this
rule.
--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
I realize that some other programs will be using aspack to pack their
programs. This may or may not be a problem with this rule.
--
False Negatives:

--
Corrective Action:

--
Contributors:
Tom McLaughlin
tom.mclaughlin at ...1486...
-- 
Additional References:
http://www.f-secure.com/v-descs/lovgate.shtml
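
The rule's content bytes, read as a PE section table (an added illustration in Python, not part of the original post and not the rule author's work): `40 00 00 C0` is the little-endian Characteristics field 0xC0000040 (initialized data, readable, writable) that ends one IMAGE_SECTION_HEADER, and `2E 61 73 70 61 63 6B 00` is the 8-byte Name `.aspack` of the next header, the stub section ASPack adds to the files it packs. The script builds a constructed stand-in for such a section table (zero-filled headers, an assumed section-table offset, an assumed file size and MSS; none of it is real Lovgate data), evaluates the rule's port, dsize and content conditions per TCP segment, and reproduces the port 445 gap and the packer-wide false positive the post describes, plus one case the post does not discuss: the pattern straddling a segment boundary. Standard library only.

```python
"""Added illustration of what the Lovgate.F rule's content bytes match.
Not part of the original post or the rule author's work."""
import struct

# The rule's content bytes: |40 00 00 C0 2E 61 73 70 61 63 6B 00|.
PATTERN = bytes.fromhex("400000C02E61737061636B00")

# PE section Characteristics flags (winnt.h values).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# 0xC0000040: packed little-endian this is exactly the leading "40 00 00 C0".
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# 0xE0000020: a different, also common, set of section flags.
CODE_RWX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

SECTION_TABLE_OFFSET = 0x1F8  # assumption: where a PE32 section table usually starts
FILE_SIZE = 4096              # constructed sample size, not Lovgate's real size


def section_header(name: bytes, characteristics: int) -> bytes:
    """One 40-byte IMAGE_SECTION_HEADER: Name[8], six DWORD size/offset fields,
    two WORD counts and Characteristics. Sizes and offsets are zeroed (constructed)."""
    return struct.pack("<8s6I2HI", name.ljust(8, b"\0"),
                       0, 0, 0, 0, 0, 0, 0, 0, characteristics)


def packed_file(last_original_section: bytes, flags: int) -> bytes:
    """Constructed stand-in for an ASPack-packed PE: zero-filled headers, then a
    section table in which the last original section (name and flags chosen by
    the caller) is followed by the ".aspack" stub section. Nothing here is
    Lovgate-specific; it is not a real or runnable binary."""
    table = section_header(last_original_section, flags) + section_header(b".aspack", CODE_RWX)
    return (b"\0" * SECTION_TABLE_OFFSET + table).ljust(FILE_SIZE, b"\0")


def rule_matches(dst_port: int, payload: bytes) -> bool:
    """The posted rule's conditions evaluated on one TCP segment payload:
    destination port 139, dsize > 500 and the content bytes anywhere in it."""
    return dst_port == 139 and len(payload) > 500 and PATTERN in payload


def segments(data: bytes, mss: int) -> list:
    """Chunk a file into TCP payloads of at most `mss` bytes. Real SMB/NetBIOS
    framing adds its own headers and shifts the boundaries; omitted here."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def alerting_segments(data: bytes, dst_port: int, mss: int = 1460) -> list:
    """Indices of the segments the rule would alert on, without stream reassembly."""
    return [i for i, seg in enumerate(segments(data, mss)) if rule_matches(dst_port, seg)]


if __name__ == "__main__":
    sample = packed_file(b".text", DATA_RW)
    print("pattern at file offset", sample.index(PATTERN))        # 540
    print("port 139:", alerting_segments(sample, 139))            # [0]
    print("port 445:", alerting_segments(sample, 445))            # [] (needs the second rule)
    # The false positive the post mentions: another packed file with the same
    # preceding-section flags, different section name, fires just the same.
    print("other aspack file:", alerting_segments(packed_file(b".data", DATA_RW), 139))  # [0]
    # The 12-byte pattern is tied to one Characteristics value, so a packed file
    # whose last original section carries other flags is missed.
    print("other flags:", alerting_segments(packed_file(b".text", CODE_RWX), 139))       # []
    # Per-segment matching also misses the pattern when a segment boundary splits it.
    print("split across segments:", alerting_segments(sample, 139, mss=546))              # []
```

The split case is why a content rule like this is better paired with TCP stream reassembly in the sensor; the port 445 case is the second rule the post says it needed.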