[Snort-users] Fun Love Virus.

Vjay LaRosa vjayl at ...3331...
Fri Mar 15 07:54:03 EST 2002


Hello,

Has anyone had any experience with the Fun Love virus? One of our AV
guys put in a request to disable a port for a specific IP. He confirmed
for us that it was infected with the Fun Love virus. So I poked
around in the Snort alerts and found that this particular IP had
triggered the alert "NETBIOS NT NULL session" hundreds of times. This
was the packet.

00 00 00 BC FF 53 4D 42 73 00 00 00 00 18 07 C8   .....SMBs.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
00 00 40 00 0D 75 00 8A 00 04 11 32 00 00 00 00   ..@..u.....2....
00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 4D   ...............M
00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00   ......W.i.n.d.o.
77 00 73 00 20 00 32 00 30 00 30 00 32 00 20 00   w.s. .2.0.0.2. .
32 00 36 00 30 00 30 00 00 00 57 00 69 00 6E 00   2.6.0.0...W.i.n.
64 00 6F 00 77 00 73 00 20 00 32 00 30 00 30 00   d.o.w.s. .2.0.0.
32 00 20 00 35 00 2E 00 31 00 00 00 00 00 04 FF   2. .5...1.......
00 BC 00 08 00 01 00 27 00 00 5C 00 5C 00 49 00   .......'..\.\.I.
4D 00 50 00 53 00 30 00 30 00 31 00 35 00 5C 00   M.P.S.0.0.1.5.\.
49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F 3F 00   I.P.C.$...?????.

So I picked a few more NULL session alerts to look at and found the last
line of the packet was different.

50 00 43 00 24 00 00 00 49 50 43 00             I. P.C.$...IPC <---- IPC
instead of ?????.

So I figured let's put a signature in just looking for the tail end of
this packet with 5 ?'s and assume that it is the Fun Love virus. Well,
this sig is now catching tons of packets. So I am trying to dig up any
information I can on this subject. If anyone is familiar with the NT
Null session packet and could explain the difference between these two
packets, that would help me also. Thanks everyone!

vjl
--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com
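The hex dump above is a NetBIOS session packet carrying an SMB Session Setup AndX request (empty account and domain, which is what makes it a "null session") chained to a Tree Connect AndX for `\\IMPS0015\IPC$`. The five `?` bytes at the tail are the Tree Connect service field: CIFS defines `?????` as "any service type" and `IPC` as "named pipe", and a normal client may send either, so a rule keyed on `?????` will fire on ordinary IPC$ connects from any Windows host. The script below is an added example, written for this page and not code from the poster or from the Snort project; it decodes the quoted dump, walks the AndX chain to the tree connect, and reports the path and service so the two captures can be compared. It assumes the standard word-count-13 Session Setup layout seen in the dump, and the second packet is constructed by swapping the service string, since the mail quotes only its last line.

```python
"""Decode the "NETBIOS NT NULL session" packet quoted in the mail and show which
field differs between the two captures.  Added example, not from the original post."""
import struct

# Hex columns copied from the packet in the mail (ASCII column dropped).
FUNLOVE_DUMP = """
00 00 00 BC FF 53 4D 42 73 00 00 00 00 18 07 C8
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
00 00 40 00 0D 75 00 8A 00 04 11 32 00 00 00 00
00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 4D
00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00
77 00 73 00 20 00 32 00 30 00 30 00 32 00 20 00
32 00 36 00 30 00 30 00 00 00 57 00 69 00 6E 00
64 00 6F 00 77 00 73 00 20 00 32 00 30 00 30 00
32 00 20 00 35 00 2E 00 31 00 00 00 00 00 04 FF
00 BC 00 08 00 01 00 27 00 00 5C 00 5C 00 49 00
4D 00 50 00 53 00 30 00 30 00 31 00 35 00 5C 00
49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F 3F 00
"""

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
FLAGS2_UNICODE = 0x8000

# Service strings defined for SMB_COM_TREE_CONNECT_ANDX in the CIFS spec.
SERVICE_TYPES = {
    "A:": "disk share",
    "LPT1:": "printer",
    "IPC": "named pipe",
    "COMM": "communications device",
    "?????": "any type (server decides)",
}


def parse_hexdump(text):
    return bytes.fromhex(text)


def read_ucs2z(buf, pos):
    """Null-terminated UTF-16LE string starting at an even offset."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def read_asciiz(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_session_setup(packet):
    """NetBIOS header -> SMB header -> Session Setup AndX -> Tree Connect AndX."""
    nb_len = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + nb_len]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB Session Setup AndX request")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    if not flags2 & FLAGS2_UNICODE:
        raise ValueError("example only handles Unicode-capable clients")

    wc = smb[32]                                   # WordCount (13 in the dump)
    andx_cmd = smb[33]
    andx_off = struct.unpack_from("<H", smb, 35)[0]
    oem_pw_len, uni_pw_len = struct.unpack_from("<HH", smb, 47)
    pos = 32 + 1 + 2 * wc + 2 + oem_pw_len + uni_pw_len   # past ByteCount, passwords
    pos += pos & 1                                 # Unicode strings start on even offsets
    account, pos = read_ucs2z(smb, pos)
    domain, pos = read_ucs2z(smb, pos)
    native_os, pos = read_ucs2z(smb, pos)
    native_lanman, pos = read_ucs2z(smb, pos)
    info = {"null_session": account == "" and domain == "",
            "native_os": native_os, "native_lanman": native_lanman,
            "path": None, "service": None, "service_meaning": None}

    if andx_cmd == SMB_COM_TREE_CONNECT_ANDX:      # follow the AndX chain
        tc_wc = smb[andx_off]
        tc_pw_len = struct.unpack_from("<H", smb, andx_off + 7)[0]
        pos = andx_off + 1 + 2 * tc_wc + 2 + tc_pw_len
        pos += pos & 1
        path, pos = read_ucs2z(smb, pos)
        service, _ = read_asciiz(smb, pos)         # Service is always ASCII
        info.update(path=path, service=service,
                    service_meaning=SERVICE_TYPES.get(service, "unknown"))
    return info


def with_service(packet, new_service):
    """Constructed variant: same packet with a different Tree Connect service string."""
    smb = bytearray(packet[4:])
    andx_off = struct.unpack_from("<H", smb, 35)[0]
    bc_off = andx_off + 1 + 2 * smb[andx_off]      # Tree Connect ByteCount field
    old_bc = struct.unpack_from("<H", smb, bc_off)[0]
    old_service = parse_session_setup(packet)["service"]
    smb = smb[:len(smb) - len(old_service) - 1] + new_service.encode("ascii") + b"\x00"
    struct.pack_into("<H", smb, bc_off, old_bc - len(old_service) + len(new_service))
    return b"\x00" + len(smb).to_bytes(3, "big") + bytes(smb)


def tail_matches_funlove_sig(packet):
    """The rule idea from the mail: five '?' bytes at the end of the packet."""
    return packet.endswith(b"?????\x00")


if __name__ == "__main__":
    quoted = parse_hexdump(FUNLOVE_DUMP)
    for label, pkt in (("quoted packet", quoted), ("constructed IPC variant", with_service(quoted, "IPC"))):
        print(label, parse_session_setup(pkt), "tail sig hits:", tail_matches_funlove_sig(pkt))
```

Running it shows both packets are null sessions from the same Windows XP build connecting to the same `IPC$` share; the only difference the tail rule sees is the service-type wildcard, which is why the rule keeps matching traffic that has nothing to do with the virus.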
