[Dshield] LoveSan worm - I need a copy of it.

Johannes B. Ullrich jullrich at sans.org
Wed Aug 13 20:29:09 GMT 2003


> Do you know where I can find a copy of the LoveSan virus (worm) in binary?
> I've been asked to analyse it, so I can write a snort rule for it.

I will send you a copy off list.

> 
> Does it use UDP or TCP/IP, and where can I find info on it, or results of
> earlier analysis of it?

TCP to spread (TCP 135, 4444 for the shell), UDP to upload the worm
(TFTP).

The RPC DCOM snort rules work fine for it.


> 
> I'm also looking for a good Intel disassembler, one written in C that can run on UNIX machines or Mac OS-9, or OS-10.
> 
> I hear they exist, but initial web searches haven't come up with anything yet.
> Figured I would ask here first, before spending a long time on a fruitless search.
> 
> If someone already wrote a snort rule for it, I would really like to get it installed in our IDS system as soon as possible for some of our customers.
> 
> I've already checked the Snort web site, nothing was there, unless they added it to their library and didn't mention it.
> 
> John
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt
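
Added example, not part of the original message: a flow-log correlator for the three stages named in the reply (TCP 135, TCP 4444, then TFTP over UDP). The log format, addresses and 60-second window are constructed assumptions; 69/udp is the standard TFTP port.

```python
from collections import defaultdict

# Ports named in the reply above; 69/udp is the standard TFTP port.
STAGES = {("tcp", 135): "rpc", ("tcp", 4444): "shell", ("udp", 69): "tftp"}
WINDOW = 60  # seconds; assumed correlation window, tune for your sensor

# Constructed sample flow records: "epoch src dst proto dport"
SAMPLE = """\
1060806540 10.0.0.5 10.0.0.9 tcp 135
1060806542 10.0.0.5 10.0.0.9 tcp 4444
1060806543 10.0.0.9 10.0.0.5 udp 69
1060806550 10.0.0.7 10.0.0.9 tcp 135
1060806900 10.0.0.8 10.0.0.3 tcp 4444
1060806901 10.0.0.3 10.0.0.8 udp 69
not a flow record
"""

def parse(line):
    """Return (ts, src, dst, stage), or None for malformed/irrelevant lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
        return None
    stage = STAGES.get((parts[3].lower(), int(parts[4])))
    return (int(parts[0]), parts[1], parts[2], stage) if stage else None

def stage_times(text):
    """Map (tcp_source, tcp_target) -> {stage: latest timestamp}."""
    seen = defaultdict(dict)
    for ts, src, dst, stage in filter(None, map(parse, text.splitlines())):
        # The TCP stages are directional; TFTP may flow either way between the pair.
        keys = [(src, dst), (dst, src)] if stage == "tftp" else [(src, dst)]
        for key in keys:
            seen[key][stage] = ts
    return seen

def correlate(text, window=WINDOW):
    """Pairs showing all three stages within `window` seconds: likely infection."""
    return sorted(pair for pair, t in stage_times(text).items()
                  if len(t) == 3 and max(t.values()) - min(t.values()) <= window)

def probes_only(text):
    """Pairs with 135/tcp contact and nothing else: scanning or failed attempts."""
    return sorted(p for p, t in stage_times(text).items() if set(t) == {"rpc"})

if __name__ == "__main__":
    print("full chain:", correlate(SAMPLE))
    print("probe only:", probes_only(SAMPLE))
```

Each returned pair is (host that opened the TCP connections, host that received them), so the second address is the machine to check first.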
