[Dshield] LoveSan worm - I need a copy of it.
Johannes B. Ullrich
jullrich at sans.org
Wed Aug 13 20:29:09 GMT 2003
This message was converted from multipart/signed to ascii armored
-----BEGIN PGP SIGNED MESSAGE-----
> Do you know where I can find a copy of the LoveSan virus (worm) in binary?
> I've been asked to analyse it, so I can write a snort rule for it.
I will send you a copy off list.
> Does it use UDP or TCP/IP... and where can I find info on it, or results of
> earlier analysis of it?
TCP to spread (TCP 135, 4444 for the shell), UDP to upload the worm.
The RPC DCOM Snort rules work fine for it.
> I'm also looking for a good Intel disassembler, one written in C that can run on UNIX machines or Mac OS-9, or OS-10.
> I hear they exist, but initial web searches haven't come up with anything yet.
> Figured I would ask here first, before spending a long time on a fruitless search.
> If someone already wrote a Snort rule for it, I would really like to get it installed in our IDS system as soon as possible for some of our customers.
> I've already checked the Snort web site, nothing was there, unless they added it to their library and didn't mention it.
SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
636K7wEbIChHCvSPO031hH0
-----END PGP SIGNATURE-----
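The port sequence given in the reply above (TCP 135 to spread, TCP 4444 for the shell, then a UDP transfer) can be correlated in flow logs to separate hosts that only probed from pairs that went through the whole sequence. This is an added example, not part of the original message; the record layout, the addresses, the 60-second window and the function name `correlate` are assumptions.

```python
# Constructed flow records (not real traffic):
# (epoch_seconds, protocol, source, destination, destination_port)
SAMPLE_FLOWS = [
    (100, "tcp", "10.0.0.5", "10.0.0.20", 135),
    (101, "tcp", "10.0.0.5", "10.0.0.20", 4444),
    (103, "udp", "10.0.0.20", "10.0.0.5", 69),    # UDP port is a constructed value
    (110, "tcp", "10.0.0.5", "10.0.0.21", 135),   # probe only, no shell follows
    (200, "tcp", "10.0.0.9", "10.0.0.30", 4444),  # 4444 without a prior 135
    (300, "tcp", "10.0.0.7", "10.0.0.40", 135),
    (900, "tcp", "10.0.0.7", "10.0.0.40", 4444),  # too late to be related
]


def correlate(flows, window=60):
    """Return {(src, dst): stage} for host pairs matching the sequence.

    stage is "shell" when TCP 135 was followed by TCP 4444 from the same
    source to the same destination within `window` seconds, and "transfer"
    when a UDP flow between the two hosts (either direction) followed the
    shell connection within `window` seconds.
    """
    last_135 = {}   # (src, dst) -> time of the most recent TCP 135 flow
    shell_at = {}   # (src, dst) -> time of the matching TCP 4444 flow
    stages = {}
    for ts, proto, src, dst, port in sorted(flows):
        pair = (src, dst)
        if proto == "tcp" and port == 135:
            last_135[pair] = ts
        elif proto == "tcp" and port == 4444:
            if pair in last_135 and ts - last_135[pair] <= window:
                shell_at[pair] = ts
                stages[pair] = "shell"
        elif proto == "udp":
            # The message does not name the UDP port, so any UDP flow
            # between the two hosts counts, whichever side sent it.
            for candidate in (pair, (dst, src)):
                if candidate in shell_at and ts - shell_at[candidate] <= window:
                    stages[candidate] = "transfer"
    return stages


if __name__ == "__main__":
    for (src, dst), stage in correlate(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: reached stage '{stage}'")
```
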