[Dshield] LoveSan worm - I need a copy of it.

Johannes B. Ullrich jullrich at sans.org
Wed Aug 13 20:29:09 GMT 2003


> Do you know where I can find a copy of the LoveSan virus (worm) in binary?
> I've been asked to analyse it,  so I can write a snort rule for it.

I will send you a copy off list.

> Does it use UDP or TCP/IP... and where can I find info on it, or results of
> earlier analysis of it?

TCP to spread (TCP 135, 4444 for the shell), UDP to upload the worm.

The RPC DCOM snort rules work fine for it.

> I'm also looking for a good Intel disassembler, one written in C and can run on UNIX machines or Mac OS-9, or OS-10.
> I hear they exist,  but initial web searches haven't come up with anything yet.
> Figured I would ask here first,  before spending a long time on a fruitless search.
> If someone already wrote a snort rule for it, I would really like to get it installed in our IDS system as soon as possible for some of our customers.
> I've already checked the Snort web site,  nothing was there,  unless they added it to their library and didn't mention it.
> John
SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
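
The port sequence given in the reply (TCP 135 to spread, TCP 4444 for the shell, then UDP to move the worm) can be correlated per host pair in flow logs. The following is an added example, not part of the original message or of any Snort rule set; the log format, addresses, 60-second window and function names are assumptions, and the UDP port in the sample data is a constructed placeholder because the reply does not name one.

```python
# Constructed flow records (not real traffic): time proto src dst dst_port.
# The reply names no UDP port, so the 69 below is a placeholder value only.
SAMPLE_FLOWS = """\
100 tcp 10.0.0.5 10.0.0.9 135
101 tcp 10.0.0.5 10.0.0.9 4444
102 udp 10.0.0.9 10.0.0.5 69
110 tcp 10.0.0.5 10.0.0.7 135
200 tcp 10.0.0.3 10.0.0.8 4444
300 tcp 10.0.0.6 10.0.0.4 135
900 tcp 10.0.0.6 10.0.0.4 4444
901 udp 10.0.0.4 10.0.0.6 69
"""

WINDOW = 60  # seconds; assumed correlation window, tune for your sensors

def parse(text):
    """Yield (time, proto, src, dst, dst_port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, proto, src, dst, port = parts
        yield int(ts), proto.lower(), src, dst, int(port)

def correlate(flows, window=WINDOW):
    """Map (source, target) -> (stage, start); stage 3 means 135, 4444, UDP all seen."""
    state = {}
    for ts, proto, src, dst, port in sorted(flows):
        key = (src, dst)
        stage, t0 = state.get(key, (0, None))
        if proto == "tcp" and port == 135:
            if stage == 0 or (stage < 3 and ts - t0 > window):
                state[key] = (1, ts)          # new or restarted sequence
        elif proto == "tcp" and port == 4444:
            if stage == 1 and ts - t0 <= window:
                state[key] = (2, t0)          # shell port followed the RPC hit
        elif proto == "udp":
            for k in (key, (dst, src)):       # accept UDP in either direction
                st, t = state.get(k, (0, None))
                if st == 2 and ts - t <= window:
                    state[k] = (3, t)
    return state

def alerts(text, window=WINDOW):
    """Return sorted (source, target) pairs that completed the full sequence."""
    state = correlate(parse(text), window)
    return sorted(pair for pair, (stage, _) in state.items() if stage == 3)

if __name__ == "__main__":
    print(alerts(SAMPLE_FLOWS))
```
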


