Snort mailing list archives
Fun Love Virus.
From: Vjay LaRosa <vjayl () emc com>
Date: Fri, 15 Mar 2002 10:52:52 -0500
Hello,

Has anyone had any experience with the Fun Love Virus? One of our AV guys put in a request to disable a port for a specific IP. He confirmed for us that it was infected with the Fun Love virus. So I poked around in the Snort alerts and found that this particular IP had triggered the alert "NETBIOS NT NULL session" hundreds of times. This was the packet.

    00 00 00 BC FF 53 4D 42 73 00 00 00 00 18 07 C8   .....SMBs.......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE   ................
    00 00 40 00 0D 75 00 8A 00 04 11 32 00 00 00 00   ..@.u.....2....
    00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 4D   ...............M
    00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00   ......W.i.n.d.o.
    77 00 73 00 20 00 32 00 30 00 30 00 32 00 20 00   w.s. .2.0.0.2. .
    32 00 36 00 30 00 30 00 00 00 57 00 69 00 6E 00   2.6.0.0...W.i.n.
    64 00 6F 00 77 00 73 00 20 00 32 00 30 00 30 00   d.o.w.s. .2.0.0.
    32 00 20 00 35 00 2E 00 31 00 00 00 00 00 04 FF   2. .5...1.......
    00 BC 00 08 00 01 00 27 00 00 5C 00 5C 00 49 00   .......'..\.\.I.
    4D 00 50 00 53 00 30 00 30 00 31 00 35 00 5C 00   M.P.S.0.0.1.5.\.
    49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F 3F 00   I.P.C.$...?????.

So I picked a few more NULL session alerts to look at and found the last line of the packet was different.

    50 00 43 00 24 00 00 00 49 50 43 00               I. P.C.$...IPC    <---- IPC instead of ?????.

So I figured let's put a signature in just looking for the tail end of this packet with 5 ?'s and assume that it is the Fun Love virus. Well this sig is now catching tons of packets. So I am trying to dig up any information I can on this subject. If anyone is familiar with the NT Null session packet and could explain the difference between these two packets that would help me also.

Thanks everyone!
vjl

--
V.Jay LaRosa                  EMC Corporation
Systems Administrator         171 South Street
(508)435-1000 ext 14957       Hopkinton, MA 01748
(508)497-8082 fax             www.emc.com
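The two packets in the post differ in exactly one SMB field, and the script below decodes the quoted hex dump to show which one. It is an example added to this archive page; it is not the poster's code and not anything from the Snort project. It walks the NetBIOS session header, the SMB header and the AndX chain (Session Setup AndX followed by Tree Connect AndX) according to the SMB1/CIFS request layouts, then rebuilds the packet with the "IPC" tail the post describes so both variants can be compared. The hex dump is the one quoted in the message; the second packet is constructed here from the post's description of its last line.

```python
# Added example for this thread (not the poster's code). POST_DUMP is the hex dump
# quoted in the post with its ASCII column dropped; the "IPC" variant is constructed
# from the post's description of the second packet. Field layout per SMB1/CIFS.
import struct

POST_DUMP = """
00 00 00 BC FF 53 4D 42 73 00 00 00 00 18 07 C8
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE
00 00 40 00 0D 75 00 8A 00 04 11 32 00 00 00 00
00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 4D
00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00
77 00 73 00 20 00 32 00 30 00 30 00 32 00 20 00
32 00 36 00 30 00 30 00 00 00 57 00 69 00 6E 00
64 00 6F 00 77 00 73 00 20 00 32 00 30 00 30 00
32 00 20 00 35 00 2E 00 31 00 00 00 00 00 04 FF
00 BC 00 08 00 01 00 27 00 00 5C 00 5C 00 49 00
4D 00 50 00 53 00 30 00 30 00 31 00 35 00 5C 00
49 00 50 00 43 00 24 00 00 00 3F 3F 3F 3F 3F 00
"""

SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
SMB_COM_NONE = 0xFF         # AndXCommand value meaning "no further chained command"
FLAGS2_UNICODE = 0x8000

# Meaning of the ASCII Service string in a Tree Connect AndX request (CIFS spec).
SERVICE_TYPES = {"A:": "disk share", "LPT1:": "printer share", "IPC": "named pipe",
                 "COMM": "communications device", "?????": "any type of device (wildcard)"}

def hexdump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))

def _read_utf16z(buf, pos):
    """NUL-terminated UTF-16LE string at pos; returns (text, offset after the NUL)."""
    end = pos
    while buf[end:end + 2] not in (b"\x00\x00", b""):   # b"" means we ran off the end
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_smb_request(pkt):
    """Walk the AndX chain of a NetBIOS-framed SMB1 request. Offsets in the result
    are relative to the SMB header, which is how AndXOffset is expressed on the wire."""
    nbss_len = int.from_bytes(pkt[1:4], "big")          # 4-byte NetBIOS session header
    smb = pkt[4:4 + nbss_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    unicode = bool(struct.unpack_from("<H", smb, 10)[0] & FLAGS2_UNICODE)  # Flags2
    info = {"command": smb[4], "unicode": unicode}
    cmd, off = smb[4], 32                                 # first block follows the 32-byte header
    while cmd != SMB_COM_NONE:
        wct = smb[off]                                    # WordCount: parameter words
        params = smb[off + 1:off + 1 + 2 * wct]
        bcc_off = off + 1 + 2 * wct                       # ByteCount: data bytes that follow
        bcc = struct.unpack_from("<H", smb, bcc_off)[0]
        data = bcc_off + 2
        if cmd == SMB_COM_SESSION_SETUP_ANDX and wct == 13:
            oem_len, uni_len = struct.unpack_from("<HH", params, 14)   # password lengths
            pos = data + oem_len + uni_len
            if unicode and pos % 2:                       # Unicode strings start on an even offset
                pos += 1
            account, pos = _read_utf16z(smb, pos)
            domain, pos = _read_utf16z(smb, pos)
            native_os, pos = _read_utf16z(smb, pos)
            native_lm, pos = _read_utf16z(smb, pos)
            info["session_setup"] = {"account": account, "domain": domain,
                                     "native_os": native_os, "native_lanman": native_lm}
        elif cmd == SMB_COM_TREE_CONNECT_ANDX and wct == 4:
            pos = data + struct.unpack_from("<H", params, 6)[0]      # skip PasswordLength bytes
            if unicode and pos % 2:
                pos += 1
            path, pos = _read_utf16z(smb, pos)
            end = smb.index(b"\x00", pos)                 # Service is ASCII even in Unicode sessions
            service = smb[pos:end].decode("ascii")
            info["tree_connect"] = {"path": path, "service": service, "service_offset": pos,
                                    "service_type": SERVICE_TYPES.get(service, "unknown"),
                                    "bytecount_offset": bcc_off, "bytecount": bcc}
        else:
            raise ValueError("unsupported command 0x%02x (wct=%d)" % (cmd, wct))
        cmd, _, off = struct.unpack_from("<BBH", params, 0)          # follow the AndX chain
    return info

def with_service(pkt, service):
    """Rebuild the packet with another Tree Connect Service string, fixing the NetBIOS
    length and the Tree Connect ByteCount (constructs the post's second variant)."""
    tc = parse_smb_request(pkt)["tree_connect"]
    old, new = tc["service"].encode("ascii") + b"\x00", service.encode("ascii") + b"\x00"
    start = 4 + tc["service_offset"]                      # offset of Service within pkt
    out = bytearray(pkt[:start] + new + pkt[start + len(old):])
    delta = len(new) - len(old)
    out[1:4] = (int.from_bytes(pkt[1:4], "big") + delta).to_bytes(3, "big")
    struct.pack_into("<H", out, 4 + tc["bytecount_offset"], tc["bytecount"] + delta)
    return bytes(out)

if __name__ == "__main__":
    wildcard = hexdump_to_bytes(POST_DUMP)
    for pkt in (wildcard, with_service(wildcard, "IPC")):
        tc = parse_smb_request(pkt)["tree_connect"]
        print(tc["path"], repr(tc["service"]), "->", tc["service_type"])
```

Run stand-alone, it prints the same path (\\IMPS0015\IPC$) for both packets and two different Service strings. Service is the ASCII field that closes a Tree Connect AndX request and tells the server what kind of share the client expects: "IPC" asks for a named pipe, "?????" means any type of device. Both are legitimate values a client may send when connecting to IPC$, so a content match on the five question marks fires on ordinary tree connects rather than on anything specific to an infected host, which fits the rule "catching tons of packets". The decoded Session Setup also shows an empty account name and domain, which is what a null-session alert refers to, and a NativeOS of "Windows 2002 2600", the string Windows XP (build 2600) reports.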