Catching the Lovsan Worm in Action
by Laura Chappell
[Released August 11, 2003]
[Available in PDF format also]
Note: Check out a live infection online! Download lovsan-infection.zip (available in .cap/.dmp/.pkt formats)
You could hear the CPU screaming under the hood of my IBM Thinkpad. Suddenly, cruising the Internet was like wading through mud… at times it took up to 3 minutes to open up a simple Explorer window. Obviously, something was wrong…
Task Manager indicated that the services.exe process was taking up 99% of the processor time. Ugh – this appeared to be a virus. The services.exe process has shown numerous problems with high utilization in the past, but this system was already patched (see MS doc Q328885).
I called my pal, Wally Rich at Network Associates, to see if he had any clue what could be causing the strange behavior. He got right back to me with an upgraded alert on the Lovsan worm – he’d just received an internal alert from the McAfee guys – looks like my system matched the symptoms listed.
Downloading Stinger from www.mcafee.com (which had just been updated to wipe out Lovesan) fixed the problem quickly.
Laura Chappell
Sr. Protocol Analyst
Copyright 2000 Protocol Analysis Institute, L.L.C.