Virus Advisory: Network Associates Avert Places Lovsan Threat as Medium On Watch

Network Associates Intrusion Prevention Solutions Block Threats Without An Update

BEAVERTON, Ore., Aug. 11 /PRNewswire-FirstCall/ — Network Associates, Inc. (NYSE: NET) the leading provider of intrusion prevention solutions, today announced that McAfee(R) AVERT(TM) (Anti-Virus Emergency Response Team), the world-class anti-virus research division of Network Associates, assigned a medium on watch risk assessment to the newly discovered Lovsan threat, also known as Win32/Lovesan.worm. Lovsan is an Internet worm that exploits the MS03-026 vulnerability and is spreading quickly to thousands of machines around the globe, according to initial reports from Network Associates customers.


Because the worm spreads quietly, and does not arrive as an e-mail attachment, users may not immediately realize that they have been infected. Some users have reported excessive use of broadband home Internet connections as a symptom.


By exploiting a vulnerability in Windows XP, NT and 2000, the worm is able to execute without requiring any action on part of the user. When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 444, and then pass a TFTP command to download the worm to the %WinDir%system32 directory and executes it.


Immediate information and cures for this virus can be found online at the Network Associates AVERT site located at . This threat was proactively detected as a variant of Exploit-DCOM RPC with the 4283 DAT files and 4.1.60 or later scan engine. Many users of McAfee Security anti-virus solutions were protected before the threat began to spread. AVERT recommends that users of McAfee Security anti-virus solutions update their systems from and use the 4283 DATS and 4.1.60 or later scanning engine to detect, remove and identify the threat as W32/Lovsan.worm.

McAfee Entercept also stopped Lovsan before it was a known threat. The McAfee Entercept solution provides patented protection against code execution as a result of buffer overflows, such as the one exploited by Lovsan. The McAfee Entercept solution will prevent attack code from being executed from writable memory as a result of a buffer overrun, protecting the integrity of the server. This protection functions whether or not the server has the latest security patch installed. The McAfee Entercept solution and its patented technology safeguards servers against buffer overflows, without any signature or code updates.

McAfee IntruShield users with signature set or later will receive alerts on attempts to exploit the vulnerability. IntruShield sensors deployed in in-line mode can be configured to drop the attack packets before they even reach the targeted host, preventing the spread of the worm, even to unpatched systems.

To contain and stop the spread of the threat, users of Sniffer Distributed or Sniffer Portable can use two filters that enable customers to detect if attempts are being made to exploit the vulnerability. Additionally, customers can use Sniffer Distributed and InfiniStream Security Forensics to monitor the network, from the edge to the core, to detect events that may trigger these vulnerabilities.

Network Associates McAfee(R) Protection-in-Depth(TM) Strategy delivers the industry’s only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.

AVERT Labs is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. AVERT protects customers by providing cures that are developed through the combined efforts of AVERT researchers and AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.

With headquarters in Santa Clara, California, Network Associates, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee(R) System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. These two product portfolios incorporate Network Associates’ leading McAfee, Sniffer(R) and Magic Solutions(R) product lines. For more information, Network Associates can be reached at 972-963-8000 or on the Internet at .

NOTE: Network Associates, AVERT, McAfee, Sniffer and Magic Solutions are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. Sniffer(R) brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Don't miss