MS-RPC: LAN Worm Spread Attempt
This signature detects attempts to spread a worm over a Windows network by copying itself to the system path and scheduling a rundll32 job that executes the binary at a later date. The "Conficker" worm uses this mechanism to spread over LANs.
Extended Description
Microsoft Windows is prone to a remote code-execution vulnerability that affects RPC (Remote Procedure Call) handling in the Server service. An attacker could exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of vulnerable computers. This issue may be prone to widespread automated exploits. Attackers require authenticated access on Windows Vista and Server 2008 platforms to exploit this issue. This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Affected Products
Avaya messaging_application_server,Microsoft windows_server_2008_for_itanium-based_systems
Short Name
MS-RPC:LAN-WORM-SPREAD
Severity
Major
Recommended
False
Recommended Action
Drop
Category
MS-RPC
Keywords
Attempt LAN Spread Worm bid:31874
Release Date
02/09/2009
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3339
False Positive
Unknown
Vendors
Nortel_networks
Microsoft
Avaya