SHELLCODE: X86 Microsoft Win32 Export Table Enumeration Variant Detection Over TCP-CTS

This signature detects payloads transferred over the network that use an x86 Microsoft Win32 export table enumeration variant. This may indicate an attempt to evade anti-virus/IPS solutions and possibly drop malicious code.

Extended Description

The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."

Affected Products

Microsoft windows_2000

References

BugTraq: 11763 11372

CVE: CVE-2004-0206

Short Name
SHELLCODE:X86:WIN32-ENUM-CTS
Severity
Critical
Recommended
True
Recommended Action
Drop
Category
SHELLCODE
Keywords
CVE-2004-0206 CVE-2004-1080 Detection Enumeration Export Microsoft Over TCP-CTS Table Variant Win32 X86 bid:11372 bid:11763
Release Date
08/17/2015
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3761
Port
TCP/0-79,81-442,444-3127,3129-7999,8001-8079,8081-65535
False Positive
Unknown
Vendors

Microsoft
