WORM: Agobot Sasser FTP Overflow

This signature detects the Agobot worm attempting to access a system already infected by the Sasser worm. If this signature is detected in your network traffic, the target computer is most likely infected with the Sasser worm.

Extended Description

The Microsoft Windows Locator service has been reported to be affected by a remotely exploitable buffer overflow vulnerability. The condition is due to a memory copy of RPC arguments received from remote clients into a local buffer. Remote attackers may exploit this vulnerability to execute custom instructions on the target server, or to crash the service with a malicious request. No authentication is required to exploit this vulnerability. Additionally, the Locator service is enabled by default on all Windows 2000 and Windows NT Domain Controllers (DC).

Affected Products

Microsoft windows_nt_terminal_server

References

CVE: CVE-2003-0003

Short Name: WORM:AGOBOT:SASSER-FTP-OF
Severity: Major
Recommended: False
Recommended Action: Drop
Category: WORM
Keywords: Agobot CVE-2003-0003 FTP Overflow Sasser
Release Date: 10/06/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3336
Port: TCP/5554
False Positive: Unknown
Vendors

Microsoft

CVSS Score

7.5
