WORM: MS-Blast Backdoor Command
This signature detects the backdoor command that instructs the MS-Blast (aka "Blaster") worm to download the worm's second stage component. Attackers use this backdoor command to complete infection of a target host; if this signature is detected in your network traffic, the target computer is most likely infected with the Blaster worm.
Extended Description
A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system. This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80. ** There have been unconfirmed reports that Windows 9x systems with certain software installed may also be vulnerable to this issue. Reportedly, Windows 98 systems with .NET software installed may be vulnerable according to scans using various DCOM RPC vulnerability scanning tools. Symantec has not confirmed this behaviour and it may in fact be due to false positives generated by the scanners.
Affected Products
Cisco sn_5420_storage_router,Cisco call_manager
Short Name
WORM:BLASTER:BACKDOOR-CMD
Severity
Major
Recommended
False
Recommended Action
Drop
Category
WORM
Keywords
Backdoor CVE-2003-0352 Command MS-Blast bid:8205
Release Date
10/06/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
Port
TCP/4444
False Positive
Unknown
Vendors
Cisco
Microsoft
Compaq
CVSS Score
7.5