WORM: Dabber Sasser Probe

This signature detects attempts by the Dabber worm to locate a computer already infected by the Sasser worm, which has known buffer overflow vulnerabilities. Dabber infects targets that Sasser has already infected; this signature detects the first stage of Dabber's infection process.

Extended Description

Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. The specific vulnerable system component is LSASRV.DLL. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise. This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk as the administrator will likely already have complete control over the system.

Affected Products

Avaya s8100_media_servers, Microsoft windows_xp_64-bit_edition_version_2003

Short Name
WORM:DABBER:SASSER-PROBE
Severity
Major
Recommended
False
Recommended Action
Drop
Category
WORM
Keywords
CVE-2003-0533 Dabber Probe Sasser bid:10108
Release Date
05/19/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3336
Port
TCP/5554
False Positive
Unknown
Vendors

Microsoft

Avaya

CVSS Score

7.5
