WORM: NACHI.B\C\D Locator Infection Attempt

This signature detects infection attempts of the Windows RPC Locator Service by the B, C or D variants of the Nachi worm. This signature only triggers on a successful connect to an accessible victim. Follow up is strongly suggested.

Extended Description

It has been reported that the Microsoft Windows Locator service is affected by a remotely exploitable buffer overflow vulnerability. The condition is due to a memory copy of RPC arguments received from remote clients into a local buffer. This vulnerability may be exploited by remote attackers to execute custom instructions on the target server. It is also possible to crash the service with a malicious request. It should be noted that, to exploit this vulnerability, no authentication is required. Additionally, the Locator service is enabled by default on all Windows 2000 and Windows NT Domain Controllers (DC).

Affected Products

Microsoft windows_nt_terminal_server

References

BugTraq: 6666

CVE: CVE-2003-0003

URL: http://vil.nai.com/vil/content/v_101013.htm http://secunia.com/virus_information/566/nachi.b/ http://www.sophos.com/virusinfo/analyses/w32nachib.html

Short Name

WORM:NACHI:B-C-D-INFECT-ATTEMPT

Severity

Critical

Recommended

False

Recommended Action

Drop

WORM: NACHI.B\C\D Locator Infection Attempt

Extended Description

Affected Products

References

Found a potential security threat?