WORM: NACHI.D WebDAV Infection Attempt

This signature detects WebDAV overflows, which can indicate an infection attempt by the Nachi worm (D variant). Nachi.D, a worm, typically attempts to infect the target host by exploiting several vulnerabilities.

Extended Description

It has been reported that the Microsoft Windows Locator service is affected by a remotely exploitable buffer overflow vulnerability. The condition is due to a memory copy of RPC arguments received from remote clients into a local buffer. This vulnerability may be exploited by remote attackers to execute custom instructions on the target server. It is also possible to crash the service with a malicious request. It should be noted that, to exploit this vulnerability, no authentication is required. Additionally, the Locator service is enabled by default on all Windows 2000 and Windows NT Domain Controllers (DC).

Affected Products

Microsoft windows_nt_terminal_server

References

BugTraq: 6666

CVE: CVE-2003-0003

URL: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.D http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=38383 http://www.sophos.com/virusinfo/analyses/w32nachid.html

Short Name

WORM:NACHI:D-WEBDAV-ATK

Severity

Major

Recommended

False

Recommended Action

Drop

WORM: NACHI.D WebDAV Infection Attempt

Extended Description

Affected Products

References

Found a potential security threat?