WORM: NetSky.V SMTP Propagation

This signature detects the V variant of the NetSky worm. The V variant encodes a malicious HTML script in the body of an e-mail sent to the target host. When the e-mail appears in the preview pane (the e-mail does not need to be opened), Microsoft Outlook and Outlook Express process the encoded script, which downloads the NetSky worm from known Internet sites and installs the worm on the target host.

Extended Description

A remotely exploitable heap corruption vulnerability has been discovered in RPC. This issue exists in the RPCSS Service and occurs due to insufficient sanity checks when handling length values located within DCERPC DCOM object activation packets. As a result, this vulnerability can be exploited by a remote attacker to manipulate the contents of heap memory, potentially allowing for the execution flow of the RPCSS service to be controlled. This would ultimately allow for the execution of arbitrary code with SYSTEM privileges. eEye released an advisory disclosing details about the issue they reported that was addressed in MS03-039. It is currently not known if this information is associated with CAN-2003-0528. The other buffer overrun reported in MS03-039 and described in BID 8459 may be applicable to CAN-2003-0528. The appropriate updates will be made when further CVE information becomes available.

Affected Products

Microsoft windows_nt_terminal_server

Short Name
WORM:NETSKY:V-SMTP-PROP
Severity
Major
Recommended
False
Recommended Action
Drop
Category
WORM
Keywords
CVE-2003-0809 NetSky.V Propagation SMTP bid:8458
Release Date
04/21/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3375
False Positive
Unknown
Vendors

Microsoft

CVSS Score

7.5
