Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1289 |
| Message | TFTP GET Admin.dll |
| Summary | This event is generated when an exploited Internet Information Server (IIS) host attempts to perform a tftp download of the file admin.dll to infect the host with the nimda worm. |
| Impact | Administrator access. A successful attack can allow remote execution of commands with administrator privleges. |
| Detailed Information | The nimda worm uses multiple propagation methods. One method exploits a victim Internet Information Server (IIS) using a unicode directory traversal attack to execute commands on the target server. An attempt is made to execute a tftp download of the file admin.dll from the infected attacking host to the victim server. The admin.dll file is a copy of the nimda worm that is activated on the newly infected victim server. This event is triggered if the IIS server is exploitable and the tftp transfer is attempted. |
| Affected Systems | Hosts running Microsoft IIS 4.0 and 5.0. |
| Attack Scenarios | The worm will attempt to remotely exploit a unicode directory vulnerability to infect an IIS server by executing a tftp download of the nimda worm. |
| Ease of Attack | Simple. |
| Corrective Action | Apply the appropriate patch referenced in Microsoft Security Bulletin MS00-078. |
| Additional References | CERT: http://www.cert.org/advisories/CA-2001-26.html Microsoft: http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp |
| Rule References | url: www.cert.org/advisories/CA-2001-26.html |
--
DID:501994
--
http://www.aanval.com/