GEN:SID | 1:1289 |
Message | TFTP GET Admin.dll |
Summary | This event is generated when an exploited Internet Information Server (IIS) host attempts to perform a tftp download of the file admin.dll to infect the host with the nimda worm.
|
Impact | Administrator access. A successful attack can allow remote execution of commands with administrator privleges.
|
Detailed Information | The nimda worm uses multiple propagation methods. One method exploits a victim Internet Information Server (IIS) using a unicode directory traversal attack to execute commands on the target server. An attempt is made to execute a tftp download of the file admin.dll from the infected attacking host to the victim server. The admin.dll file is a copy of the nimda worm that is activated on the newly infected victim server. This event is triggered if the IIS server is exploitable and the tftp transfer is attempted.
|
Affected Systems | Hosts running Microsoft IIS 4.0 and 5.0.
|
Attack Scenarios | The worm will attempt to remotely exploit a unicode directory vulnerability to infect an IIS server by executing a tftp download of the nimda worm.
|
Ease of Attack | Simple.
|
Corrective Action | Apply the appropriate patch referenced in Microsoft Security Bulletin MS00-078.
|
Additional References | CERT: http://www.cert.org/advisories/CA-2001-26.html
Microsoft: http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp
|
Rule References | url: www.cert.org/advisories/CA-2001-26.html
|