GEN:SID 1:3087
Message WEB-IIS w3who.dll buffer overflow attempt
Summary This event is generated when an attempt is made to exploit a buffer
overflow in Microsoft Browser Client Context Tool (W3Who.dll).
Impact Denial of service or remote access. If the exploit is successful,
an attacker can gain remote access to the host with system privileges.
Detailed Information W3Who is an Internet Server Application Programming Interface (ISAPI)
application dynamic-link library (DLL) that works within a Web page to
display information about the calling context of the client browser and
the configuration of the host server. W3Who is included in the Windows
2000 Server Resource Kit.

A boundary error within the processing of parameters can be exploited
to cause a buffer overflow by passing an overly long parameter.
Affected Systems Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed
with IIS.)
Attack Scenarios An attacker can send a malformed HTTP request with an overly long
parameter to W3Who DLL, subsequently causing a buffer overflow.
Ease of Attack Simple
Corrective Action Disable the W3Who.dll ISAPI extension.
Additional References Microsoft:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640
Rule References bugtraq: 11820
cve: 2004-1134