GEN:SID 1:2589
Message WEB-CLIENT Content-Disposition CLSID command attempt
Summary This event is generated when an attempt is made to return to
a web client a file in the Content-Disposition Header with a
Class ID (CLSID) embedded in the file name.
Impact A successful attack may trick a client on a vulnerable host to download
a malicious file that will be executed by the Windows Shell.
Detailed Information Internet Explorer does not correctly handle or display specially
crafted files in the browser dialogue where the user choses the
action (e.g., open, save, cancel) for a downloaded file.
Specifically, these are overly long file names that employ URL
encoding of "." %2E before the file extension and contain the
Class ID (CLSID) associated with the Windows Shell in the file name.

This serves two purposes; the first is that the file name will
be truncated in the user dialog so the user doesn't see the
CLSID reference, making it appear to be a more innocuous file
with a known extension such as mpg or pdf.  Second, the downloaded
file will actually contain malcious commands that will be
executed by the Windows Shell when opened because of the hidden
CLSID in the file name.

Currently, the only known CLSID that exploits this vulnerability
is associated with the Windows Shell.  Yet, it may be possible
for another CLSID to be discovered in the future that would be
associated with a COM component that could be used for malicious
purposes.
Affected Systems Windows NT Workstation/Server 4.0 SP6a
    Windows NT Workstation/Server 4.0 SP6a with Active Desktop
    Windows NT Server 4.0 Terminal Server Edition SP6
    Windows 2000 SP2-SP4
    Windows XP and XP SP1
    Windows XP 64-Bit Edition SP1
    Windows XP 64-Bit Edition Version 2003
    Windows Server 2003
    Windows Server 2003 64-Bit Edition
Attack Scenarios An attacker can entice a user to visit a web server that
will return a malicious file with a file name that contains
a CLSID, perhaps enabling the execution of the malicious
code when the file is opened.
Ease of Attack Simple. Exploit code is publicly available.
Corrective Action Upgrade to the latest non-affected version of the software.
Additional References  
Rule References bugtraq: 9510
cve: 2004-0420
url: www.microsoft.com/technet/security/bulletin/ms04-024.mspx