ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 160148
DCE RPC Interface Buffer Overflow Exploit
Threat Level: Information
Signature Description: The DCOM/RPC worm can spread across Windows 2000 and Windows XP systems.
According to ISC, the worm uses RPC/DCOM to propagate itself. It sends a self-extracting compressed file that is 6176
bytes in size, and about 11KB when uncompressed, to the target system. The captured worm comes in the form of a file
called mblast.exe, which has an MD5 checksum of 5ae700c1dffb00cef492844a4db6cd69. Once the worm
executes on the infected system, it opens a backdoor on port 4444 and then tries to download more worm files from
a range of Trivial FTP (TFTP) servers. This signature detects attacks on UDP-based RPC traffic.