Nigel removed w00.w00 reference and added CVE, bugtraq Rule: -- Sid: 1752 -- Summary: This event is generated when exploit traffic is observed that attempts to cause a buffer overflow in a Windows host running America Online (AOL) Instant Messenger (AIM). -- Impact: Attempted user level access. A successful attack may permit the execution of arbitrary code with the privileges of the user running AIM. -- Detailed Information: AIM can be used for message and file exchanges as well as many other applications. A buffer overflow exists in AIM code that requests external applications (AddExternalAPP) that may permit the execution of arbitrary code on a Windows client AIM host with the privileges of the user running AIM. -- Affected Systems: Windows hosts running AIM 4.2 - 4.8.2616. -- Attack Scenarios: An attacker may craft a malformed AIM add external application request causing a buffer overflow, and potentially permitting the execution of arbitrary code with the privileges of the user running AIM. -- Ease of Attack: Simple. Exploit code is freely available. -- False Positives: None known. -- False Negatives: This event is trigger when known exploit code is run. It may be possible that other exploit code exists that will not trigger this event. -- Corrective Action: -Workstation: Upgrade to version 2001B Beta v5.18 Build #3659 or later. or Go to Preferences in AIM -> Privacy -> In "Who can contact me" check "Allow only users on my Buddy List". -Network: Block AIM traffic into and out of your network. -- Contributors: Original rule writer unknown. Sourcefire Research Team Judy Novak <judy.novak@sourcefire.com> -- Additional References: CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0362 Bugtraq: http://www.securityfocus.com/bid/4677 --