TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 2072
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: This signature detects when the packet contains the pattern 'file.scr'. The Novarg worm (also known
as Mydoom) infects systems through email attachments and peer-to-peer (P2P) file sharing. It targets all Win32 computers. Once
a system is infected, the worm installs a backdoor that gives an attacker remote access to it. The worm also uses its own SMTP
engine to send out email messages.
Signature ID: 2073
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: The Novarg worm (also known as Mydoom) infects systems through email attachments and peer-to-peer (P2P)
file sharing. It targets all Win32 computers. Once a system is infected, the worm installs a backdoor that gives an attacker
remote access to it. The worm also uses its own SMTP engine to send out email messages. This signature triggers
when the packet contains the pattern 'body.scr'.
Signature ID: 2074
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: This signature triggers when the packet contains the pattern 'text.pif'. The Novarg worm (also known
as Mydoom) infects systems through email attachments and peer-to-peer (P2P) file sharing. It targets all Win32 computers. Once
a system is infected, the worm installs a backdoor that gives an attacker remote access to it. The worm also uses its own SMTP
engine to send out email messages.
Signature ID: 2075
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: The Novarg worm (also known as Mydoom) infects systems through email attachments and peer-to-peer (P2P)
file sharing. It targets all Win32 computers. Once a system is infected, the worm installs a backdoor that gives an attacker
remote access to it. The worm also uses its own SMTP engine to send out email messages. This signature triggers when the
packet contains the pattern 'text.htm.pif'.
Signature ID: 2076
Microsoft Exchange Server Extended Verb XEXCH50 Request Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0714
Bugtraq: 8838 Nessus: 11889
Signature Description: Microsoft Exchange Server is a messaging and collaboration software product developed by
Microsoft. Microsoft Exchange 5.5 and Microsoft Exchange 2000 are vulnerable to a buffer overflow caused by
improper bounds checking. XEXCH50 is an Exchange-specific SMTP extension verb used to relay certain message
properties, such as envelope and recipient properties, between servers. The Exchange Server accepts the XEXCH50
command verb before NTLM authentication has taken place. An attacker could craft an SMTP extended verb request whose
length argument is a negative number or a very large positive number. By connecting to the SMTP port of a vulnerable
Exchange server, a remote attacker could send such a specially crafted XEXCH50 request to overflow a buffer and either
crash the SMTP service or execute arbitrary code on the system with Local System privileges. Apply the appropriate patch for
your system, as listed in Microsoft Security Bulletin MS03-046.
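The following Python is an added example, not code from this guide or from ProCurve, showing how the two kinds of check described in signatures 2072-2076 can be applied to the client side of an SMTP session: a case-insensitive substring match for the four Novarg attachment-name patterns over the DATA body, and a check of the XEXCH50 verb that flags it when it arrives before the server has confirmed authentication or when its length argument is negative or above a ceiling. The session transcript is constructed, the 65535-byte ceiling is an assumed local policy value rather than a number from the guide, and treating "unauthenticated or out-of-range length" as the trigger for 2076 is this example's reading of the description, not the product's actual signature logic.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Attachment-name patterns from signatures 2072-2075 (values taken from the guide entries above).
NOVARG_PATTERNS = {
    2072: b"file.scr",
    2073: b"body.scr",
    2074: b"text.pif",
    2075: b"text.htm.pif",
}

# XEXCH50 takes a length argument followed by a count; the first argument is the one the
# description says may be negative or very large. Regex and ceiling are this example's own.
XEXCH50_RE = re.compile(rb"^XEXCH50\s+(-?\d+)\s+(-?\d+)\s*$", re.IGNORECASE)
MAX_XEXCH50_LENGTH = 65535  # assumed policy ceiling, not a value from the guide


@dataclass
class Alert:
    signature_id: int
    detail: str


def novarg_hits(payload: bytes) -> list[Alert]:
    """Return one Alert per Novarg pattern found anywhere in the payload (case-insensitive)."""
    lowered = payload.lower()
    return [Alert(sid, pat.decode()) for sid, pat in NOVARG_PATTERNS.items() if pat in lowered]


def xexch50_alert(command: bytes, authenticated: bool) -> Alert | None:
    """Evaluate a single client command line; return an Alert for signature 2076 or None."""
    match = XEXCH50_RE.match(command.strip())
    if match is None:
        return None
    length = int(match.group(1))
    if not authenticated:
        return Alert(2076, f"XEXCH50 before authentication (length {length})")
    if length < 0 or length > MAX_XEXCH50_LENGTH:
        return Alert(2076, f"XEXCH50 length {length} outside 0..{MAX_XEXCH50_LENGTH}")
    return None


def scan_session(lines: list[bytes]) -> list[Alert]:
    """Walk a transcript of 'C: ' (client) and 'S: ' (server) lines and collect alerts.

    Server lines only update state: a 235 reply marks the session authenticated.
    Client command lines are checked for XEXCH50; after DATA, lines up to the lone '.'
    are buffered and scanned as the message body for the Novarg patterns.
    """
    alerts: list[Alert] = []
    authenticated = False
    in_data = False
    body: list[bytes] = []
    for line in lines:
        side, _, rest = line.partition(b" ")
        if side == b"S:":
            if rest.startswith(b"235"):
                authenticated = True
            continue
        if in_data:
            if rest.strip() == b".":
                alerts.extend(novarg_hits(b"\n".join(body)))
                body, in_data = [], False
            else:
                body.append(rest)
            continue
        verb = rest.strip().split(b" ", 1)[0].upper()
        if verb == b"DATA":
            in_data = True
        alert = xexch50_alert(rest, authenticated)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample session: an unauthenticated XEXCH50 with a negative length, followed by a
# message carrying a 'text.htm.pif' attachment name. Hosts and addresses are placeholders.
SAMPLE_SESSION = [
    b"S: 220 mail.example.test ESMTP",
    b"C: EHLO client.example.test",
    b"S: 250 OK",
    b"C: XEXCH50 -1 2",
    b"S: 500 Unrecognized command",
    b"C: MAIL FROM:<sender@example.test>",
    b"S: 250 OK",
    b"C: RCPT TO:<recipient@example.test>",
    b"S: 250 OK",
    b"C: DATA",
    b"S: 354 End data with <CR><LF>.<CR><LF>",
    b"C: Subject: document",
    b'C: Content-Disposition: attachment; filename="text.htm.pif"',
    b"C: ",
    b"C: .",
    b"S: 250 Queued",
    b"C: QUIT",
]

if __name__ == "__main__":
    for a in scan_session(SAMPLE_SESSION):
        print(f"signature {a.signature_id}: {a.detail}")
```

Run against the sample session this reports signature 2076 for the pre-authentication XEXCH50 and signature 2075 for the attachment name; note that 'text.htm.pif' does not also trip 2074, because 'text.pif' is not a substring of it, which is why the guide lists the two as separate signatures.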