TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 29006
BugBear@MM
Threat Level: Information
Signature Description: Bugbear@MM is a mass-mailing worm, and it usually spreads through network shares. It has
keystroke-logging and backdoor capabilities, and also attempts to terminate the processes of various antivirus and
firewall programs. The worm does not handle the network resources properly and it may flood shared printer resources,
which causes them to print garbage or disrupt their normal functionality.
Signature ID: 29007
BugBear@mm
Threat Level: Information
Signature Description: Bugbear@mm is a mass-mailing worm, and it usually spreads through network shares. It has
keystroke-logging and backdoor capabilities, and also attempts to terminate the processes of various antivirus and
firewall programs. The worm does not handle the network resources properly and it may flood shared printer resources,
which causes them to print garbage or disrupt their normal functionality.
Signature ID: 29009
Worm Agobot/Phatbot
Threat Level: Information
Signature Description: The AGOBOT/Phatbot worm connects to an Internet Relay Chat (IRC) server and acts as a bot
program, allowing remote users to manipulate infected machines and launch a denial of service (DoS) attack against
other IRC users. This worm may also act as a backdoor server and allow remote users to access and manipulate
infected systems directly using a corresponding client application.
Signature ID: 29011
Worm Sober.F (SMTP Outbound)
Threat Level: Information
Signature Description: Sober.F arrives as an e-mail attachment with an exe or zip file extension, and the message part is in
English or German. When the worm's file is run, it opens Notepad with a text file that contains junk
characters. Then the worm installs itself on the system. It copies itself to the Windows System folder once, with a
semi-randomly generated name, and creates 2 startup keys for this file in the System Registry. The worm scans files with
certain extensions on all hard disks to harvest e-mail addresses. The worm can send messages chosen from a variety of
templates in English and German. Some of the messages will attempt to appear to users as harmless error
messages.
Signature ID: 29012
Worm Sober.I (SMTP Outbound)
Threat Level: Information
Signature Description: Sober.I arrives in an e-mail attachment as an exe or zip archive with a message in English or
German. When the worm is installed on the user's system it opens a dialog box saying "winzip_data_module is
missing ~Error: {2A0DDFFE}". Then the worm installs itself on the system. It makes two copies of itself in the Windows
System folder with a semi-randomly generated name and EXE extension. After that the worm creates startup keys for its
files in the Windows Registry. Before spreading, the worm scans files with certain extensions on all hard disks to harvest e-mail
addresses