ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 29013
Worm Sober.K (SMTP Inbound)
Threat Level: Information
Signature Description: Sober.K sends itself as an attachment in e-mail messages with English or German text. When
the worm's file is run it opens NOTEPAD showing some junk characters, then copies itself under three different names
(csrss.exe, smss.exe, winlogon.exe) to %WinDir%\msagent\win32\ and creates registry entries that start these files at
system startup. Before spreading it collects e-mail addresses from the infected computer and uses its own SMTP engine
to propagate.
Signature ID: 29014
Worm Sober.K (SMTP Outbound)
Threat Level: Information
Signature Description: Sober.K sends itself as an attachment in e-mail messages with English or German text. When
the worm's file is run it opens NOTEPAD showing some junk characters, then copies itself under three different names
(csrss.exe, smss.exe, winlogon.exe) to %WinDir%\msagent\win32\ and creates registry entries that start these files at
system startup. The worm has been distributed as a 51,918-byte ZIP archive that contains a 51,688-byte Win32
executable. Before spreading it collects e-mail addresses from the infected computer and uses its own SMTP engine to
propagate.
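Both Sober.K entries describe copies named csrss.exe, smss.exe and winlogon.exe dropped under %WinDir%\msagent\win32\. Those names belong to legitimate Windows system processes, so a host-side check that looks only at process names cannot tell the worm apart from the real binaries; it has to compare the image path. The Python below is an added example for this guide, not code from ProCurve or from the signature itself. The process listing is constructed, and the assumption that the genuine binaries live in the system32 directory under %WinDir% belongs to the example, not to the signature description.

```python
import ntpath

# Names Sober.K gives its copies (from the signature description). All three
# are also the names of legitimate Windows system binaries, which is why a
# name-only check cannot distinguish the worm from the real thing.
SOBER_K_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe"}


def _norm(path, windir):
    """Expand %WinDir%, then normalise separators and case for comparison."""
    return ntpath.normpath(path.replace("%WinDir%", windir)).lower()


def classify(path, windir=r"C:\WINDOWS"):
    """Classify one process image path.

    Returns "ignore" for names outside SOBER_K_NAMES, "expected" when the
    binary sits in the system32 directory under windir (its legitimate home,
    an assumption of this example), "sober_k" for the drop directory named
    in the signature, and "suspicious" for a system-binary name anywhere else.
    """
    full = _norm(path, windir)
    name = ntpath.basename(full)
    if name not in SOBER_K_NAMES:
        return "ignore"
    directory = ntpath.dirname(full)
    if directory == _norm(ntpath.join(windir, "msagent", "win32"), windir):
        return "sober_k"
    if directory == _norm(ntpath.join(windir, "system32"), windir):
        return "expected"
    return "suspicious"


def scan(paths, windir=r"C:\WINDOWS"):
    """Bucket image paths; only the actionable buckets are returned."""
    hits = {"sober_k": [], "suspicious": []}
    for p in paths:
        verdict = classify(p, windir)
        if verdict in hits:
            hits[verdict].append(p)
    return hits


# Constructed process listing for demonstration; not real host telemetry.
PROCESSES = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\msagent\win32\csrss.exe",
    r"C:\WINDOWS\msagent\win32\winlogon.exe",
    r"C:\Program Files\Editor\editor.exe",
    r"C:\Users\alice\Downloads\winlogon.exe",
]

if __name__ == "__main__":
    for bucket, paths in scan(PROCESSES).items():
        print(bucket, paths)
```

The "suspicious" bucket is deliberately separate from "sober_k": a system-binary name in a download folder is not this worm, but it is still worth a look, and the two findings should not be merged into one alert.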
Signature ID: 29015
Worm Sober.O
Threat Level: Information
Signature Description: This mass-mailing worm arrives in e-mail messages as a ZIP attachment designed to trick users
into thinking that someone else is receiving their e-mail. Manually opening the archive and running the contained
executable infects the local system. When run, the worm copies itself to
C:\WINDOWS\Config\system\services.exe and creates two registry run keys to load itself at system startup. The worm
creates a text file in the %temp% directory, mail.document.Datex-packed.txt, and displays it in NOTEPAD. The worm also
tries to contact different time servers on TCP port 37. This worm spreads via e-mail, sending itself to addresses
harvested from files found on the infected computer.
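The outbound TCP port 37 traffic noted for Sober.O (and again for Sober.P and Sober.R below) is a network-side indicator that does not depend on catching the mail itself: an ordinary workstation rarely speaks the TIME protocol to several external hosts. The Python below is an added example, not part of this guide, that looks for exactly that fan-out in firewall accept logs. The log line format is constructed for the example, and treating the RFC 1918 ranges as "internal" is the example's assumption; adjust both to the logging product and address plan actually in use.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format: one key=value record per accepted connection.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

TIME_PORT = 37  # TCP port the Sober.O/P/R descriptions name for time-server contact

# Assumption of this example: the RFC 1918 ranges are "inside"; anything else
# is an external host. Replace with the real address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "proto": m["proto"].lower(), "dport": int(m["dport"])}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def time_server_fanout(lines, min_distinct=2):
    """Map each internal source to the sorted set of external hosts it reached
    on TCP/37, keeping only sources that hit at least min_distinct of them.

    An internal time source is skipped: a host syncing to the site's own
    server is expected behaviour, not the worm's "different time servers".
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != TIME_PORT:
            continue
        if is_internal(rec["dst"]):
            continue
        seen[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in seen.items() if len(dsts) >= min_distinct}


# Constructed sample: one host fanning out to three external TCP/37 servers,
# one host using an internal time source, one host with a single external hit,
# and ordinary web traffic for noise.
LOG_LINES = [
    "2005-05-03T10:12:01 src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=37 action=allow",
    "2005-05-03T10:12:02 src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=37 action=allow",
    "2005-05-03T10:12:04 src=10.0.0.5 dst=198.51.100.4 proto=tcp dport=37 action=allow",
    "2005-05-03T10:12:05 src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=37 action=allow",
    "2005-05-03T10:12:06 src=10.0.0.8 dst=10.0.0.1 proto=tcp dport=37 action=allow",
    "2005-05-03T10:12:07 src=10.0.0.9 dst=203.0.113.7 proto=tcp dport=37 action=allow",
    "2005-05-03T10:12:08 src=10.0.0.9 dst=203.0.113.50 proto=tcp dport=80 action=allow",
    "2005-05-03T10:12:09 src=10.0.0.5 dst=203.0.113.50 proto=udp dport=37 action=allow",
    "malformed line that the parser must tolerate",
]

if __name__ == "__main__":
    for src, dsts in time_server_fanout(LOG_LINES).items():
        print(f"{src} contacted {len(dsts)} external TCP/37 hosts: {', '.join(dsts)}")
```

Port 37 is the useful one here; the ports 587 and 80 listed for Sober.R are far too common to alert on by themselves, so use them only to enrich a TCP/37 finding, not as a trigger.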
Signature ID: 29017
Worm Sober.P (SMTP Outbound)
Threat Level: Information
Signature Description: This mass-mailing e-mail worm arrives in an e-mail message as an attachment with a .ZIP
extension. When the ZIP archive is extracted and the contained PIF file is manually executed, the worm may display a
fake error message saying "Error: CRC not complete". The worm then copies itself to a newly created directory in the
WINDOWS directory and creates registry run keys to load itself at system startup. Further symptoms include outgoing
network traffic on TCP port 37 to some specific domains. This worm spreads via e-mail: it uses its own SMTP engine to
send itself to e-mail addresses found on infected systems, spoofing the From address.
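Sober.K, Sober.O, Sober.P and Sober.R all arrive the same way: a ZIP attachment whose only payload is a Windows executable (a PIF file for Sober.P and Sober.R). A mail gateway can catch this class of message without a per-variant signature by opening each ZIP attachment and looking at what is inside. The Python below is an added example for this guide, not code from ProCurve or from the TMS zl Module. The sample messages and the member name mail.document.pif are constructed for the example, and the extension list is an assumption to be extended to local policy.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that run when double-clicked on Windows. The Sober variants above
# ship a PIF or EXE inside the ZIP; this list is an assumption of the example.
EXEC_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")

ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def suspicious_zip_members(zip_bytes):
    """Return member names inside a ZIP whose extension is executable.

    A corrupt archive is reported as a finding on its own: a gateway cannot
    vouch for content it cannot open, and the worm's fake "CRC" error text
    shows the attacker expects users to push past exactly that.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def scan_message(raw):
    """Parse a raw RFC 822 message and return [(attachment name, members)]
    for every ZIP attachment that carries an executable member."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Check both the declared type and the name: senders lie about either.
        if part.get_content_type() in ZIP_TYPES or name.lower().endswith(".zip"):
            members = suspicious_zip_members(part.get_payload(decode=True))
            if members:
                findings.append((name, members))
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {member name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(zip_bytes, zip_name):
    """Constructed message in the style the signatures describe: a short
    bounce-like text with a ZIP attached. The From header is made up; Sober
    spoofs it, so nothing in it can be trusted for attribution."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"
    msg["To"] = "alice@example.net"
    msg["Subject"] = "Your mail"
    msg.set_content("Your message could not be delivered. See the attachment.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


# Constructed samples; the executable member is a placeholder, not malware.
SAMPLE_WORM = build_sample(build_zip({"mail.document.pif": b"MZ placeholder"}), "mail.zip")
SAMPLE_CLEAN = build_sample(build_zip({"report.txt": b"quarterly figures"}), "report.zip")

if __name__ == "__main__":
    for label, raw in (("worm-style", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(raw))
```

Inspecting members by name is a first filter, not a verdict: a member renamed to .txt still executes if the user renames it back, so a production gateway would also look at the member's magic bytes and, as the Sober.K entry suggests, at archive and member sizes that match a known variant.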
Signature ID: 29019
Worm Sober.R (SMTP Outbound)
Threat Level: Information
Signature Description: This mass-mailing e-mail worm arrives in an e-mail message as an attachment with a .ZIP
extension. When the ZIP archive is extracted and the contained PIF file is manually executed, the worm may display a
fake error message saying "Error in packed file CRC header must be $7ff8". The worm then copies itself to a newly
created directory in the WINDOWS directory and creates registry run keys to load itself at system startup. Further
symptoms include outgoing network traffic on TCP ports 587, 37 and 80 to some specific domains. The worm tries to