ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
download and execute files from these domains. The exact URL is generated based on the current date and is likely
to change over the following days and weeks, but the host address/domain will remain the same. This worm spreads via
e-mail; it uses its own SMTP engine to send itself to e-mail addresses found on infected systems, spoofing the From
address. This signature detects SMTP outbound worm traffic.
Signature ID: 29020
Worm Sober.R (SMTP Inbound)
Threat Level: Information
Signature Description: This mass-mailing e-mail virus arrives in an e-mail message as an attachment with a .ZIP
extension. When the ZIP archive is extracted and the contained PIF file is manually executed, the virus may display a
fake error message saying "Error in packed file CRC header must be $7ff8". The worm then copies itself to a newly
created directory in the WINDOWS directory and creates registry run keys to load itself at system startup. Further
symptoms include outgoing network traffic on TCP ports 587, 37 and 80 to some specific domains. The worm tries to
download and execute files from these domains. The exact URL is generated based on the current date and is likely
to change over the following days and weeks, but the host address/domain will remain the same. This worm spreads via
e-mail; it uses its own SMTP engine to send itself to e-mail addresses found on infected systems, spoofing the From
address. This signature detects SMTP inbound worm traffic.
Signature ID: 29021
Worm Sober.AA (.Z,.AG,.X,.Y,.W) (SMTP outbound)
Threat Level: Information
Signature Description: W32/Sober.AA is a mass-mailing worm. When first run it creates the directory "WinSecurity"
in the Windows directory and creates there three copies of itself under the names "services.exe", "smss.exe" and
"csrss.exe". It then displays a bogus error message, executes all the newly created copies of the worm and exits. In the
same directory it also drops the files "socket1.ifo", "socket2.ifo" and "socket3.ifo", which are base-64 encoded copies
of the worm, and "mssock1.dli", "mssock2.dli", "mssock3.dli" and "nexttroj.tro", which are used to store harvested
e-mailing information. This signature will trigger when the attack pattern flows in the Outbound direction to the target.
Signature ID: 29022
Worm Sober.AA (.Z,.AG,.X,.Y,.W) (SMTP Inbound)
Threat Level: Information
Signature Description: W32/Sober.AA is a mass-mailing worm. When first run it creates the directory "WinSecurity"
in the Windows directory and creates there three copies of itself under the names "services.exe", "smss.exe" and
"csrss.exe". It then displays a bogus error message, executes all the newly created copies of the worm and exits. In the
same directory it also drops the files "socket1.ifo", "socket2.ifo" and "socket3.ifo", which are base-64 encoded copies
of the worm, and "mssock1.dli", "mssock2.dli", "mssock3.dli" and "nexttroj.tro", which are used to store harvested
e-mailing information. This signature will trigger when the attack pattern flows in the Inbound direction to the target.
Signature ID: 29023
Worm SoBig E-F
Threat Level: Information
Signature Description: Worm Sobig is a mass-mailing, network-aware worm that uses its own SMTP engine to
propagate. This worm sends massive amounts of mail with forged sender information and contains a payload that
activates on Fridays and Sundays. Once executed, it copies itself as winppr2.exe into the SYSTEM directory and adds a
registry value to become active at startup. The worm contains a list of IP addresses of remote NTP servers, to which it
sends NTP packets (destination UDP port 123); it obtains the UTC time from one of these servers and uses it to
determine when to attempt to download remote file(s). The worm is capable of retrieving file(s) from a remote server,
the specific URL of which is controlled by the author and is issued in response to data sent from infected machines. At
a specific time (as determined via NTP), the worm sends data from infected machines to a number of remote systems
on UDP port 8998.