ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 29024
Trojan Bancos Vulnerability
Threat Level: Warning
Signature Description: Trojan Bancos is a password-stealing Trojan that also downloads code. It is targeted at users
of various Brazilian online banks. The Trojan attempts to steal confidential login information from users of the infected
computer and e-mails the captured data back to its author. The Trojan also connects to the Internet and downloads code
from a preconfigured site.
Signature ID: 29026
Worm Zafi (SMTP Outbound)
Threat Level: Information
Signature Description: This is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs
the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names
contain 'share' or 'upload'. It arrives as an e-mail attachment with one of the extensions .COM, .PIF or .EXE.
Once it infects a computer, it creates a mutex, which allows only one instance of the worm to run in memory. It drops
an .exe and a .dll file with random file names in the SYSTEM folder, then creates registry entries so that these files
run at each startup. It searches the computer for files or folders belonging to known security products and deletes
them. It collects e-mail addresses from the Windows Address Book files and uses its own SMTP engine to send itself
to the addresses it finds.
Signature ID: 29027
Worm Zafi.B
Threat Level: Information
Signature Description: This is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs
the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names
contain 'share' or 'upload'. It arrives as an e-mail attachment with one of the extensions .COM, .PIF or .EXE.
Once it infects a computer, it creates a mutex named "_Hazafibb", which allows only one instance of the worm to run in
memory. It drops an .exe and a .dll file with random file names in the SYSTEM folder, then creates registry entries so
that these files run at each startup. It searches the computer for files or folders belonging to known security
products and deletes them. It collects e-mail addresses from the Windows Address Book files and uses its own SMTP
engine to send itself to the addresses it finds.
Signature ID: 29029
Worm Zafi.D (By Filename)
Threat Level: Information
Signature Description: This is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs
the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names
contain 'share' or 'upload'. The body of the e-mail sent by the worm takes the form of a Christmas greeting.
Upon execution it displays a fake error message saying "Error in packed file", drops files in the SYSTEM folder and
creates registry entries to become active at startup. This signature fires when a packet contains the pattern
'WINAMP 5.7 NEW!.EXE'.
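The description above says signature 29029 keys on the literal pattern 'WINAMP 5.7 NEW!.EXE' in the packet. The following is an added example, not code from the ProCurve guide or the TMS zl module: it assumes the signature is a raw byte match on the SMTP payload, and contrasts that with extracting the attachment filename from the parsed MIME message, which still matches when the filename parameter is carried as an RFC 2047 encoded word and the literal bytes never appear on the wire. The sample messages are constructed for the example and are not captured Zafi.D traffic; the function names and the "executable extension" check (taken from the .COM/.PIF/.EXE list in the Zafi descriptions) are this example's own.

```python
"""Added example: matching the Zafi.D attachment filename in SMTP traffic
both as a raw byte pattern and as a decoded MIME attachment filename."""
import base64
import email
from email.header import decode_header, make_header
from typing import List, Tuple

# From signature 29029 in the guide: the literal filename pattern.
SIGNATURE_PATTERN = b"WINAMP 5.7 NEW!.EXE"
# From the Zafi descriptions: extensions the worm arrives with.
EXECUTABLE_EXTENSIONS = (".com", ".pif", ".exe")


def mime_sample(filename_param: str, body: str = "Merry Christmas! Open the card.") -> bytes:
    """Construct a small multipart/mixed message with one attachment whose
    Content-Type name and Content-Disposition filename parameter are
    filename_param. This is synthetic test data, not a real capture."""
    text = (
        'From: "Santa" <santa@example.invalid>\r\n'
        "To: victim@example.invalid\r\n"
        "Subject: Merry Christmas!\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        f"{body}\r\n"
        "--b1\r\n"
        f'Content-Type: application/octet-stream; name="{filename_param}"\r\n'
        f'Content-Disposition: attachment; filename="{filename_param}"\r\n'
        "\r\n"
        "placeholder attachment bytes\r\n"
        "--b1--\r\n"
    )
    return text.encode("ascii")


def raw_pattern_match(raw: bytes) -> bool:
    """The byte-pattern check the signature description implies: fires only
    when the literal string is present in the payload (assumption)."""
    return SIGNATURE_PATTERN in raw


def attachment_filenames(raw: bytes) -> List[str]:
    """Parse the message as MIME and return attachment filenames with any
    RFC 2047 encoded words decoded to their plain text."""
    msg = email.message_from_bytes(raw)
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(str(make_header(decode_header(name))))
    return names


def zafi_d_hits(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment that either equals the
    signature 29029 filename (case-insensitive) or carries one of the
    executable extensions the Zafi family is described as using."""
    hits = []
    for name in attachment_filenames(raw):
        if name.upper() == SIGNATURE_PATTERN.decode("ascii"):
            hits.append((name, "signature 29029 filename"))
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
            hits.append((name, "executable extension"))
    return hits


# Constructed samples: the plain filename, the same filename as an RFC 2047
# encoded word (so the literal bytes are absent from the wire), and a benign one.
PLAIN_NAME = SIGNATURE_PATTERN.decode("ascii")
ENCODED_NAME = "=?utf-8?B?" + base64.b64encode(SIGNATURE_PATTERN).decode("ascii") + "?="
SAMPLE_PLAIN = mime_sample(PLAIN_NAME)
SAMPLE_ENCODED = mime_sample(ENCODED_NAME)
SAMPLE_BENIGN = mime_sample("card.txt")

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("encoded", SAMPLE_ENCODED), ("benign", SAMPLE_BENIGN)):
        print(label, "raw match:", raw_pattern_match(sample), "decoded hits:", zafi_d_hits(sample))
```

The raw check catches the plain sample and misses the encoded one, while the decoded-filename check catches both; the benign sample matches neither. When tuning a filename-based signature like this one, it is worth confirming which of the two behaviours your inspection engine actually has.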
Signature ID: 29030
Worm Zafi.D (By Filename)
Threat Level: Information
Signature Description: This is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs
the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names
contain 'share' or 'upload'. The body of the e-mail sent by the worm takes the form of a Christmas greeting.