TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Upon execution, it displays a fake error message saying "Error in packed file", drops some files in the SYSTEM folder and creates registry entries to become active at startup. This signature detects when a packet has the pattern 'WINAMP 5.7 NEW!.EXE' or 'ICQ 2005A EW!.EXE'.
Signature ID: 29031
Worm Zafi.D (By Filename)
Threat Level: Information
Signature Description: This is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs the 'From:' address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names contain 'share' or 'upload'. The worm may arrive with the extensions ZIP, CMD, PIF, BAT or COM. Harvested addresses are stored in five files in the system32 folder using random names and the file extension .DLL. The body of the email sent by the worm is in the form of Christmas greetings. Upon execution, it displays a fake error message saying "Error in packed file", drops some files in the SYSTEM folder and creates registry entries to become active at startup. TCP port 8181 is opened on the infected system.
Signature ID: 29033
Worm Zafi.D (SMTP Outgoing/Incoming .zip format)
Threat Level: Information
Signature Description: This is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names contain 'share' or 'upload'. The worm may arrive with the extension ZIP. Harvested addresses are stored in a zip file in the system32 folder using random names and the file extension .DLL. The body of the email sent by the worm is in the form of Christmas greetings. Upon execution, it displays a fake error message saying "Error in packed file", drops some files in the SYSTEM folder and creates registry entries to become active at startup.
Signature ID: 29035
Worm Zafi.D (SMTP Outgoing/Incoming .cmd, .com, .pif, .bat formats)
Threat Level: Information
Signature Description: This is a mass-mailing worm that constructs messages using its own SMTP engine and spoofs the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names contain 'share' or 'upload'. The worm may arrive with the extensions CMD, PIF, BAT or COM. Harvested addresses are stored in four files in the system32 folder using random names and the file extension .DLL. The body of the email sent by the worm is in the form of Christmas greetings. Upon execution, it displays a fake error message saying "Error in packed file", drops some files in the SYSTEM folder and creates registry entries to become active at startup.
Signature ID: 29036
Akak Trojan
Threat Level: Warning
Industry ID: CVE-2005-0053
Bugtraq: 11466
Signature Description: The Akak Trojan utilizes the IE drag-and-drop vulnerability. Visiting a web page on a malicious website and simply clicking, or dragging and dropping, an image on the page can exploit the vulnerability. When the vulnerability is exploited, the malicious web server can install an executable file on the user's machine. This executable is placed in the Startup directory so that it executes upon the user's next login. When it is executed, it installs a Trojan as testexe.exe or rb.exe, which connects back to the master control server on port 4321. The Trojan listens for commands from the master control server. The Trojan will also turn off the XP firewall feature.