TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 29037
Bofra Worm
Threat Level: Information
Industry ID: CVE-2004-1050 Bugtraq: 11515
Signature Description: The Bofra worm exploits a vulnerability in certain versions of SHDOCVW.DLL, a Windows
operating system file that renders the IFRAME, FRAME, and EMBED HTML tags (MS04-040). This worm spreads
via the Internet in the form of infected emails without an attachment. Upon execution, it creates an executable file with a
random-letter file name and creates registry entries so that it becomes active at startup. It attempts to inject its code as a
thread into processes with a window class name of "Shell_TrayWnd" or into the process running in the foreground. The
worm runs as an HTTP server on TCP port 1639. When the worm receives an HTTP GET request that does not contain
"reactor," it sends shell code exploiting the IFRAME vulnerability (MS04-040) to the remote machine. The remote
machine runs the shell code, which sends back an HTTP GET request that contains "reactor" in the command. When the
worm receives an HTTP GET request that does contain "reactor," it sends a copy of itself to the remote machine. The
shell code running on the remote machine then executes the worm.
Signature ID: 29038
Worm DipNet/Oddbob
Threat Level: Information
Industry ID: CVE-2003-0528 CVE-2003-0533 Bugtraq: 10108 Nessus: 11835,12209
Signature Description: The DipNet/Oddbob worm infects computers running Windows. The worm propagates by
exploiting a vulnerability in the Windows LSASS service (MS04-011). The worm generates random IP addresses and
sends exploit code to those machines on port 445. If the target is vulnerable, a remote shell is created on it and used to
download the worm to the vulnerable machine.
Signature ID: 29039
Worm DipNet/Oddbob
Threat Level: Information
Industry ID: CVE-2003-0528 CVE-2003-0533 Bugtraq: 10108 Nessus: 11835,12209
Signature Description: The DipNet/Oddbob worm infects computers running Windows. The worm propagates by
exploiting a vulnerability in the Windows LSASS service (MS04-011). The worm generates random IP addresses and
sends exploit code to those machines on port 445. If the target is vulnerable, a remote shell is created on it and used to
download the worm to the vulnerable machine.
Signature ID: 29040
Trojan Dremn
Threat Level: Information
Signature Description: Trojan Dremn is a Trojan horse program that attempts to log keystrokes and steal information.
The Trojan may arrive on a compromised computer as a Microsoft Word document with a password-protected macro.
Upon execution, it drops the file Docs_2.tmp and executes it to create DrWatson32.exe and DrvWtsn32.dll. Once this
process is loaded, it injects the created DLL into explorer.exe as a thread and as a module. Finally, it creates a
registry entry so that it becomes active at each startup. This signature triggers on outbound malformed packets.
Signature ID: 29041
Trojan Dremn
Threat Level: Warning
Signature Description: Trojan Dremn is a Trojan horse program that attempts to log keystrokes and steal information.
The Trojan may arrive on a compromised computer as a Microsoft Word document with a password-protected macro.
Upon execution, it drops the file Docs_2.tmp and executes it to create DrWatson32.exe and DrvWtsn32.dll. Once this