TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 29056
Worm Bagle.AI
Threat Level: Information
Signature Description: Bagle.AI is a mass-mailing worm that uses its own SMTP engine to spread through email and
opens a backdoor on TCP port 1080. The subject line, body, and attachment name of the email vary. The attachment
will have a .com, .cpl, .exe, .scr, or .zip file extension. Upon execution it drops a copy of itself as winxp.exe in
the SYSTEM folder and creates a registry key to become active at startup.
Signature ID: 29057
Worm Bagle.AQ
Threat Level: Information
Signature Description: Bagle.AQ is a mass-mailing worm which contains its own SMTP engine to construct outgoing
messages. It harvests email addresses from the victim machine, and the From: address of messages is spoofed. The
attachment is a ZIP file which contains an EXE and an HTML file and carries a remote access component (notification
is sent to the attacker). The worm copies itself to folders that have the phrase "shar" in the name (such as the
shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.). The worm sends out a ZIP
file which contains an HTML and an EXE file. The EXE file is within a folder in the ZIP file, so that when the archive
is viewed with Explorer (rather than a stand-alone ZIP file handler like WinZip or PKZip) only the HTML file and a
separate folder are visible. The HTML file contains exploit code which, on vulnerable systems, will automatically
run the EXE file, which is a downloader trojan. The downloader trojan then contacts a large number of remote
websites to retrieve the virus itself.
Signature ID: 29058
Worm Bagle.AV
Threat Level: Information
Signature Description: Bagle.AV spreads via e-mail, in a message with an attached file with a random name and a ZIP
extension. Bagle.AV is a worm that ends processes belonging to several antivirus update programs, among other
applications. The ZIP file contains an HTML file together with a hidden EXE file. The executable file is run when the
user opens the HTML file. Once it has infected the computer, Bagle.AV attempts to download a fake JPG file from
several websites. If successful, Bagle.AV will start spreading from the computer.
Signature ID: 29059
Worm Bagle.AV
Threat Level: Information
Signature Description: Bagle.AV spreads via e-mail, in a message with an attached file with a random name and a ZIP
extension. Bagle.AV is a worm that ends processes belonging to several antivirus update programs, among other
applications. The ZIP file contains an HTML file together with a hidden EXE file. The executable file is run when the
user opens the HTML file. Once it has infected the computer, Bagle.AV attempts to download a fake JPG file from
several websites. If successful, Bagle.AV will start spreading from the computer.
Signature ID: 29060
Worm Bagle.AY Vulnerability
Threat Level: Information
Signature Description: Bagle.AY spreads in e-mail messages to addresses collected from the infected computer. The
attachment of the messages is the approx. 20 kB long worm (with a COM, EXE or SCR extension) or the approx. 23 kB
long worm dropper with a CPL extension. Once installed it copies itself as sysformat.exe to the Windows System folder
and creates a startup key to become active at startup. The worm has a backdoor that listens on port 81. The worm
then tries to download a file named re_file.exe from a list of pre-defined URLs and executes it.