ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

Signature ID: 29061
Worm Bagle.BJ
Threat Level: Information
Signature Description: Worm Bagle.BJ is a mass mailer containing its own SMTP engine. Upon execution it creates
copies of itself in the SYSTEM folder and modifies the registry to launch itself at Windows startup. It terminates
numerous processes, many of which are related to security and anti-virus software. It also copies itself to the shared
folders of several file-sharing applications and opens a remote-access trojan on a random port above TCP port 2339.
This rule hits for the attack pattern "a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn".
Signature ID: 29063
Worm Bagle.BJ
Threat Level: Information
Signature Description: Worm Bagle.BJ is a mass mailer containing its own SMTP engine. Upon execution it creates
copies of itself in the SYSTEM folder and modifies the registry to launch itself at Windows startup. It terminates
numerous processes, many of which are related to security and anti-virus software. It also copies itself to the shared
folders of several file-sharing applications and opens a remote-access trojan on a random port above TCP port 2339.
This rule hits for the attack pattern "amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5".
Signature ID: 29065
Worm Bagle.BK
Threat Level: Information
Signature Description: Worm Bagle.BK is a worm that spreads via e-mail. When executed, it copies itself as
sysformat.exe to the Windows System folder and creates a startup key in the Registry so that it becomes active at
startup. The worm can attach itself to e-mails as an executable file with COM, EXE, SCR and CPL extensions. It also has
a backdoor component that listens on port 81. After successful installation the worm tries to download an executable
file named re_file.exe from a list of pre-defined URLs and executes it.
Signature ID: 29067
Trojan Bagle.BE Downloader Vulnerability
Threat Level: Information
Signature Description: "Trojan Bagle.BE Downloader" attempts to download a file which is detected as the Bagle.BE
worm. The trojan arrives as an attachment to an e-mail in a compressed .zip format. The infected e-mail carries a
spoofed 'From' address picked up randomly from the infected system, and its subject is blank. The body of the infected
e-mail and the filename of the attachment vary. Upon execution of the infected attachment, the trojan copies itself as
winshost.exe and wiwshost.exe in the Windows System folder. It then attempts to connect to websites in its
pre-configured list to download and execute a file which is detected as Worm Bagle.BE.
Signature ID: 29069
Worm Bagle.DI
Threat Level: Information
Signature Description: Worm Bagle.DI is a mass-mailing worm that has its own SMTP engine. Once executed, it
copies itself to the system root directory as "windll2.exe" and creates registry entries to run at startup. It then tries
to download files from multiple URLs, some of which contain a list of e-mail addresses while others contain other
malware that the worm runs