ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 29070
Worm Bagle.I Vulnerability
Threat Level: Information
Signature Description: Bagle.I is a worm that spreads via e-mail and through file sharing. The worm spreads attached
to an e-mail in a password-protected zip archive, with the password displayed in the body of the e-mail message. It
arrives as a dropper, which installs itself (%System%\i11r54n4.exe) and two DLLs, %System%\go154o.exe (size
19,968 bytes) and %System%\i1i5n1j4.exe (size 1,536 bytes), on the system. The dropper is compressed with PEX, and
its file size varies between approximately 20,485 and 21,985 bytes.

Signature ID: 29071
Worm Bagle.I
Threat Level: Information
Signature Description: This memory-resident mass-mailing worm uses its own SMTP (Simple Mail Transfer Protocol)
engine to propagate. It sends out e-mail messages with a spoofed return address to target recipients, which it gathers
from the infected system. The e-mail message that it sends out has varying details. It also attempts to spread via shared
folders by dropping copies of itself in folders that have the string "shar" in their names.

Signature ID: 29072
Worm Bagle.I
Threat Level: Information
Signature Description: This memory-resident mass-mailing worm uses its own SMTP (Simple Mail Transfer Protocol)
engine to propagate. It sends out e-mail messages with a spoofed return address to target recipients, which it gathers
from the infected system. The e-mail message that it sends out has varying details. It also attempts to spread via shared
folders by dropping copies of itself in folders that have the string "shar" in their names. This signature fires when an
attacker sends the pattern "7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh"
in SMTP traffic.

Signature ID: 29073
Worm Bagle.Z Vulnerability
Threat Level: Information
Signature Description: Bagle.Z spreads via e-mail messages and propagates to addresses collected from the infected
computer. The message has a variable subject line and body. The attachment is either an executable with an EXE,
COM, SCR or CPL extension (approximately 20 kB in size), or a script with a VBS or HTA extension that drops the worm. The
worm opens a backdoor on the infected computer.

Signature ID: 29074
Worm Bagle.dldr Vulnerability
Threat Level: Information
Signature Description: Bagle.dldr is not a mass-mailing threat by itself; it is a downloader that tries to retrieve files
from the Internet and attempts to disable antivirus and security tools. The Trojan has been used by other Bagle variants,
including Bagle.bb, Bagle.bc and Bagle.bd. After being executed, Bagle.dldr copies itself into the Windows System
directory. It drops a file named 'wiwshost.exe' and tries to download a file 'zoo.jpg' from various websites. It also shuts
down security services and in some cases renames the main security program's executable.

Signature ID: 29075
Worm Bagle.BO
Threat Level: Information
Signature Description: Bagle.BO is a Trojan dropper. Upon execution, it creates files in the WINDOWS and Windows