ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
SYSTEM folders, modifies the registry to launch itself at Windows startup, may create Internet traffic on port 80. It also
modifies the HOSTS file to prevent access to several security-related sites, attempts to kill numerous processes and
services, and attempts to rename several files, many of which are security-related.
Signature ID: 29077
Worm Bagle.BQ
Threat Level: Information
Signature Description: Worm Bagle.BQ is a worm that spreads via e-mail. Rather than putting itself in e-mail
attachments, it uses a separate downloader component (called Win32.Glieder.AT), which attempts to download and run
files from several hard-coded URLs. If the Bagle.BQ program is placed at one of these URLs, it can spread as a
two-stage e-mail worm. Bagle.BQ is a 32,768-byte executable.
Signature ID: 29079
Worm Bagle.CC
Threat Level: Information
Signature Description: Worm Bagle.CC is a worm that spreads via e-mail. Rather than putting itself in e-mail
attachments, it uses a separate downloader component (called Win32.Glieder.BE), which attempts to download and run
files from several hard-coded URLs. If the Bagle.CC program is placed at one of these URLs, it can spread as a
two-stage e-mail worm. Bagle.CC is a 26,628-byte executable. This rule triggers on outbound attack traffic.
Signature ID: 29080
Worm Bagle.CC
Threat Level: Information
Signature Description: Worm Bagle.CC is a worm that spreads via e-mail. Rather than putting itself in e-mail
attachments, it uses a separate downloader component (called Win32.Glieder.BE), which attempts to download and run
files from several hard-coded URLs. If the Bagle.CC program is placed at one of these URLs, it can spread as a
two-stage e-mail worm. Bagle.CC is a 26,628-byte executable. This rule triggers on inbound attack traffic.
Signature ID: 29081
Worm Bagle.CE Vulnerability
Threat Level: Information
Signature Description: Worm Bagle.CE is a worm that spreads via e-mail. Rather than putting itself in e-mail
attachments, it uses a separate downloader component (called Win32.Glieder.BG), which attempts to download and run
files from several hard-coded URLs. If the Bagle.CE program is placed at one of these URLs, it can spread as a
two-stage e-mail worm. Bagle.CE is a 26,628-byte executable.
Signature ID: 29082
Worm Bagle.BB
Threat Level: Information
Signature Description: Worm Bagle.BB is a worm that spreads via e-mail. Rather than putting itself in e-mail
attachments, it uses a separate downloader component (called Win32.Glieder.Q), which attempts to download and run
files from several hard-coded URLs. If the Bagle.BB program is placed at one of these URLs, it can spread as a
two-stage e-mail worm. Bagle.BB is a 29,700-byte executable, packed with PEX. This signature detects outbound worm
traffic.