TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

631

632

633

634

635

636

637

638

639

640

ProCurve TMS zl Module IPS/IDS Signature

Reference Guide Version RLX.10.2.2.94

632

Signature ID: 29103

Bropia Worm

Threat Level: Information

Signature Description: Bropia is an instant messenger worm that spreads using Microsoft's MSN Messenger. This

worm also drops a variant of Spybot Worm in the infected system. When executed, Bropia worm copies to Windows

System folder using different file names. The file name will be winhost.exe, lexplore.exe, or updates.exe. Then it

modifies the registry entries to load automatically during system startup. Bropia worm drops spybot worm in the

infected system. Spybot worm connects to IRC channel and allows full access to the infected system. Using this

backdoor facility, hackers can steal data from the infected systems. Bropia worm is also known as IM-

Worm.Win32.VB.a, Bropia.A, W32/Bropia-A, WORM_BROPIA.F, and Win32.Bropia.a.

Signature ID: 29104

Evaman Worm

Threat Level: Information

Signature Description: Evaman is a worm that spreads via e-mail. It has been distributed as a 14,848-byte, UPX-

packed Win32.executable. When executed, Evaman initally opens the Notepad application. It then copies itself to the

%System% directory as WINTASKS.EXE and modifies the registry to ensure that this copy is run at each Windows

start. The worm also creates the mutex:MyNameIsEva" to ensure that only one copy of the worm is running at any

particular time

Signature ID: 29105

Worm Forbot-FG

Threat Level: Information

Signature Description: Worm Forbot-FG is a network worm with backdoor Trojan functionality for the Windows

platform. Once installed, Forbot-FG connects to a preconfigured IRC server and joins a channel from which an attacker

can issue further commands. Forbot-FG also spreads through email. The worm harvests email addresses from files on

the infected computer and from the Windows address book. This signature triggers for Outbound request malformed

packets.

Signature ID: 29106

Worm Forbot-FG

Threat Level: Information

Signature Description: Worm Forbot-FG is a network worm with backdoor Trojan functionality for the Windows

platform. Once installed, Forbot-FG connects to a preconfigured IRC server and joins a channel from which an attacker

can issue further commands. Forbot-FG also spreads through email. The worm harvests email addresses from files on

the infected computer and from the Windows address book. This signature triggers for INbound request malformed

packets.

Signature ID: 29107

Worm Kelvir.HI

Threat Level: Information

Signature Description: Worm Kelvir.HI is an IM (Instant Messenger) worm that spreads by sending a link to its file

using MSN Messenger. The worm also tries to download and run a file from Internet. It drops a copy of

W32.Spybot.Worm as %System%\msmsgr.exe and spreads through MSN Messenger. It also creates registry entries so

that gets activated on system startup.