TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 29108
Worm Korgo.P
Threat Level: Information
Signature Description: Worm Korgo.P is a network worm that uses the LSASS exploit (MS04-011) to propagate.
Korgo.P copies itself to the Windows system folder under a randomly generated filename between 5 and 8 characters
long and creates or modifies a registry entry so that it runs at system startup. It then attempts to send itself to
random IP addresses over HTTP with the filename X.EXE. Korgo.P sends encrypted reports to a number of remote
websites and may be instructed to download and run further files from them, saved under a random 6-letter filename
in the Windows system folder. Korgo.P attempts to delete the file FTPUPD.EXE and also tries to terminate certain
processes, including SysTray, WinUpdate and Disk Defragmenter, deleting their corresponding registry entries so that
they do not run at system startup.
Signature ID: 29109
Worm Korgo.P
Threat Level: Information
Signature Description: Worm Korgo.P is a network worm that uses the LSASS exploit (MS04-011) to propagate. This
worm copies itself to the Windows system folder under a randomly generated filename between 5 and 8 characters
long and creates or modifies a registry entry so that it runs at system startup. It then attempts to send itself to random
IP addresses over HTTP with the filename X.EXE. Korgo.P sends encrypted reports to a number of remote websites and
may be instructed to download and run further files from them, saved under a random 6-letter filename in the Windows
system folder. It attempts to delete the file FTPUPD.EXE and also tries to terminate certain processes, including
SysTray, WinUpdate and Disk Defragmenter, deleting their corresponding registry entries so that they do not run at
system startup.
Signature ID: 29112
Worm Maslan.C
Threat Level: Information
Signature Description: Worm Maslan.C is a mass-mailing worm that opens a back door and exploits system
vulnerabilities such as Windows LSASS (MS04-011) and RPC-DCOM (MS03-039) on the compromised computer to
spread to network shares. The worm also steals passwords and uses rootkit techniques. Maslan.C copies existing
executable files on the computer to a new location called "___b" and places copies of the worm where the original files
used to be. This signature detects outbound worm traffic.
Signature ID: 29113
Worm Maslan.C
Threat Level: Information
Signature Description: Worm Maslan.C is a mass-mailing worm that opens a back door and exploits system
vulnerabilities such as Windows LSASS (MS04-011) and RPC-DCOM (MS03-039) on the compromised computer to
spread to network shares. The worm also steals passwords and uses rootkit techniques. Maslan.C copies existing
executable files on the computer to a new location called "___b" and places copies of the worm where the original files
used to be. This signature detects inbound worm traffic.
Signature ID: 29116
Worm MyDoom.AH
Threat Level: Information
Industry ID: CVE-2004-1050
Bugtraq: 11515
Signature Description: Mydoom.AH exploits the IFRAME HTML tag buffer overflow vulnerability to infect
systems. An e-mail arrives containing a hyperlink to a malicious website running a web server. When the user clicks
the link, the web server serves HTML containing IFRAME buffer overflow code that automatically executes the virus.