ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

Signature ID: 29117
Worm MyDoom.AH
Threat Level: Information
Industry ID: CVE-2004-1050 Bugtraq: 11515
Signature Description: Mydoom.AH exploits the IFRAME HTML tag buffer overflow vulnerability to infect systems. The user receives an e-mail containing a hyperlink to a malicious website running a web server that is vulnerable to the IFRAME buffer overflow. Clicking the link accesses a web server running on the compromised system, which serves HTML containing IFRAME buffer overflow code that automatically executes the virus. This signature detects the pattern 'tracking number is A866DEC0' being sent in SMTP traffic.

Signature ID: 29118
Worm MyDoom.AH
Threat Level: Information
Industry ID: CVE-2004-1050 Bugtraq: 11515
Signature Description: Mydoom.AH exploits the IFRAME HTML tag buffer overflow vulnerability to infect systems. The user receives an e-mail containing a hyperlink to a malicious website running a web server that is vulnerable to the IFRAME buffer overflow. Clicking the link accesses a web server running on the compromised system, which serves HTML containing IFRAME buffer overflow code that automatically executes the virus. This signature detects the pattern "Hi! I am looking for new friends. I am from Miami, FL" being sent in SMTP traffic.

Signature ID: 29120
Worm MyDoom.AH
Threat Level: Information
Industry ID: CVE-2004-1050 Bugtraq: 11515
Signature Description: Mydoom.AH exploits the IFRAME HTML tag buffer overflow vulnerability to infect systems. The user receives an e-mail containing a hyperlink to a malicious website running a web server that is vulnerable to the IFRAME buffer overflow. Clicking the link accesses a web server running on the compromised system, which serves HTML containing IFRAME buffer overflow code that automatically executes the virus. This signature detects the pattern "with my weblog and last webcam photos!" being sent in SMTP traffic.

Signature ID: 29125
Worm MyDoom.I
Threat Level: Information
Signature Description: MyDoom.I is a worm that spreads by e-mail. It copies itself into the system32 folder as svhost.exe and adds a registry key so that it runs at startup. Like the other MyDoom worms, W32/Mydoom-I scans the file system and mounted shares for e-mail addresses. Once it infects a machine, MyDoom opens Notepad and displays junk data. This signature triggers on outbound malformed packets.

Signature ID: 29126
Worm MyDoom.I
Threat Level: Information
Signature Description: MyDoom.I is a worm that spreads by e-mail. It copies itself into the system32 folder as svhost.exe and adds a registry key so that it runs at startup. Like the other MyDoom worms, W32/Mydoom-I scans the file system and mounted shares for e-mail addresses. Once it infects a machine, MyDoom opens Notepad and displays junk data. This signature triggers on inbound malformed packets.