TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 29127
Worm MyDoom/MIMAIL.R
Threat Level: Information
Signature Description: MyDoom/MIMAIL.R is a worm that spreads by email. It copies itself into the system32 folder
and adds a registry key so that it is activated at startup. Like the other MyDoom worms, it scans the filesystem and
mounted shares for email addresses. The worm attempts to steal the user's credit card information by displaying a fake
Microsoft licensing window; the stolen credit card numbers are sent to email addresses found in the worm's body. This
signature triggers when a packet contains the pattern 'represented in 7-bit ASCII'.
Signature ID: 29128
Worm MyDoom/MIMAIL.R
Threat Level: Information
Signature Description: MyDoom/MIMAIL.R is a worm that spreads by email. It copies itself into the system32 folder
and adds a registry key so that it is activated at startup. Like the other MyDoom worms, it scans the filesystem and
mounted shares for email addresses. The worm attempts to steal the user's credit card information by displaying a fake
Microsoft licensing window; the stolen credit card numbers are sent to email addresses found in the worm's body. This
rule triggers when a packet contains the pattern 'The message contains Unicode characters'.
Signature ID: 29129
Worm MyDoom/MIMAIL.R
Threat Level: Information
Signature Description: MyDoom/MIMAIL.R is a worm that spreads by email. It copies itself into the system32 folder
and adds a registry key so that it is activated at startup. Like the other MyDoom worms, it scans the filesystem and
mounted shares for email addresses. The worm attempts to steal the user's credit card information by displaying a fake
Microsoft licensing window; the stolen credit card numbers are sent to email addresses found in the worm's body. This
event is triggered when a packet contains the pattern 'we are sorry your UTF-8 encoding is not supported by the server'.
Signature ID: 29131
Worm MyDoom.P Vulnerability
Threat Level: Information
Signature Description: MyDoom.P is a mass-mailing worm that uses its own SMTP engine to send itself to the email
addresses it finds on an infected computer. The email carries a spoofed From address. The subject and message body
vary, and the attachment has a .bat, .cmd, .exe, .pif, .scr, or .zip extension. TCP port 1034 is opened on the victim
machine by the SERVICES.EXE process, which listens there for incoming connections. This process also sends TCP
traffic from a high port on the infected machine to randomly generated IP addresses on destination port 1034. When
another IP address is found to be infected with the backdoor, that machine's IP address is encrypted and written to
a file named zincite.log.
Signature ID: 29132
Worm MyDoom.S
Threat Level: Information
Signature Description: MyDoom.S is a mass-mailing worm that harvests email addresses from the hard drive. The
worm copies itself to the Windows folder and the System folder, and adds a registry entry to ensure it starts whenever
you log on. Emails sent by this worm have the subject line 'photos' and an attachment named photos_arc.exe.