ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

connects to an Internet Relay Chat (IRC) channel, where it waits for commands from the remote user. Furthermore, this
worm modifies the HOSTS file, which prevents the user from accessing certain Web sites. Most of these sites are
related to antivirus and security applications. This worm terminates processes, most of which are related to antivirus
programs, security applications, and other malware programs. This signature detects Outbound worm traffic.
Signature ID: 29154
Worm MyTob.HF
Threat Level: Information
Signature Description: MyTob.HF propagates by sending a copy of itself as an attachment to an email message, which
it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. This worm has backdoor
capabilities, which allow a remote user to perform malicious commands on the affected system. Using random ports, it
connects to an Internet Relay Chat (IRC) channel, where it waits for commands from the remote user. Furthermore, this
worm modifies the HOSTS file, which prevents the user from accessing certain Web sites. Most of these sites are
related to antivirus and security applications. This worm terminates processes, most of which are related to antivirus
programs, security applications, and other malware programs. This signature detects Inbound worm traffic.
Signature ID: 29155
Worm MyTob.HE
Threat Level: Information
Signature Description: Worm MyTob.HE is a mass-mailing worm and backdoor Trojan that can be controlled through
the Internet Relay Chat (IRC) network. This worm includes functionality to change browser settings and is capable of
spreading through email. This signature detects Outbound worm traffic.
Signature ID: 29156
Worm MyTob.HE
Threat Level: Information
Signature Description: Worm MyTob.HE is a mass-mailing worm and backdoor Trojan that can be controlled through
the Internet Relay Chat (IRC) network. This worm includes functionality to change browser settings and is capable of
spreading through email. This signature detects Inbound worm traffic.
Signature ID: 29157
Worm Netsky.C
Threat Level: Information
Signature Description: Worm Netsky.C is a mass-mailing worm that uses its own SMTP engine to send itself to the
email addresses it finds when scanning hard drives and mapped drives. This worm also searches drives C through Y for
the folder names containing "Shar" and then copies itself to those folders. The Subject, Body, and email attachment
vary
Signature ID: 29159
Worm Netsky.P
Threat Level: Information
Industry ID: CVE-2001-0154
Bugtraq: 2524
Signature Description: Worm Netsky.P is a mass-mailing worm that uses its own SMTP engine to send itself to the
email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through
various file-sharing programs by copying itself into various shared folders. The From line of the email is spoofed, and
its Subject line and message body of the email vary. The attachment name varies with the .exe, .pif, .scr, or .zip file
extension. This worm also uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability
to cause unpatched systems to auto-execute the worm when reading or previewing an infected message. This signature
triggers for Inbound request malformed SMTP packets.