TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 29169
Worm Novarg.A
Threat Level: Information
Signature Description: W32.Novarg.A is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor can download and execute arbitrary files.
Signature ID: 29171
PHPInclude Worm Vulnerability
Threat Level: Information
Signature Description: The PhpInclude worm targets websites running any PHP software that contains a "remote file include" vulnerability. The worm finds its targets through the Google, Yahoo and AOL search engines; specifically, it searches for web pages that use the PHP "require()" or "include()" functions. These functions include and evaluate the specified file; if their input is not properly sanitized, an attacker who passes an arbitrary file can execute arbitrary PHP code on the server. To prevent the worm, ensure that any scripts containing "require()" or "include()" properly sanitize user input. Turn "register_globals" off; for many PHP packages the vulnerabilities can be exploited only when "register_globals" is on. Configure Apache mod_security, Apache mod_rewrite or PHP filters to block the worm's requests. This signature triggers on inbound malformed HTTP packets.
Signature ID: 29172
PHPInclude Worm Vulnerability
Threat Level: Information
Signature Description: The PhpInclude worm targets websites running any PHP software that contains a "remote file include" vulnerability. The worm finds its targets through the Google, Yahoo and AOL search engines; specifically, it searches for web pages that use the PHP "require()" or "include()" functions. These functions include and evaluate the specified file; if their input is not properly sanitized, an attacker who passes an arbitrary file can execute arbitrary PHP code on the server. To prevent the worm, ensure that any scripts containing "require()" or "include()" properly sanitize user input. Turn "register_globals" off; for many PHP packages the vulnerabilities can be exploited only when "register_globals" is on. Configure Apache mod_security, Apache mod_rewrite or PHP filters to block the worm's requests. This signature triggers on outbound malformed HTTP packets.
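The remote-file-include pattern behind signatures 29171 and 29172, as an added example (not the signature's own matching logic): a small Python check over constructed request lines that flags any query parameter whose value is a remote URL, the indicator a defender would look for in web server logs whether the request is inbound or outbound.

```python
"""Flag HTTP request lines whose query parameters carry a remote URL,
the pattern a remote-file-include probe leaves in web server logs.
Added illustration; not the TMS zl signature's own matching logic."""
import re
from urllib.parse import parse_qsl, urlsplit

# URL schemes that PHP's include()/require() will fetch over the network
# when allow_url_include (and, historically, allow_url_fopen) is enabled.
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)


def rfi_indicators(request_line: str) -> list[tuple[str, str]]:
    """Return (parameter, value) pairs whose value points at a remote file.

    Works on the request line only ("GET /path?query HTTP/1.1"); a value
    in a POST body or cookie would need the same check on that data.
    parse_qsl percent-decodes values, so 'http%3A%2F%2F...' is caught too.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME.match(value)]


def scan(lines: list[str]) -> list[tuple[str, list[tuple[str, str]]]]:
    """Pair each suspicious request line with the parameters that flagged it."""
    flagged = []
    for line in lines:
        hits = rfi_indicators(line)
        if hits:
            flagged.append((line, hits))
    return flagged


# Constructed sample request lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    "GET /index.php?page=about HTTP/1.1",                           # benign
    "GET /index.php?page=http://198.51.100.7/remote.txt? HTTP/1.1", # plain RFI probe
    "GET /view.php?file=HTTP%3A%2F%2F203.0.113.9%2Fr.txt HTTP/1.1", # percent-encoded
    "GET /search.php?q=how+to+use+http+headers HTTP/1.1",           # 'http' but no scheme
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(line, "->", hits)
```

The check is a log-side complement to the mitigations above; it does not replace sanitizing the include path in the script itself.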
Signature ID: 29173
Rbot Trojan
Threat Level: Information
Signature Description: Win32.Rbot is an IRC-controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares, many different software vulnerabilities, and backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable and very actively developed; however, the core functionality is quite consistent between variants. Most instances of Rbot are compressed and/or encrypted with one or more run-time executable packers, for example Morphine, UPX, ASPack, PESpin, EZIP, PEShield, PECompact, FSG, EXEStealth, PEX, MoleBox and PEtite.