TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 29174
Rbot Trojan
Threat Level: Information
Signature Description: Win32.Rbot is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized
access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on
administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other
malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable and is
very actively developed; however, the core functionality is quite consistent between variants. Most instances of Rbot are
compressed and/or encrypted with one or more run-time executable packers. Examples include Morphine, UPX,
ASPack, PESpin, EZIP, PEShield, PECompact, FSG, EXEStealth, PEX, MoleBox and PEtite.
Signature ID: 29175
Worm Sasser.A
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: W32/Sasser-A worm is a self-executing network worm, which travels from infected machines
via the internet, exploiting the Microsoft Windows vulnerability MS04-011, and instructs vulnerable systems to
download and execute the viral code. It does not spread via email. Infected computers may run more slowly than
normal and shut down intermittently. W32/Sasser-A attempts to connect to computers through ports TCP/9996 and
TCP/445. If the Windows computers are not patched against the LSASS vulnerability, an FTP script is downloaded and
executed, which connects to port 5554 and downloads a copy of the worm via FTP (File Transfer Protocol). The worm
copies itself to the Windows folder and sets a registry key to auto-start on user logon.
Signature ID: 29176
Worm Sasser.B
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: W32/Sasser-B worm exploits the Windows LSASS (MS04-011) vulnerability, which is a buffer
overrun that allows remote code execution and enables an attacker to gain full control of affected systems. Upon
execution, it drops a copy of itself in the Windows folder as AVSERVE2.EXE. To propagate, this worm sends a
specially-crafted packet to TCP port 445 of random IP addresses. However, it skips certain RFC 1918-reserved
addresses. The packet causes a buffer overrun on vulnerable systems, which results in the execution of a remote shell
that opens port 9996. This worm commands the remote shell to download its copy from the original infected source via
port 5554 using FTP.
Signature ID: 29177
Worm Sasser
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: W32/Sasser-A worm is a self-executing network worm, which travels from infected machines
via the internet, exploiting the Microsoft Windows vulnerability MS04-011, and instructs vulnerable systems to
download and execute the viral code. It does not spread via email. Infected computers may run more slowly than
normal and shut down intermittently. W32/Sasser-A attempts to connect to computers through ports TCP/9996 and
TCP/445. If the Windows computers are not patched against the LSASS vulnerability, an FTP script is downloaded and
executed, which connects to port 5554 and downloads a copy of the worm via FTP (File Transfer Protocol). The worm
copies itself to the Windows folder and sets a registry key to auto-start on user logon.