ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 29178
Worm Sasser
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: The W32/Sasser worm is a self-executing network worm that travels from infected machines via
the internet, exploits the Microsoft Windows vulnerability MS04-011, and instructs vulnerable systems to download
and execute the viral code. It does not spread via email. Infected computers may run more slowly than normal and shut
down intermittently. W32/Sasser-A attempts to connect to computers through ports TCP/9996 and TCP/445. If the
Windows computers are not patched against the LSASS vulnerability, an FTP script is downloaded and executed,
which connects to port 5554 and downloads a copy of the worm via FTP (File Transfer Protocol). The worm copies
itself to the Windows folder and sets a registry key to auto-start on user logon. This signature detects worm traffic on
TCP port 9996.
Signature ID: 29179
Worm Sasser
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: The W32/Sasser worm is a self-executing network worm that travels from infected machines via
the internet, exploits the Microsoft Windows vulnerability MS04-011, and instructs vulnerable systems to download
and execute the viral code. It does not spread via email. Infected computers may run more slowly than normal and shut
down intermittently. W32/Sasser-A attempts to connect to computers through ports TCP/9996 and TCP/445. If the
Windows computers are not patched against the LSASS vulnerability, an FTP script is downloaded and executed,
which connects to port 5554 and downloads a copy of the worm via FTP (File Transfer Protocol). The worm copies
itself to the Windows folder and sets a registry key to auto-start on user logon. This signature detects worm traffic in
SMB messages.
Signature ID: 29181
Trojan Stinx-N
Threat Level: Information
Signature Description: Trojan Stinx-N is an IRC bot that was mass-spammed as an attachment to an e-mail message. When run,
this trojan attempts to connect to two IRC servers on TCP port 6667. Stinx-N includes functionality to download and
execute further code, and attempts to disable various security-related processes. This signature generates a log for the
attack from the internal network to the external network, Outbound-INIT.
Signature ID: 29182
Trojan Stinx-N
Threat Level: Information
Signature Description: Trojan Stinx-N is an IRC bot that was mass-spammed as an attachment to an e-mail message. When run,
this trojan attempts to connect to two IRC servers on TCP port 6667. Stinx-N includes functionality to download and
execute further code, and attempts to disable various security-related processes. This signature generates a log for the
attack from the external network to the internal network, Inbound-INIT.
Signature ID: 29183
Worm Nugache.A
Threat Level: Information
Signature Description: Worm Nugache.A is a mass-mailing worm that spreads by email, through network shares, by exploiting
vulnerabilities, and through AOL Instant Messenger. Once installed, it creates the files mstc.exe and FNTCACHE.BIN
in the SYSTEM folder and the current user's profile folder, then creates the registry entries to become active at startup. It also