TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

opens a backdoor on TCP port 8, attempts to connect to a predetermined IRC server, and waits for commands from an
attacker. It can make use of the Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow Vulnerabilities
(MS04-007) and the Microsoft Windows LSASS Buffer Overrun Vulnerabilities (MS04-011) to spread to unpatched
computers.
Signature ID: 29185
SQL Slammer Worm Traffic
Threat Level: Warning
Industry ID: CVE-2002-0649 Bugtraq: 5311
Signature Description: The SQL Slammer worm is a computer worm that compromises vulnerable Microsoft SQL Server
2000 installations. It propagates by exploiting a stack overflow vulnerability in the SQL Server Resolution
Service of SQL Server 2000. The worm sends a 376-byte UDP packet to port 1434 at random targets at a very
high rate. It seeks only to replicate itself; it does not try to further compromise servers or retain access to compromised
hosts. This worm is also known as W32/SQLSlam-A, Sapphire, New SQL, Worm.SQL, and Helkern. The worm is so
small that it contains no code to write itself to disk, so it resides only in memory, and it is easy to remove the worm
by restarting SQL Server. This signature identifies traffic based on destination port, protocol and data length. The
machine will likely be re-infected unless the proper patch is applied to the server or access to UDP port 1434 is blocked
by a firewall. Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS02-039.
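The three matching criteria named above (protocol, destination port, data length) as a small detector run over constructed packet records; this is an added example, not the module's own signature logic, and the Packet fields and sample addresses are assumptions.

```python
# Added example: a minimal detector for the SQL Slammer traffic pattern this
# signature describes (UDP, destination port 1434, 376-byte payload).
# The packet records below are constructed for illustration, not real captures.
from dataclasses import dataclass

SLAMMER_DST_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    dst_port: int
    payload_len: int  # UDP/TCP payload bytes, excluding headers


def is_slammer_candidate(pkt: Packet) -> bool:
    """Match exactly the criteria the signature text names:
    protocol, destination port and data length."""
    return (pkt.proto == "udp"
            and pkt.dst_port == SLAMMER_DST_PORT
            and pkt.payload_len == SLAMMER_PAYLOAD_LEN)


def scan(packets):
    """Return {source host: hit count} for Slammer-shaped packets, so an
    operator can spot the one host spraying random targets at a high rate."""
    counts = {}
    for p in packets:
        if is_slammer_candidate(p):
            counts[p.src] = counts.get(p.src, 0) + 1
    return counts


# Constructed sample: one infected host hitting three random targets,
# one legitimate SSRP query (wrong length), one TCP flow to SQL Server (wrong proto/port).
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "udp", 1434, 376),
    Packet("10.0.0.5", "198.51.100.7", "udp", 1434, 376),
    Packet("10.0.0.5", "203.0.113.9", "udp", 1434, 376),
    Packet("10.0.0.8", "192.0.2.10", "udp", 1434, 120),
    Packet("10.0.0.9", "192.0.2.10", "tcp", 1433, 376),
]

if __name__ == "__main__":
    for src, n in scan(SAMPLE).items():
        print(f"{src}: {n} Slammer-shaped UDP/1434 packets")
```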
Signature ID: 29186
Possible Nimda (.nws) Virus
Threat Level: Warning
Signature Description: The Nimda worm has the potential to affect both user workstations (clients) running Windows
95, 98, ME, NT, or 2000 and servers running Windows NT and 2000. It can spread through multiple mechanisms including
e-mail, network shares, and compromised web servers. The worm modifies web documents (.htm, .html, .asp, etc.) and
certain executable files on the infected machines. The worm creates numerous copies of itself under various file names.
Signature ID: 29187
Possible Nimda Virus (RICHED20.DLL)
Threat Level: Warning
Signature Description: The Nimda worm arrives in an e-mail with a random subject line carrying a hidden attachment, readme.exe.
The body of the mail is blank. It replaces the original Riched20.DLL file with a worm-infected riched20.dll. After
this the worm tries to spread through network shares by infecting .EXE files and by overwriting .NWS and .EML
files.
Signature ID: 29188
Possible Virus Nimda (.eml)
Threat Level: Warning
Signature Description: The Nimda worm has the potential to affect both user workstations (clients) running Windows
95, 98, ME, NT, or 2000 and servers running Windows NT and 2000. It can spread through multiple mechanisms
including e-mail, network shares, and compromised web services. The worm modifies web documents (.htm, .html, .asp,
etc.) and certain executable files on the infected machines. The worm creates numerous copies of itself under various
file names.
Signature ID: 29189
Worm Nyxem.A
Threat Level: Severe
Signature Description: This rule triggers when the worm Nyxem.A is sent as an e-mail attachment to a mail server on the
internal network. Nyxem is a mass-mailing worm that also spreads using remote shares. It also attempts to disable security-