TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 29218
Worm MyTob.X
Threat Level: Warning
Signature Description: Win32.Mytob.X is a worm that spreads via e-mail, poorly protected network shares, and MSN
Messenger. The worm also acts as an IRC bot, giving its controller unauthorized access to the infected machine, and
spreads further by exploiting vulnerabilities in the Windows operating system.
Signature ID: 29219
Worm Sober.I
Threat Level: Information
Signature Description: W32.Sober.I@mm is a mass-mailing worm that is compressed with the UPX packer and uses its
own SMTP engine to spread, sending itself as an e-mail attachment to addresses gathered from the infected
computer. The subject of the e-mail varies and may be in German or English. The name of the attachment varies
and has a .bat, .com, .pif, .scr, or .zip extension. Upon execution, the worm adds registry values so that it becomes active at startup
and drops several files; if the current date is past January 5, 2005, the worm may attempt to download and execute a
file from multiple locations on predefined domains.
Signature ID: 29220
AIM Bot
Threat Level: Severe
Signature Description: Aimbot is a Trojan for the Windows platform. It runs continuously in the background,
providing a backdoor server that allows a remote intruder to gain access to and control over the computer via IRC
channels. When first run, Aimbot copies itself to the system folder and creates registry entries so that it becomes active at each
startup. Through this backdoor functionality it gives a remote attacker access to the machine.
Signature ID: 29221
Worm Korgo.U Vulnerability
Threat Level: Information
Signature Description: Korgo.U is a PE executable 9353 bytes long, packed with PE-Patch and the UPX file compressor. It
is a variant of W32.Korgo.N. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer
Overrun Vulnerability on TCP port 445. It also listens on TCP ports 113, 5111, and a random port between 256 and
8191. It exploits the vulnerability and copies its file to the remote system. Upon execution it creates several files and registry
entries and then periodically connects to several websites and downloads files from them.
Signature ID: 29222
Worm MyTob.AH
Threat Level: Information
Signature Description: Mytob.AH is a mass-mailing worm that uses its own SMTP engine to send e-mail to
addresses that it gathers from the compromised computer. This worm arrives by e-mail and spreads by exploiting the
DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011). The name of
the attachment varies and has a .pif, .bat, .zip, .exe, .scr, or .cmd extension. Upon execution it creates several registry entries,
modifies the hosts file, blocks access to several security-related websites, and opens a backdoor to allow unauthorized
access by a remote attacker. This signature triggers on inbound malformed request packets.