ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 29223
Worm MyTob.AH
Threat Level: Information
Signature Description: Mytob.AH is a mass-mailing worm that uses its own SMTP engine to send e-mail to
addresses it gathers from the compromised computer. The worm arrives by e-mail and spreads by exploiting the
DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011). The name
of the attachment varies and carries a .pif, .bat, .zip, .exe, .scr or .cmd extension. Upon execution the worm creates
registry entries, modifies the hosts file, blocks access to several security-related websites and opens a backdoor that
allows unauthorized access by a remote attacker. This signature triggers on malformed outbound request packets.
Signature ID: 29224
Worm Nyxem.D
Threat Level: Information
Signature Description: This rule triggers when the worm Nyxem.D is sent as an e-mail attachment to a mail server
in the internal network. Nyxem is a mass-mailing worm that spreads using remote shares. It also attempts to disable
security-related and file-sharing software and to destroy files of certain types. The worm has a dangerous payload: if
the day of the month is 3 (3rd of February, 3rd of March, etc.) and the worm's UPDATE.EXE file is run, it destroys
files with extensions such as doc, xls, mdb, ppt and pdf on all available drives. This signature triggers on malformed
inbound SMTP request packets.
Signature ID: 29225
Worm Nyxem.D
Threat Level: Information
Signature Description: This rule triggers when the worm Nyxem.D is sent as an e-mail attachment to a mail server
in the internal network. Nyxem is a mass-mailing worm that spreads using remote shares. It also attempts to disable
security-related and file-sharing software and to destroy files of certain types. The worm has a dangerous payload: if
the day of the month is 3 (3rd of February, 3rd of March, etc.) and the worm's UPDATE.EXE file is run, it destroys
files with extensions such as doc, xls, mdb, ppt and pdf on all available drives. This signature triggers on malformed
outbound SMTP request packets.
Signature ID: 29226
Worm Nyxem.E
Threat Level: Severe
Signature Description: This rule triggers when the worm Nyxem.E is sent as an e-mail attachment to a mail server
in the internal network. Nyxem is a mass-mailing worm that spreads using remote shares. It also attempts to disable
security-related and file-sharing software and to destroy files of certain types. The worm has a dangerous payload: if
the day of the month is 3 (3rd of February, 3rd of March, etc.) and the worm's UPDATE.EXE file is run, it destroys
files with extensions such as doc, xls, mdb, ppt and pdf on all available drives.
Signature ID: 29227
Worm Opaserv
Threat Level: Warning
Signature Description: Opaserv is a network-aware worm that attempts to replicate across open network shares.
It copies itself to the remote computer as a file named Scrsvr.exe or alevir.exe. The worm scans the IP address range
of the local area network, searching for computers with an open C: share and NetBIOS enabled over TCP/IP. When a
share is found, the worm copies itself to the Windows folder of that share and modifies the win.ini file so that the worm
is executed the next time Windows starts on that computer. Once the local area network has been scanned the worm