TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

allow the attacker to obtain sensitive information or gain unauthorized access to an affected computer in the context of
the vulnerable server. e-Vision CMS 2.0.2 is vulnerable; other versions may also be affected.
Signature ID: 35590
Lupper worm - Includer Remote Command Execution vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0689 Bugtraq: 12738
Signature Description: Linux/Lupper.B is a worm that infects Linux systems and spreads through web servers by
exploiting the Includer.cgi remote command execution vulnerability. It does not infect Windows systems. It sends
random HTTP requests on port 80; if a web server is vulnerable, the worm exploits the vulnerability and downloads a
copy of itself onto that web server. It also sends a pre-configured list of commands to the includer.cgi script.
Includer.cgi in The Includer allows remote attackers to execute arbitrary commands via shell metacharacters in the
URL or in the template parameter.
Signature ID: 35591
Downadup/Conficker Worm Windows Server Service - MS08-067 vulnerability
Threat Level: Warning
Industry ID: CVE-2008-4250
Signature Description: Win32/Downadup/Conficker is a worm that propagates via removable drives, via network
shares, and by exploiting a vulnerability in the Windows Server Service known as MS08-067. It does not spread over
email or the Web, but once an infected system is connected to the corporate network it immediately scans the network
for machines unpatched against MS08-067, infects them silently, and begins spreading to other servers. This sleeper
virus could allow attackers to steal financial and personal information from more than eight million computers. It also
spreads when an external attacker accesses the system inbound over SMB via the "ADMIN$" or "IPC$" shares. It
brute-forces Administrator passwords on local networks and spreads to and infects removable devices and network
shares by creating a special autorun.inf file and dropping its own DLL on the device. It starts an HTTP server on the
affected system on a random port, which allows a copy of the worm to be downloaded by systems vulnerable to
MS08-067. The general form of the URL it generates is http://[GENERATED DOMAIN
NAME].[TOP LEVEL DOMAIN]/search?q=%d. This signature triggers when the infected system attempts outbound
communication with the external malicious domains.
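The outbound request form described above (http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d) can be checked for in web-proxy logs. The following is an added detection example written for this guide, not part of the signature set or the vendor's code; the log format, the sample log lines, and the allowlisted suffixes are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample web-proxy log lines in a hypothetical "<client_ip> <method> <url>" format.
SAMPLE_LOG = """\
10.0.0.12 GET http://aqgxvhjbl.biz/search?q=23
10.0.0.12 GET http://kpweuzmnqd.info/search?q=105
10.0.0.12 GET http://ytrgoem.cc/search?q=7
10.0.0.15 GET http://intranet.example.com/search?q=42
10.0.0.15 GET http://www.example.org/index.html
10.0.0.21 GET http://shop.example.net/search?q=laptop
"""

# URL form quoted in the signature description:
#   http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d
# %d is a decimal integer, so the query value must be all digits.
CONFICKER_PATH_RE = re.compile(r"^/search\?q=\d+$")

# Constructed allowlist: internal domains whose own search pages would otherwise match.
TRUSTED_SUFFIXES = (".example.com",)

def matches_conficker_url(url):
    """True when an http URL has the worm's /search?q=<integer> shape on a non-allowlisted host."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.hostname:
        return False
    if parsed.hostname.endswith(TRUSTED_SUFFIXES):
        return False
    path_and_query = parsed.path + ("?" + parsed.query if parsed.query else "")
    return CONFICKER_PATH_RE.match(path_and_query) is not None

def flag_conficker_beacons(log_text, min_distinct_hosts=2):
    """Return {client_ip: sorted hosts} for clients whose matching requests span at least
    min_distinct_hosts different domains. A single hit can be a coincidence; one client
    reaching several generated-looking domains with this URL shape is the worm's pattern."""
    hosts_by_client = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, method, url = parts
        if method == "GET" and matches_conficker_url(url):
            hosts_by_client[client].add(urlparse(url).hostname)
    return {c: sorted(h) for c, h in hosts_by_client.items() if len(h) >= min_distinct_hosts}

if __name__ == "__main__":
    for client, hosts in flag_conficker_beacons(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hosts))
```

The distinct-host threshold is what separates an infected client from a legitimate site that happens to use numeric search IDs; tune it and the allowlist to the environment.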
Signature ID: 35598
Downadup/Conficker Worm Windows Server Service - MS08-067 vulnerability
Threat Level: Severe
Industry ID: CVE-2008-4250
Signature Description: Win32/Downadup/Conficker is a worm that propagates via removable drives, via network
shares, and by exploiting a vulnerability in the Windows Server Service known as MS08-067. It does not spread over
email or the Web, but once an infected system is connected to the corporate network it immediately scans the network
for machines unpatched against MS08-067, infects them silently, and begins spreading to other servers. This sleeper
virus could allow attackers to steal financial and personal information from more than eight million computers. It also
spreads when an external attacker accesses the system inbound over SMB through port 139 via the "ADMIN$" or
"IPC$" shares. It brute-forces Administrator passwords on local networks and spreads to and infects removable
devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device. The
autorun.inf file may contain a large amount of garbage, about 60 KB of random binary data, which may fool some
antivirus programs so that they cannot scan the device properly and pick up the referenced DLL stored on it. The worm
also attempts to block running applications from accessing security websites. An infected system starts an HTTP server
on a random port, which allows a copy of the worm to be downloaded by systems vulnerable to MS08-067 from
various malicious external attacker domains. This signature triggers when the external attacker tries to compromise
the system through Server Service Remote Procedure Call (RPC) handling,