ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 3141
BACKDOOR DonaldDick 1.53 Traffic
Threat Level: Severe
Signature Description: Donald Dick is a Trojan horse that gives the attacker access to various resources on the victim
host. This backdoor permits unauthorized users to remotely extract passwords, edit the registry, log keystrokes, etc.
Donald Dick runs from the server file "c:\WINDOWS\SYSTEM\pnpmgr.pci" over TCP ports 23476 and 23477.
Aliases: Trojan.PSW.EPS.dr, Trojan.PSW.Ring0.a. This is a kind of spyware that automatically attaches itself to
e-mails and to free or shareware downloads such as P2P programs. Its effects include slowing down normal system
operations, drastically decreasing Internet connection speed, displaying pop-ups even when there is no Internet
connection, placing malicious shortcut icons on the system desktop, and automatically redirecting pages to
unknown sites. The spyware collects the user's browsing interests, user names, passwords, etc. and sends them to the
spyware creator.
Signature ID: 3142
BACKDOOR DoomJuice file upload attempt
Threat Level: Information
Signature Description: This event is generated when activity from the DoomJuice worm is detected. This is indicative
of worm activity which may launch a Denial of Service condition against Microsoft from infected
machines. The Doomjuice.A worm is programmed to execute a DDoS attack against Microsoft's web site using
systems/computers that are already infected by Mydoom worms. Doomjuice.A is approximately 35 KB in size,
compressed using UPX (Ultimate Packer for eXecutables). The size of the decompressed file is approximately 43 KB.
Doomjuice.A does not have a pre-programmed expiration date. Computers from which Mydoom has been successfully
removed are not at risk of infection by Doomjuice.A.
Signature ID: 3143
BACKDOOR DoomJuice file upload attempt
Threat Level: Information
Signature Description: This is indicative of worm activity which may launch a Denial of Service condition against
Microsoft from infected machines. The Doomjuice.A worm is programmed to execute a DDoS attack against Microsoft's
web site using systems/computers that are already infected by Mydoom worms. Doomjuice.A is approximately 35 KB in
size, compressed using UPX (Ultimate Packer for eXecutables). The size of the decompressed file is approximately 43
KB. Doomjuice.A does not have a pre-programmed expiration date. Computers from which Mydoom has been successfully
removed are not at risk of infection by Doomjuice.A.
Signature ID: 3144
BACKDOOR FsSniffer connection
Threat Level: Information
Nessus: 11854
Signature Description: Possible theft of data and control of the targeted machine, leading to a compromise of all
resources the machine is connected to. FsSniffer is a backdoor that allows an intruder to steal POP3/FTP and other
passwords you use on your system. An attacker may use it to steal your passwords.
Signature ID: 3145
BACKDOOR Hack-A-tack 1.20 Connect
Threat Level: Severe
Signature Description: Backdoor Hack-a-tack is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely alter the user interface, run commands, log keystrokes, shut down
Windows, etc. Hack-a-Tack typically runs over TCP ports 31785 and 31787. Attackers can use many backdoor programs
to access your computer system without the victim's knowledge or consent. With the Hack'a'Tack backdoor, an