ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 3172
BACKDOOR RUX the Tick get system directory
Threat Level: Severe
Signature Description: This rule tries to detect Backdoor Rux-the-Tick. This is a Trojan that infects vulnerable
Windows operating systems. Once installed, it opens a backdoor on the host machine and monitors Transmission
Control Protocol (TCP) port 22222 for an incoming connection from the client. Rux-the-Tick supports a few simple,
but dangerous, remote control commands. It allows remote attackers to access the system directory and subdirectories,
upload files, and execute files.
Signature ID: 3173
BACKDOOR RUX the Tick get windows directory
Threat Level: Severe
Signature Description: This rule tries to detect Backdoor Rux-the-Tick. This is a Trojan that infects vulnerable
Windows operating systems. Once installed, it opens a backdoor on the host machine and monitors Transmission
Control Protocol (TCP) port 22222 for an incoming connection from the client. Rux-the-Tick supports a few simple,
but dangerous, remote control commands. It allows remote attackers to access the Windows directory and
subdirectories, upload files, and execute files.
Signature ID: 3174
BACKDOOR RUX the Tick upload/execute arbitrary file
Threat Level: Severe
Signature Description: This rule tries to detect Backdoor Rux-the-Tick. This is a Trojan that infects vulnerable
Windows operating systems. Once installed, it opens a backdoor on the host machine and monitors Transmission
Control Protocol (TCP) port 22222 for an incoming connection from the client. Rux-the-Tick supports a few simple,
but dangerous, remote control commands. It allows remote attackers to upload files and execute files. Windows 95 and
Windows 98 are the platforms affected by this attack.
Signature ID: 3175
BACKDOOR Vampire 1.2 connection confirmation
Threat Level: Critical
Signature Description: Backdoor Vampire 1.2 is a Trojan that opens a backdoor program on the host. Vampire is
transmitted by executing an infected file on the system. Vampire does not live in memory. Upon execution of a
program containing Vampire, the virus infects a .COM file residing in the current directory and overwrites the first
417 bytes of code. Text that reads "[Vampire] [DS] [OEC-G001] NJ Memory stack overflow", "Insufficient memory",
and "Program too big to fit into memory" is located in each infected file. Vampire typically operates over TCP port
1020. Microsoft Windows is the platform affected by this attack.
Signature ID: 3176
BACKDOOR mydoom.a backdoor upload/execute
Threat Level: Warning
Signature Description: W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as
an email attachment containing the malicious file. MyDoom spoofs the "From" address to confuse victims as to the source
of the virus. Victims infect their system by opening the attached executable file. MyDoom spreads as an email attachment
that is either an executable or a zip archive. The worm sets up a backdoor into the system by opening TCP ports
3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain
access to its network resources.