ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 3294
Backdoor Qwertos RAT 0.2
Threat Level: Critical
Signature Description: This rule tries to detect Backdoor Qwertos RAT 0.2. This is a Trojan that opens up a backdoor
program. Qwertos, also known as Latinus, affects Microsoft Windows operating systems. It uses a
client/server relationship, where the server component is installed in the victim's system and the remote attacker has
control of the client. Once installed on a system, it permits unauthorized users to remotely perform a variety of
operations, such as changing the registry, executing commands, starting services, listing files, and uploading or
downloading files. Qwertos typically runs from the server file "C:\WINDOWS\msHtml.exe" over port 29559 via TCP.
Signature ID: 3295
Backdoor R3C
Threat Level: Information
Signature Description: This rule tries to detect Backdoor R3C. This is a trojan that allows unauthorised access to
the infected computer. It is a program that uses a secret and/or undocumented means of getting into a computer system.
Some backdoor programs test the system and phone home to allow for future attacks. This backdoor is written in Delphi
and can affect Windows operating systems. By default, Backdoor R3C opens port 9870 via TCP.
Signature ID: 3296
Backdoor RatHead 2.01
Threat Level: Critical
Signature Description: This rule tries to detect Backdoor RatHead 2.01. This is a trojan that opens up a backdoor
program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such
as changing the registry, executing commands, starting services, listing files, and uploading or downloading files. By
default backdoor RatHead 2.01 runs over port 36663 via TCP.
Signature ID: 3297
Remote boot tool Backdoor detection
Threat Level: Severe
Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a
computer, obtaining access to plain text, etc. while attempting to remain undetected. Backdoor Remote Boot Tool
(RBT), also known as 'Backdoor-HJ', infects the Microsoft Windows family of operating systems and is written in Delphi. It
registers itself in 'HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'. The Remote Boot Tool server
monitors Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port 41666 for an incoming
connection. Remote attackers may be able to shut down or reboot the remote system, log off the current user, or remove
the Remote Boot Tool server from the infected machine.
Signature ID: 3298
Backdoor Remote hack 1.2
Threat Level: Critical
Signature Description: This rule tries to detect Backdoor Remote Hack 1.2. This is a Trojan that opens up a backdoor
program that, once installed on a system, permits unauthorized users to remotely shut down Windows, alter the user
interface, control FTP access, etc. It affects Microsoft Windows operating systems. Remote Hack uses a client/server
relationship, where the server component is installed in the victim's system and the remote attacker has control of the
client. It typically runs from the server file "C:\WINDOWS\norton.exe" over port 1568 via TCP.