ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 3317
Backdoor Vagr Nocker 1.2
Threat Level: Critical
Signature Description: This rule tries to detect Backdoor Vagr Nocker 1.2. Vagr Nocker consists of at least two
components. The client component is used by attackers to send connection requests and control commands to a target
machine. The server component, running on the target machine, executes control commands sent by attackers. This is a
Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely
perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and
uploading or downloading files. Vagr Nocker typically runs from the server file "C:\WINDOWS\Winahlp.exe" over
port 6969 via TCP.
Signature ID: 3318
Backdoor Voodoo doll
Threat Level: Critical
Signature Description: Voodoo Doll is a backdoor Trojan written in Visual Basic that affects Microsoft Windows
operating systems. The backdoor uses a client/server relationship, where the server component is installed on the
victim's system and the remote attacker controls the client. Once installed on a system, it permits unauthorized users
to remotely change the Windows environment, change the user interface, etc. Voodoo Doll typically runs over port
1245 via TCP.
Signature ID: 3319
Backdoor War Trojan
Threat Level: Severe
Signature Description: Backdoor War Trojan is a backdoor program that affects Microsoft Windows operating
systems. The backdoor uses a client/server relationship, where the server component is installed on the victim's system
and the remote attacker controls the client. The server attempts to open a port, typically TCP port 4201, to allow
the client system to connect. Once installed on a system, it permits unauthorized users to remotely perform a variety of
operations, such as changing the registry, executing commands, starting services, listing files, and uploading or
downloading files. Administrators are advised to close port 4201 to external users.
Signature ID: 3320
Backdoor WinCrash 1.03
Threat Level: Severe
Signature Description: Backdoor WinCrash 1.03 is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely manage files, alter the user interface, extract passwords, crash the
system, etc. This signature detects the "ready banner" from WinCrash 1.0, a remote backdoor control program.
Attackers can use WinCrash to completely control an infected Microsoft Windows host. WinCrash typically runs from
the server file "C:\WINDOWS\SERVER.EXE" over port 5742 via TCP.
Signature ID: 3321
Backdoor Windows Mite 1.0
Threat Level: Critical
Signature Description: Backdoor Windows Mite 1.0 is a Trojan that opens up a backdoor program that, once installed
on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry,
executing commands, starting services, listing files, and uploading or downloading files. Windows Mite typically
overwrites the file "C:\WINDOWS\SCANREGW.EXE" with its own server and runs over port 65530 via TCP.