ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 3323
Xanadu Backdoor detection
Threat Level: Critical
Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a
computer, obtaining access to plain text, etc. while attempting to remain undetected. Xanadu, also known as
Backdoor.Xanadu and Backdoor.Xanadu.11, is a backdoor Trojan written in Visual Basic that affects the Microsoft
Windows family of operating systems. The backdoor uses a client-server relationship, where the server component is
installed in the victim's system and the remote attacker has control of the client. Backdoor Xanadu 1.0 permits
unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands,
starting services, listing files, and uploading or downloading files. Xanadu typically runs from the server file
"C:\WINDOWS\SETUP.exe" via UDP over port 31557.
Signature ID: 3324
Backdoor Xanadu 1.11
Threat Level: Critical
Signature Description: Backdoor Xanadu 1.11 is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry,
executing commands, starting services, listing files, and uploading or downloading files. Xanadu typically runs from
the server file "C:\WINDOWS\SETUP.exe" over port 31557 via TCP.
Signature ID: 3325
Backdoor Xlog 2.2
Threat Level: Critical
Signature Description: Xlog is a backdoor Trojan that affects Microsoft Windows operating systems. When executed,
Xlog copies the server to the Windows System directory as win32i.exe. It modifies the Registry, the system.ini file and
the win.ini file so the backdoor server runs whenever Windows starts up. By default, it opens TCP port 5553 on the
infected machine. Xlog can also monitor keyboard and mouse events. The recorded keystrokes and mouse messages
are saved in the xlog.txt file in the Windows temp directory. A remote attacker could use the Xlog client to gain
unauthorized access to a target system.
Signature ID: 3326
Backdoor Y3K RAT 1.1/1.4
Threat Level: Critical
Signature Description: Backdoor Y3K RAT 1.1 is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry,
executing commands, starting services, listing files, and uploading or downloading files. Y3K RAT typically runs from
the server file "C:\WINDOWS\RundlI.exe" over ports 5882, 5888, and 5889 via TCP.
Signature ID: 3327
Backdoor Y3K RAT 1.1/1.4
Threat Level: Critical
Signature Description: Backdoor Y3K RAT 1.1 is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry,
executing commands, starting services, listing files, and uploading or downloading files. Y3K RAT typically runs from
the server file "C:\WINDOWS\RundlI.exe" over ports 5880, 5882, 5888, and 5889 via TCP.