ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
remote attacker has control of the client. The server attempts to open a port, typically TCP 1850, to allow the client
system to connect. Black Angel could allow a remote attacker to gain unauthorized access to the system. Black Angel is
also known as Black Angel.13 and Black Angel b5.
Signature ID: 3365
Backdoor Breach 4.5
Threat Level: Severe
Signature Description: Backdoor Breach 4.5 is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely log keystrokes, edit files, run applications, change ports, etc. Aliases
include B.R.E.A.C.H., Backdoor.Breach, and Backdoor.Prowler. TCP port 420 is flagged because a Trojan or virus has
used this port in the past to communicate.
Signature ID: 3368
Backdoor Breach Pro
Threat Level: Severe
Signature Description: Backdoor Breach Pro is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely log keystrokes, edit files, run applications, change ports, etc. Trojans
can be distributed as unsolicited email attachments, or bundled with freeware and shareware programs. Once executed,
the server file runs in stealth mode, melts away (is deleted) from its original location, and is then placed in
c:\WINDOWS\Windll32.exe. A universal password is used with the server; if the password has been changed, the
connection to the server fails. The universal password is "tramlaw".
Signature ID: 3369
Backdoor Buschtrommel 1.0
Threat Level: Severe
Signature Description: Backdoor Buschtrommel is a backdoor Trojan affecting Microsoft Windows operating systems.
It spreads by manual installation. When first executed, Buschtrommel copies the backdoor server to the Windows
System directory. It modifies the registry so that the backdoor server runs whenever Windows starts up. By default, the
backdoor server opens TCP port 31745 on the victim machine. Buschtrommel can disable several anti-virus programs. A
remote attacker can use the Buschtrommel client to gain unauthorized access to the victim system. The attacker can
then perform operations such as uploading or downloading files, executing commands, restarting Windows, controlling
the mouse, sending e-mail messages, launching a denial of service attack, and performing an application redirect.
Signature ID: 3370
Backdoor Cafeini 0.8
Threat Level: Severe
Signature Description: Backdoor CAFEiNi is a backdoor Trojan written in Visual C++ that affects Microsoft Windows
operating systems. The backdoor uses a client/server relationship, where the server component is installed in the
victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port
80 or 51966, to allow the client system to connect. CAFEiNi could allow a remote attacker to gain unauthorized access
and gain complete control of the system. Aliases include Backdoor.Cafeini.08, Backdoor.Cafeini.09,
Backdoor.Cafeini.10 and Backdoor.Cafeini.11.
Signature ID: 3371
Backdoor Celine
Threat Level: Severe
Signature Description: Backdoor Celine is a backdoor Trojan written in BASIC that affects Microsoft Windows
operating systems. The backdoor uses a client/server relationship, where the server component is installed in the
victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port