TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 3409
Backdoor One 0.1 (2) or Transcout
Threat Level: Severe
Signature Description: Backdoor One 0.1 is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry,
executing commands, starting services, listing files, and uploading or downloading files.
Signature ID: 3410
Backdoor R0xr4t 1.0
Threat Level: Severe
Signature Description: This rule detects Backdoor R0xr4t 1.0, a Trojan that opens up a backdoor program that, once
installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the
registry, executing commands, starting services, listing files, and uploading or downloading files. R0xr4t typically
runs from the server files "C:\WINDOWS\RUNDLL666.EXE" and "C:\WINDOWS\SYSTEM\RUNVXD32.EXE" and listens on
TCP ports 5050, 60551 and 60552.
Signature ID: 3412
Remote Explorer Backdoor detection
Threat Level: Severe
Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a
computer, obtaining access to plain text, etc., while attempting to remain undetected. This signature detects the Remote
Explorer 1.0 backdoor, which infects the Microsoft Windows family of operating systems. Remote Explorer is a
worm/backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of
operations, such as changing the registry, executing commands, starting services, listing files, and uploading or
downloading files. Remote Explorer typically runs from the server file "C:\WINDOWS\SYSTEM\WIN128.EXE" and
listens on TCP port 5632.
Signature ID: 3413
Backdoor Remote Explorer 1.0 (2)
Threat Level: Information
Signature Description: Backdoor Remote Explorer is a Trojan that opens up a backdoor program. Once installed on a
system, it permits unauthorized users to remotely perform a variety of operations, such as changing the registry,
executing commands, starting services, listing files, and uploading or downloading files. Remote Explorer typically
runs from the server file "C:\WINDOWS\SYSTEM\WIN128.EXE" and listens on ports 1026 and 2000 over both TCP and UDP.
Signature ID: 3415
Backdoor WinCrash 2.0
Threat Level: Severe
Signature Description: Backdoor WinCrash 2.0 is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely manage files, alter the user interface, extract passwords, and crash the
system. Backdoor WinCrash has server and client components: the server must be installed on the remote system for
the client to gain access to it. The default name of the server component is SERVER.EXE, a standalone EXE
application. When the server is run it installs itself on the system: it copies itself to the \Windows\System directory
under the name of the file it was started from and modifies the Windows Registry so that it is run in all subsequent
Windows sessions. WinCrash typically runs from the server file "C:\WINDOWS\SERVER.EXE" and listens on TCP port 2583.
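The entries above (3410, 3412, 3413 and 3415) share one shape: a dropped server file at a fixed Windows path and one or more listening ports. The following is an added example, not part of this reference guide or of the TMS zl Module's own signature engine, that turns those published indicators into two simple checks an analyst can run offline: one over connection records (matching the destination protocol and port, since the backdoor server listens and the client connects) and one over a list of process image paths. The flow-log format, the sample records and the sample paths are constructed for the example; signature 3409 is left out because the page gives no port or path for it. Port-only hits are low-fidelity (1026 and 2000 in particular see ordinary traffic), so treat a flow hit as a lead to confirm with the host-side path check, not as a verdict.

```python
"""Offline matcher for the backdoor indicators listed on this page (added example)."""
import re
from collections import defaultdict

# Indicators transcribed from the signature entries above.
SIGNATURES = {
    3410: {"name": "Backdoor R0xr4t 1.0",
           "ports": {("tcp", 5050), ("tcp", 60551), ("tcp", 60552)},
           "paths": {r"C:\WINDOWS\RUNDLL666.EXE", r"C:\WINDOWS\SYSTEM\RUNVXD32.EXE"}},
    3412: {"name": "Remote Explorer Backdoor detection",
           "ports": {("tcp", 5632)},
           "paths": {r"C:\WINDOWS\SYSTEM\WIN128.EXE"}},
    3413: {"name": "Backdoor Remote Explorer 1.0 (2)",
           "ports": {("tcp", 1026), ("udp", 1026), ("tcp", 2000), ("udp", 2000)},
           "paths": {r"C:\WINDOWS\SYSTEM\WIN128.EXE"}},
    3415: {"name": "Backdoor WinCrash 2.0",
           "ports": {("tcp", 2583)},
           "paths": {r"C:\WINDOWS\SERVER.EXE"}},
}

# Inverted indexes: (proto, port) -> signature IDs, and upper-cased path -> signature IDs.
PORT_INDEX = defaultdict(set)
PATH_INDEX = defaultdict(set)
for _sig_id, _sig in SIGNATURES.items():
    for _key in _sig["ports"]:
        PORT_INDEX[_key].add(_sig_id)
    for _path in _sig["paths"]:
        PATH_INDEX[_path.upper()].add(_sig_id)

# Assumed flow-log line format (constructed for this example, not a vendor format):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)",
    re.IGNORECASE,
)


def scan_flows(lines):
    """Return (signature_id, dst_ip, proto, dst_port) for each flow whose
    destination protocol/port is a listener port from SIGNATURES.
    Only the destination side is checked: the backdoor server listens,
    so a matching *source* port on a reply packet is not an indicator."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue  # unparseable record: skip it rather than guess
        key = (m["proto"].lower(), int(m["dport"]))
        for sig_id in sorted(PORT_INDEX.get(key, ())):
            hits.append((sig_id, m["dst"], key[0], key[1]))
    return hits


def scan_image_paths(paths):
    """Return (signature_id, path) for each process image path equal to a
    server file from SIGNATURES. Windows paths are case-insensitive, so the
    comparison is upper-cased; only the full path matches, since a bare
    SERVER.EXE elsewhere on disk is not what the signature describes."""
    hits = []
    for p in paths:
        for sig_id in sorted(PATH_INDEX.get(p.strip().upper(), ())):
            hits.append((sig_id, p))
    return hits


# Constructed sample input (not real traffic or a real host inventory).
SAMPLE_FLOWS = [
    "2024-05-01T09:00:01 tcp 192.0.2.10:51022 -> 198.51.100.7:5632",   # 3412
    "2024-05-01T09:00:02 udp 192.0.2.10:51023 -> 198.51.100.7:2000",   # 3413 (UDP is in scope)
    "2024-05-01T09:00:03 udp 192.0.2.10:51024 -> 198.51.100.7:2583",   # no hit: 3415 is TCP only
    "2024-05-01T09:00:04 tcp 198.51.100.7:5050 -> 192.0.2.10:51025",   # no hit: 5050 is the source port
    "2024-05-01T09:00:05 tcp 192.0.2.10:51026 -> 198.51.100.7:60551",  # 3410
    "not a flow record",
]
SAMPLE_PATHS = [
    r"C:\Windows\System\win128.exe",  # 3412 and 3413 share this path
    r"C:\WINDOWS\SERVER.EXE",         # 3415
    r"C:\Users\Alice\SERVER.EXE",     # no hit: wrong directory
]

if __name__ == "__main__":
    for sig_id, dst, proto, port in scan_flows(SAMPLE_FLOWS):
        print(f"flow hit  sig {sig_id} ({SIGNATURES[sig_id]['name']}): {dst} {proto}/{port}")
    for sig_id, path in scan_image_paths(SAMPLE_PATHS):
        print(f"path hit  sig {sig_id} ({SIGNATURES[sig_id]['name']}): {path}")
```

Signatures 3412 and 3413 deliberately both fire on WIN128.EXE: the page lists the same server file under two entries that differ only in the ports they cover, so a path hit narrows the family but not the entry, while a port hit does the reverse.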