ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 3416
Backdoor WinCrash 2.0 (2)
Threat Level: Information
Signature Description: Backdoor WinCrash 2.0 is a Trojan that installs a backdoor program which, once present on a
system, permits unauthorized users to remotely manage files, alter the user interface, extract passwords, and crash the
system. Backdoor WinCrash has a server part and a client part. The server part is installed on the victim system, and the
attacker then connects to it with the client part. The default name for the server part is SERVER.EXE, a standalone EXE
application. When the server part is run it installs itself on the system: it copies itself to the \Windows\System directory
under the name of the file it was started from and modifies the Windows Registry so that it is run in all subsequent
Windows sessions. WinCrash typically runs from the server file "C:\WINDOWS\SERVER.EXE" and listens on TCP
port 2406.
Signature ID: 3418
Backdoor Y3K RAT 1.6
Threat Level: Severe
Signature Description: Backdoor Y3K RAT 1.6 is a Trojan that installs a backdoor program which, once present on a
system, permits unauthorized users to remotely perform a variety of operations that give them control of the computer.
Its feature list includes overclock CPU, destroy system.ini, info, msg, explorer, windows, passwords, restart, keylogger,
FTP server, password, and notify. In certain circumstances it can also allow the complete destruction of the user's hard
drive, which renders the computer useless. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe"
and listens on TCP ports 5882, 5888, and 5889.
Signature ID: 3419
BackDoor CGI Bionet 2.6.1a
Threat Level: Severe
Signature Description: Backdoor CGI BioNet 2.6.1a is a Trojan that installs a backdoor program which, once present
on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry,
executing commands, starting services, listing files, and uploading or downloading files. It is a remote administration
tool and Trojan horse that affects most Microsoft Windows operating systems. BioNet is built using the client-server
model. The client portion is used by the attacker to control the BioNet server. The server portion, which executes
commands issued by the BioNet client, is highly configurable, and is usually installed on a victim computer along with
a dynamically linked library that allows the attacker to download and run Windows plug-ins.
Signature ID: 3420
BackDoor Nirvana 1.95/1.99
Threat Level: Severe
Signature Description: This rule tries to detect Backdoor Nirvana. Backdoor Nirvana 1.95/1.99 is a Trojan that installs
a backdoor program which, once present on a system, permits unauthorized users to remotely perform a variety of
operations, such as changing the registry, executing commands, starting services, listing files, and uploading or
downloading files. It affects Microsoft Windows operating systems. Once the Nirvana server is launched, it copies
itself to the Windows Fonts directory as Arial.exe. It listens on Transmission Control Protocol (TCP) port 2255 for
incoming connections. Registry auto-run keys are added so that the Trojan server part is executed whenever Windows
starts. Through the Nirvana client, an attacker can perform malicious actions including transferring files and formatting
the hard drive.
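The descriptions for signatures 3416, 3418 and 3420 give concrete indicators an analyst can cross-check outside the IPS: the TCP ports the server parts listen on (2406; 5882, 5888 and 5889; 2255) and the on-disk paths and autorun persistence they use. The following Python is an added example, not part of the ProCurve TMS zl product or this guide. It collects those indicators into two tables and runs them over a constructed flow log and a constructed list of registry Run entries; the flow-log line format is hypothetical, the drive letter and Windows directory are assumed to be C:\WINDOWS, and only the path strings quoted on this page are used.

```python
"""Triage helper built from the indicators quoted in signatures 3416, 3418 and 3420.
Added example for this page; not code from the ProCurve TMS zl Module."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Destination TCP ports named in the signature descriptions, keyed to the
# signature ID and backdoor name they belong to.
BACKDOOR_PORTS: Dict[int, Tuple[str, str]] = {
    2406: ("3416", "Backdoor WinCrash 2.0"),
    5882: ("3418", "Backdoor Y3K RAT 1.6"),
    5888: ("3418", "Backdoor Y3K RAT 1.6"),
    5889: ("3418", "Backdoor Y3K RAT 1.6"),
    2255: ("3420", "BackDoor Nirvana 1.95/1.99"),
}

# Server file locations quoted on the page, lower-cased for case-insensitive
# comparison. Assumption: the Windows directory is C:\WINDOWS.
BACKDOOR_PATHS: Dict[str, Tuple[str, str]] = {
    r"c:\windows\server.exe": ("3416", "Backdoor WinCrash 2.0"),
    r"c:\windows\rundli.exe": ("3418", "Backdoor Y3K RAT 1.6"),
    r"c:\windows\fonts\arial.exe": ("3420", "BackDoor Nirvana 1.95/1.99"),
}

# Hypothetical one-record-per-line flow log format, constructed for this example.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>\S*)$"
)


class Hit(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    sig_id: str
    name: str


def parse_flow(line: str) -> Optional[dict]:
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage_flows(log_text: str) -> List[Hit]:
    """Flag client-side TCP connection attempts (SYN without ACK) to a listed backdoor port.
    The server's SYN/ACK reply and any UDP traffic are deliberately ignored."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if "S" not in rec["flags"] or "A" in rec["flags"]:
            continue
        sig = BACKDOOR_PORTS.get(rec["dport"])
        if sig:
            hits.append(Hit(rec["ts"], rec["src"], rec["dst"], rec["dport"], *sig))
    return hits


def triage_autoruns(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """entries: (registry Run value name, command path) pairs, as exported from the Run key.
    Returns (value name, path, signature ID, backdoor name) for each known server path."""
    hits = []
    for name, path in entries:
        sig = BACKDOOR_PATHS.get(path.strip('"').lower())
        if sig:
            hits.append((name, path, sig[0], sig[1]))
    return hits


# Constructed sample data: one WinCrash connection attempt and its reply, a UDP packet to
# 2255 (wrong protocol), a Y3K RAT attempt on 5888, ordinary HTTPS, and a malformed line.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z proto=tcp src=203.0.113.7:51234 dst=192.0.2.10:2406 flags=S
2024-05-01T10:00:02Z proto=tcp src=192.0.2.10:2406 dst=203.0.113.7:51234 flags=SA
2024-05-01T10:00:05Z proto=udp src=203.0.113.7:40000 dst=192.0.2.11:2255 flags=
2024-05-01T10:00:09Z proto=tcp src=203.0.113.9:42000 dst=192.0.2.12:5888 flags=S
2024-05-01T10:00:12Z proto=tcp src=192.0.2.5:50000 dst=198.51.100.2:443 flags=S
this line is not a flow record
"""

SAMPLE_AUTORUNS = [
    ("Server", r"C:\WINDOWS\SERVER.EXE"),
    ("Arial", r"C:\WINDOWS\Fonts\Arial.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for h in triage_flows(SAMPLE_FLOWS):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport}  sig {h.sig_id} {h.name}")
    for name, path, sig_id, bname in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"Run value {name!r} = {path}  sig {sig_id} {bname}")
```

A port match on its own is only a triage lead: nothing stops a legitimate service from using 2255 or 2406, and the IPS signature itself is what decides on traffic content. The autorun check is the stronger of the two, because the paths come straight from the descriptions, but a renamed WinCrash server (it keeps the name it was launched under) will not be caught by an exact path match.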
Signature ID: 3421
BackDoor Olive
Threat Level: Severe
Signature Description: This rule tries to detect Backdoor Olive. Backdoor Olive 2.4 is a Trojan that opens up a