ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

process is loaded it will inject the created DLL into explorer.exe as a thread and as a module. Finally, it creates the registry entry so that it becomes active at each startup. This signature triggers for inbound malformed packets.

Signature ID: 29045
Fireby Proxy Trojan
Threat Level: Warning
Signature Description: The Fireby Proxy trojan is a backdoor server program that allows a remote attacker to gain unauthorized access to the compromised computer. It comes with a variety of file names, and upon execution it creates a registry entry so that it is active at startup. It listens on a random TCP port and runs as a proxy server, waiting for connections from the remote client. It sends the IP address of the compromised computer and the number of the open TCP port to a Web site on the preconfigured domain on TCP port 10102.

Signature ID: 29046
Hacker Defender
Threat Level: Information
Signature Description: Hacker Defender is a rootkit for Windows NT 4.0, Windows 2000 and Windows XP. The main idea of this program is to use the API functions WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. The new thread rewrites some functions in system modules (mostly kernel32.dll) and injects fake code that checks API results and changes the result in specific cases. The program is completely hidden from all others. It installs hidden backdoors and registers itself as a hidden system service.

Signature ID: 29047
Trojan Hotword
Threat Level: Information
Signature Description: Trojan Hotword is a keylogger that logs keystrokes entered into Internet Explorer and saves the information for later retrieval or sends notification and the information to the author using SMTP mail or other methods over the Internet. Trojan.Hotword could allow a remote attacker to gain unauthorized access to the system. It is also a backdoor Trojan that uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client.

Signature ID: 29048
Hotword Trojan Possible File Upload CHJO
Threat Level: Information
Signature Description: This rule hits when the packet content contains "STOR_". Trojan Hotword is a keylogger that logs keystrokes entered into Internet Explorer and saves the information for later retrieval or sends notification and the information to the author using SMTP mail or other methods over the Internet. Trojan.Hotword could allow a remote attacker to gain unauthorized access to the system. It is also a backdoor Trojan that uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client.

Signature ID: 29049
Hotword Trojan Possible File Upload CFXP
Threat Level: Information
Signature Description: This rule hits when the packet contains "STOR_" and "CFXP.DRV". Trojan Hotword is a keylogger that logs keystrokes entered into Internet Explorer and saves the information for later retrieval or sends notification and the information to the author using SMTP mail or other methods over the Internet. Trojan.Hotword could allow a remote attacker to gain unauthorized access to the system. It is also a backdoor Trojan that uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client.