ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
26,112 bytes. Upon execution, it copies itself to the system directory and creates several registry entries. Dumador.IK attempts to send keystrokes and other sensitive information back to the virus author. This backdoor specifically targets the Windows clipboard and the protected storage area of the registry, which holds auto-complete data for Internet Explorer. Dumador.IK also attempts to steal information from browser windows whose titles contain specific strings such as "gold" or "money".
Signature ID: 29197
Elite Keylogger is Running
Threat Level: Warning
Signature Description: Elite Keylogger is a keylogger that can be installed in stealth mode without the user's knowledge. It logs keystrokes entered into Internet Explorer and saves the information for later retrieval. It transmits the collected key log to the Elite Keylogger author using SMTP mail or other methods over the Internet. This rule triggers when an attempt is made to transfer keylogging information via email.
Signature ID: 29198
Elite Keylogger
Threat Level: Warning
Signature Description: Elite Keylogger is a keylogger that can be installed in stealth mode without the user's knowledge. It logs keystrokes entered into Internet Explorer and saves the information for later retrieval. It transmits the collected key log to the Elite Keylogger author using SMTP mail or other methods over the Internet.
Signature ID: 29199
TROJAN Goldun Reporting User Activity
Threat Level: Warning
Signature Description: Trojan.Goldun is a Trojan horse program that steals the user's e-gold authentication credentials. Upon execution, it installs files in the root directory and registers itself as a service so that it becomes active at startup. This Trojan modifies the system32/drivers/etc/hosts file and opens TCP port 4040 to provide backdoor capabilities. It contacts a remote server via HTTP, using a PHP script, and transmits the collected user authentication information.
Signature ID: 29200
Trojan Goldun
Threat Level: Warning
Signature Description: Trojan.Goldun is a Trojan horse program that steals the user's e-gold authentication credentials. Upon execution, it installs files in the root directory and registers itself as a service so that it becomes active at startup. It modifies the system32/drivers/etc/hosts file and opens TCP port 4040 to provide backdoor capabilities, and it contacts a remote server via HTTP using a PHP script.
Signature ID: 29201
Trojan Haxdoor
Threat Level: Warning
Signature Description: Upon execution, this backdoor opens random ports on which it listens for incoming commands from a remote malicious user. It also attempts to steal certain information, which it sends to the remote malicious user via email. It creates registry keys to register itself as a service and to allow itself to execute even when the affected system is running in safe mode. This signature triggers when a packet contains both the pattern 'bsrv.php' and the pattern 'MSIE'.
Signature ID: 29202
Trojan Haxdoor
Threat Level: Warning
Signature Description: This rule triggers when a packet contains the pattern '.php?param'. Upon execution, this backdoor