TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

opens random ports where it listens for incoming commands from a remote malicious user. It also attempts to steal
certain information, which it sends to a remote malicious user via email. It creates registry keys to register itself as a
service and to allow itself to execute even when an affected system is running in safe mode.
Signature ID: 29203
Trojan Orderjack
Threat Level: Warning
Signature Description: Trojan Orderjack affects Windows platforms. It copies itself to the location
%home%\order_%four-digit random character string%.exe and deletes the initially executed copy of itself. This trojan
tries to download a program from remote servers via HTTP, and the downloaded program tries to steal information
while the user is visiting financial websites.
Signature ID: 29204
Trojan PWS-LDPinch
Threat Level: Warning
Signature Description: This is a password stealing trojan designed to email the encoded local passwords to the trojan
author. When the trojan dropper is executed, it drops the password stealer in the Windows directory. Some variants
create a text file in the Windows Temp directory as 1.txt. After that, the password stealer contacts an SMTP server
(hard-coded within the file) and mails the encoded passwords found on the system to the trojan author's email address.
Signature ID: 29205
Trojan PWS Banker.B
Threat Level: Warning
Signature Description: Trojan PWS Banker.B is a Trojan horse that attempts to steal financial information. It also has a
limited backdoor functionality. Upon execution it registers itself as a service to become active at startup. While this
trojan service is running, it attempts to scan title bars of all the open Web browser windows for banking or money
references. If it finds any references, it will capture all the information from these windows, such as the details entered
into documents or Web forms, and uploads it to a remote Web site.
Signature ID: 29206
Trojan PassSickle
Threat Level: Warning
Signature Description: Trojan PassSickle is a Trojan horse that steals passwords and logs keystrokes on the user's
machine when the user has an active session with certain financial Web sites. Upon execution, it registers itself as a
service to become active at startup. PassSickle scans the title bars of all open Web browser windows for banking or
money references. If it finds any references, it will capture all the information from these windows, such as the details
entered into documents or Web forms, and uploads it to a remote Web site.
Signature ID: 29207
Trojan Ranck-CX
Threat Level: Warning
Signature Description: Trojan Ranck-CX is a backdoor proxy Trojan, which allows a remote intruder to gain access to
and control over the computer. Once installed, Troj/Ranck-CX sets up a UDP socket and listens on port
17180. Upon receiving a command from a remote attacker, the Trojan acts as a proxy and redirects network traffic by
attempting to access remote addresses via a UDP socket connection on port 20192.