ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 29208
Trojan Sicklebot
Threat Level: Warning
Signature Description: Machines infected by SickleBot attempt to connect to a web server controlled by the attacker in order to receive commands for the desired action. The infected machine, together with the other infected computers connected to that web server, forms a botnet, which attackers use to perform DDoS attacks against servers of their choosing.
Signature ID: 29209
Trojan ICMP Tunnel
Threat Level: Warning
Signature Description: Trojan ICMP Tunnel steals sensitive information and sends it to the attacker inside ICMP packets. Upon infecting a victim's computer, the Trojan installs itself as an Internet Explorer Browser Helper Object (BHO). The BHO then waits for the user to post personal information to a monitored website. As this information is entered by the user, it is captured by the BHO and sent back to the attacker.
Signature ID: 29210
Trojan Torpig-R
Threat Level: Warning
Signature Description: Trojan Torpig-R is a password-stealing Trojan for the Windows platform. When Troj/Torpig-R runs, some or all of the Trojan-related files are created either in the folder C:\Program Files\Common Files\Microsoft Shared\Web or in the folder <System>\..\temp:. Most of the created file names start with "ibm". It also creates a registry entry so that it runs at startup. The Trojan attempts to steal passwords, logs keypresses and open window titles to text files, and periodically sends the collected information to a remote user via HTTP. Trojan Torpig-R may download and run additional files from a remote site. Configuration files that define further behaviors may also be downloaded. Torpig-R automatically closes security warning messages displayed by common anti-virus and security-related applications. This rule triggers when an attacker sends the file 'x25.php'.
Signature ID: 29211
Trojan Torpig-R
Threat Level: Warning
Signature Description: This event triggers when an attacker sends the file 'wur8.php'. Trojan Torpig-R is a password-stealing Trojan for the Windows platform. When Troj/Torpig-R runs, some or all of the Trojan-related files are created either in the folder C:\Program Files\Common Files\Microsoft Shared\Web or in the folder <System>\..\temp:. Most of the created file names start with "ibm". It also creates a registry entry so that it runs at startup. The Trojan attempts to steal passwords, logs keypresses and open window titles to text files, and periodically sends the collected information to a remote user via HTTP. Trojan Torpig-R may download and run additional files from a remote site. Configuration files that define further behaviors may also be downloaded. Torpig-R automatically closes security warning messages displayed by common anti-virus and security-related applications.
Signature ID: 29212
Trojan W32Agent.dsi Vulnerability
Threat Level: Warning
Signature Description: Trojan W32.Agent.dsi is a downloader Trojan horse. It may be installed when visiting malicious websites that pose it as a plug-in for Internet Explorer that enhances its features. Upon execution it registers itself with an Apache web server and downloads data from that server. It then creates files containing domain names, connects to the whois servers of several registries to query the domain names from the file, and downloads new data from these sites. This rule detects the attack pattern "/getgewinnspiel?uid=" being sent to the external server.