TROJAN: Doly Initial Server Response 2.0

This signature detects the message "Wtzup User" within a server response sent from local TCP port 6789 to a remote port. This can indicate the system is responding to an attacker attempting to use the Trojan Doly to remotely control the system. Doly, a remote administration Trojan similar to Back Orifice, allows attackers to access data and gain control over some functions on remote Microsoft Windows systems.

Extended Description

Doly is a remote administration tool. It enables remote attackers to gain control over an infected system

References

CVE: CVE-1999-0660

URL: http://www.juniper.net/security/auto/vulnerabilities/vuln532.html http://securityresponse.symantec.com/avcenter/venc/data/backdoor.doly.html http://www.pestpatrol.com/PestInfo/D/Doly_Trojan.asp

Short Name

TROJAN:DOLY:SERVER-RES-V2

Severity

Major

Recommended

False

Recommended Action

Drop

TROJAN: Doly Initial Server Response 2.0

Extended Description

References

Found a potential security threat?