Signature Detail

TROJAN: Doly Initial Server Response 2.0

This signature detects the message "Wtzup User" within a server response sent from local TCP port 6789 to a remote port. This can indicate the system is responding to an attacker attempting to use the Trojan Doly to remotely control the system. Doly, a remote administration Trojan similar to Back Orifice, allows attackers to access data and gain control over some functions on remote Microsoft Windows systems.

Extended Description

Doly is a remote administration tool. It enables remote attackers to gain control over an infected system

References

• CVE: CVE-1999-0660
• URL: http://www.juniper.net/security/auto/vulnerabilities/vuln532.html
• URL: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.doly.html
• URL: http://www.pestpatrol.com/PestInfo/D/Doly_Trojan.asp