Signature Detail

TROJAN: NetSphere Server Response (TCP/30101-30103)

This signature detects TCP packets sent from local server port 30101-30103 to a remote port. This can indicate the system is responding to an attacker to confirm successful installation of the Trojan NetSphere v1.31.337. NetSphere, a remote administration Trojan, allows attackers to access data and gain control over some functions on remote Microsoft Windows systems.

Extended Description

NetSphere is a Trojan that enables remote attackers to perform dangerous actions on an infected system, such as accessing and manipulating the file system.

References

• CVE: CVE-1999-0660
• URL: http://www.iss.net/security_center/advice/Phauna/RATs/programs/NetSphere/default.htm
• URL: http://www.glocksoft.com/trojan_list/NetSphere.htm
• URL: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075686