Pushdo Worm Detected (Trojan_Pushdo)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:

This signature detects an HTTP message containing patterns exhibited by the Pushdo trojan.


Default risk level

High

Sensors that have this signature

Proventia Network IPS: XPU 30.010, Proventia Desktop: 2470, RealSecure Network: XPU 30.010, RealSecure Server Sensor: XPU 30.010, Proventia-G 1.1 and earlier: XPU 30.010, Proventia Network IDS: XPU 30.010, Proventia Network MFS: XPU 30.010, IBM Security Server Protection for Windows: 2.0.300.2470, IBM Security Server Protection for Windows: 1.0.914.2470, IBM Security Server Protection for Windows: 2.1.14.2470, Virtual Server Protection for VMware: XPU 30.010, Proventia Server IPS for Linux technology: 30.010

Systems affected

Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server, Microsoft Windows Vista, Microsoft Windows NT, Microsoft Windows Server 2008

Type

Suspicious Activity

Vulnerability description

The Pushdo worm is a trojan horse that arrives via a malicious web site visited by the host computer. The worm is used to steal information and launch DDoS attacks against other computers, and it updates itself through a remote server.

How to remove this vulnerability

Use an up-to-date antivirus application to determine if the victim's computer is infected by Pushdo. If the application detects the malware, follow its instructions to disinfect and repair the computer.

References

IBM Internet Security Systems Protection Alert
Pushdo SSL DDoS Attacks
http://www.iss.net/threats/pushdoSSLDDoS.html

ISS X-Force
Pushdo Worm Detected
http://www.iss.net/security_center/static/54670.php