GEN:SID 1:145
Message BACKDOOR GirlFriendaccess
Summary Girlfriend is a Trojan Horse.
Impact Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
Detailed Information This Trojan affects the following operating systems:

    Windows 95
    Windows 98
    Windows ME
    Windows NT
    Windows 2000
    Windows XP

No other systems are affected. This is a windows exceutable that makes changes to the system registry. When first executed the Trojan replicates itself and in most cases, gives the copy the name Windll.exe. This file is located in the <drive>:\windows\ directory.

The Trojan server opens port 21554 by default. This port may be changed by the attacker's client after initial connection.

    SID    Message
    ---    -------
    145    GirlFriendaccess
Affected Systems  
Attack Scenarios This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
Ease of Attack This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
Corrective Action Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.

Affected registry keys are:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Registry keys added:

    Windll.exe

Removal of the file Windll.exe is required. Also end the process Windll.exe.

A machine reboot may be required to clear the existing process from running in memory.
Additional References Whitehats arachNIDS
http://www.whitehats.com/info/IDS98

Dark-e
http://www.dark-e.com/archive/trojans/girl/135/index.shtml

NTSecurity.net
http://www.ntsecurity.net/Panda/Index.cfm?FuseAction=Virus&VirusID=400
Rule References arachnids: 98