GEN:SID 1:2182
Message BACKDOOR typot trojan traffic
Summary This event is generated when activity produced by the Linux Trojan Typot is detected.
Impact Increased network traffic leading to bandwidth consumption.
Detailed Information Current information based on binary analysis of the Typot Trojan shows that network traffic is generated with a TCP window size of 55808 bytes. Whilst this Trojan does not appear to contain any malicious payload, it will generate spurious network scanning activity. The source IP address for the scanning activity is spoofed.

When a host becomes infected, a file named "r" is created in the directory from which the binary was executed. The Trojan then begins generating network traffic as described above. An infected victim host may have a file named "a" in the /tmp directory. After an unspecified time period, the Trojan itself may attempt to connect to an external IP address using Secure Shell (ssh) for communication. If this communication is successful, the "a" file may be deleted.

The Trojan may also use the libpcap and libnet libraries to generate network traffic.
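
The window-size check described above, as an added example (not part of the original rule documentation and not the Snort rule itself): Python code that reads the TCP window field from raw IPv4 packets, honouring the IP header length, and reports packets whose window is 55808. The function names, the sample packets and their addresses are constructed for illustration.

```python
import socket
import struct

TYPOT_WINDOW = 55808  # TCP window size given in the Detailed Information above


def tcp_window(packet: bytes):
    """Return the TCP window of a raw IPv4 packet, or None if it has no TCP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length; options move the TCP header
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                        # malformed, not TCP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                        # non-first fragment: no TCP header inside
    return struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]


def find_typot_candidates(packets):
    """Return (index, src, dst) for every packet whose window equals TYPOT_WINDOW.

    The source address is reported for correlation only: the page states it is spoofed.
    """
    hits = []
    for i, pkt in enumerate(packets):
        if tcp_window(pkt) == TYPOT_WINDOW:
            hits.append((i, socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])))
    return hits


def build_packet(src, dst, window, proto=6, ip_options=b""):
    """Constructed sample packet (checksums zero); ip_options must be a multiple of 4 bytes."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + ip_options + tcp


# Constructed capture: addresses are documentation ranges, not real indicators.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.7", 29200),
    build_packet("203.0.113.5", "198.51.100.9", 55808),
    build_packet("203.0.113.6", "198.51.100.9", 55808, ip_options=b"\x01" * 4),
    build_packet("192.0.2.11", "198.51.100.7", 55808, proto=17),
]

if __name__ == "__main__":
    for hit in find_typot_candidates(SAMPLE):
        print(hit)
```

The third sample carries IP options, so a parser that reads the window at a fixed offset would miss it; the fourth is marked as UDP and is ignored even though the same bytes appear at the window position.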
Affected Systems Linux
Attack Scenarios An attacker may have installed the Trojan after a previous system compromise.
Ease of Attack Simple.  
Corrective Action Investigate the affected host for signs of system compromise.

Delete the files "r" and "a" if found.
Additional References Symantec
http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.typot.html

e-week
http://www.eweek.com/article2/0,3959,1130759,00.asp

Intrusec
http://www.intrusec.com/55808.html
Rule References mcafee: 100406