[Snort-sigs] (no subject)
leonardo at ...530...
Fri Apr 19 18:05:04 EDT 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flags: A+; content:"Girl"; reference:arachnids,98; sid:145; classtype:misc-activity; rev:3)
Efective connection on a trojan server running on a Microsoft Windows workstation in your internal network.
The attacker may send messages, execute remote comands, eavesdrop text boxes and
manipulate files. It's speciality is an offline password logger.
This backdoor usually drops the WINDLL.EXE in your Windows directory. Than it updates the registry including
the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WINDLL.EXE = "C:\WINDOWS\WINDLL>EXE
The trojan stays resident in memory as a service process until next boot. Though it is invisible in
Microsoft Windows 9x series.
This trojan infects Microsoft Windows systems.
Ease of Attack:
The user has to execute the malicious code on the local machine. Once installed the client
easily connect to the trojan server.
Conection to a webserver in a non-standard port (for example 8080) that serves a object that contains the
word girl and happens to use the client port 21554 by chance.
The rule expects the "Girl" string in the data stream and the conection established on the port 21554. Modified version
could open other port or exchange different stream of data. None reported until now.
Boot the infected machine. The trojan will not be active in the next boot. Scan the disk with
your prefered antivirus software with a update pattern.
More information about the Snort-sigs