[Snort-sigs] (no subject)

Gregg Dippold gdippold at ...433...
Fri Apr 19 18:05:29 EDT 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: BACKDOOR DonaldDick 1.53 Traffic  

--
Sid: 153

--
Summary:  Donald Dick is a Russian-developed and maintained, feature-rich
trojan horse with many variants.

--
Impact:  The presence of this program on your network is a serious security
incident.

--
Detailed Information:  

Versions:  1.52, 1.53, 1.53a1, 1.53a2, 1.53a3, 1.53a4, 1.54, 1.55 (source
code available).

Works on Windows 95, 98 and NT (requires write access to the registry). Runs
over TCP/IP as well as over IPX/SPX.

Ports: 23476, 23476 (UDP), 23477. These can be changed.

Files:
Dd152.zip - 365,865 bytes
Dd152.zip - 408,138 bytes
Dd153.zip - 431,704 bytes
Dd154.zip - 502,468 bytes
Dd155.zip - 186,179 bytes
Dds152.zip - 134,543 bytes
Dds153.zip - 160,655 bytes
Ddcg152.zip - 273,210 bytes
Ddcg153.zip - 276,330 bytes
Ddcg154.zip - 278,297 bytes
Ddc153.zip - 15,470 bytes
Ddc152.exe
Ddc153.exe - 12,288 bytes
Client.exe - 16,896 bytes
Dds152.exe - 243,712 bytes
Ddcg152.exe - 655,872 bytes
Ddcg153.exe - 662,528 bytes
Ddcw.exe - 667,648 bytes
Ddsetup.exe - 293,888 bytes
Ddsetup.exe - 330,240 bytes
Ddsetup.exe - 333,312 bytes
Ddsetup.ini - 4,486 bytes
Ddsfind.exe - 8,192 bytes
Client.exe - 17,920 bytes
Ddick.exe
Ddick.exe
Ddick.ini - 54 bytes
Ddick.ini - 56 bytes
Vmldir.vxd
Intld.vxd
Bootexec.exe
Oleproc.exe
Pnpmgr.pci
Pmss.exe
Jpegcomp.dll - 79,360 bytes

ddsetup.exe - generates the installable server file ddick.exe.
oleproc.exe - main executable file.
pnpmgr.pci - executable file under Windows 95/98.
pmss.exe - executable file under Windows NT.
vmldir.vxd - loader and thread manager for Windows 95/98.
Intld.vxd - loader and thread manager (versions 1.54 and 1.55).
bootexec.exe - loader for Windows NT.
jpegcomp.dll - JPEG compressor (full version only).

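
As an added example (not part of this submission and not code from the
Donald Dick software), the following Python turns the two indicator sets
above into a check a responder can run over exported data: it matches
constructed connection-log lines against the default ports listed in this
description (23476 TCP/UDP and 23477 TCP, as read from the Ports line) and
a constructed file listing against the server-side file names. The log
format, the hosts, timestamps and paths in the samples are assumptions made
for the example.

```python
"""Flag Donald Dick indicators (default ports and dropped file names) in
connection logs and file listings. Added example; all sample data below is
constructed and the log format is an assumption."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Default ports from the signature description. The description notes they
# can be changed, so a port match is a lead to confirm, not proof.
DONALD_DICK_PORTS = {("tcp", 23476), ("udp", 23476), ("tcp", 23477)}

# Server-side component file names from the signature description.
DONALD_DICK_FILES = {
    "vmldir.vxd", "intld.vxd", "bootexec.exe", "oleproc.exe",
    "pnpmgr.pci", "pmss.exe", "jpegcomp.dll", "ddick.exe",
}

# Assumed firewall-style log line: "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class PortHit:
    ts: str
    proto: str
    src: str
    dst: str
    port: int
    direction: str  # "to": traffic toward a trojan port; "from": reply from it


def check_connection(line: str) -> Optional[PortHit]:
    """Return a PortHit if either endpoint uses a Donald Dick default port."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not treated as hits
    proto = m["proto"].lower()
    sport, dport = int(m["sport"]), int(m["dport"])
    if (proto, dport) in DONALD_DICK_PORTS:
        return PortHit(m["ts"], proto, m["src"], m["dst"], dport, "to")
    if (proto, sport) in DONALD_DICK_PORTS:
        return PortHit(m["ts"], proto, m["src"], m["dst"], sport, "from")
    return None


def scan_connections(lines: Iterable[str]) -> List[PortHit]:
    return [h for h in map(check_connection, lines) if h is not None]


def scan_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose base name (case-insensitive) is a known component."""
    found = []
    for path in paths:
        name = re.split(r"[\\/]", path)[-1].lower()  # handles \ and / separators
        if name in DONALD_DICK_FILES:
            found.append(path)
    return found


# Constructed sample data for the example.
SAMPLE_LOG = [
    "2002-04-19T18:05:01 tcp 10.0.0.5:1045 -> 10.0.0.9:23476",  # client -> server
    "2002-04-19T18:05:02 tcp 10.0.0.5:1046 -> 10.0.0.9:80",     # ordinary web traffic
    "2002-04-19T18:05:03 udp 10.0.0.5:1047 -> 10.0.0.9:23476",  # UDP control channel
    "2002-04-19T18:05:04 tcp 10.0.0.5:1048 -> 10.0.0.9:23477",  # second TCP port
    "2002-04-19T18:05:05 udp 10.0.0.5:1049 -> 10.0.0.9:23477",  # not a listed combination
    "2002-04-19T18:05:06 tcp 10.0.0.9:23476 -> 10.0.0.5:1045",  # server reply
    "not a log line",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\System\vmldir.vxd",
    r"C:\WINDOWS\System\OLEPROC.EXE",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    for hit in scan_connections(SAMPLE_LOG):
        print(f"{hit.ts} {hit.proto} {hit.src} -> {hit.dst} port {hit.port} ({hit.direction})")
    for path in scan_files(SAMPLE_FILES):
        print(f"suspicious file: {path}")
```

Two limits follow from the description itself: the ports are configurable,
so a clean port scan does not clear a host, and the trojan also runs over
IPX/SPX, which an IP-only log never shows. Treat a port hit as a reason to
check the file names and the VMLDIR (or Intld) registry entry on the host.
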
--
Attack Scenarios:

--
Ease of Attack:  Once installed, the program can be run by anyone who can
operate a GUI.

--
False Positives:

--
False Negatives:

--
Corrective Action:

Start Regedit on the compromised machine.
Go to HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\VMLDIR\
In the left panel, right-click VMLDIR and select Delete.
Close Regedit and reboot the PC; the trojan itself is removed next.
After the reboot, delete the file C:\WINDOWS\System\vmldir.vxd and remove it
from the Recycle Bin.

For versions 1.54 and 1.55:

Replace vmldir.vxd with Intld.vxd. This applies to the registry path as well
as the file name.

--
Contributors:  Gregg Dippold gdippold at ...433...

-- 
Additional References:  http://donalddick.da.ru/
