[Snort-sigs] SID 105

Christopher_Lubrecht at ...381...
Thu Feb 28 07:57:13 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0";
flags: A+; content: "|3200000006000000|Drives|2400|"; depth: 16;
reference:arachnids,484; sid:105; classtype:misc-activity; rev:3;)

Dagger 1.4.0 is a Windows backdoor program which places a TCP server on port 2589.
This server allows the attacker to connect with a client and do a variety of tasks
as if he were an authorized user.

The attacker can use the machine as he sees fit, and could potentially use the
machine in a DDoS scheme, or as a platform for additional attacks.

Detailed Information:
The backdoor affects Windows 95/98 machines. When infected, the backdoor opens a
TCP port and allows a client connection. The client can then manipulate, download,
or upload files, restart or shut down the computer, communicate with the current
user, and initiate system tasks. The backdoor program itself can be located
as a file named "Manager.exe". There is also a registry entry under
"[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]" and another under
"[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]", with a value of

Attack Scenarios:

With this backdoor, an attacker could browse files on the PC, gathering
information for further compromises of a network, or sensitive company data. The
attacker could also use the platform for further attacks on your network, or as a
jump point for attacks on other networks. More seriously, the backdoor could be
used to load DDoS software that is later controlled over IRC to use your bandwidth
in an attack against a larger target. This backdoor can be loaded in a variety of
ways and, like other backdoors, is most often attached to the back of an
executable program or image.

Ease of Attack:

Easy. The attacker simply gets the program onto a machine (through methods such
as newsgroup binary files) and then scans for infected machines. Individual
targets are also possible.

False Positives:

False Negatives:

Corrective Action:

Edit the registry to remove the registry entries, and search for and remove the
program file, Manager.exe. See virus pages for more information.
Christopher Lubrecht <chris_lubrecht at ...382...>
Additional References:

http://www.tlsecurity.net/backdoor/Dagger.1.4.html  (packet captures and screen
shots of the client)

arachNIDS 484
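
Added example (not part of the original submission or of Snort itself): a small
Python model of the tests SID 105 applies, showing how the content string decodes to
exactly 16 bytes, so that "depth: 16" only matches when the pattern starts at payload
offset 0. The sample segments are constructed, the function names are hypothetical,
and the $HOME_NET / $EXTERNAL_NET address checks are left out.

```python
# The content option exactly as it appears in the rule for SID 105.
RULE_CONTENT = "|3200000006000000|Drives|2400|"
SRC_PORT, MIN_DST_PORT, DEPTH, ACK = 2589, 1024, 16, 0x10


def snort_content_to_bytes(content: str) -> bytes:
    """Decode Snort content syntax: text between pipes is hex, the rest is ASCII.
    Backslash escapes are not handled because this rule does not use them."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                      # odd segments sit between a pair of pipes
            out += bytes.fromhex(part)
        else:
            out += part.encode("ascii")
    return bytes(out)


PATTERN = snort_content_to_bytes(RULE_CONTENT)


def matches_sid_105(sport: int, dport: int, tcp_flags: int, payload: bytes) -> bool:
    """True when a TCP segment passes the header, flags and content/depth tests."""
    if sport != SRC_PORT or dport < MIN_DST_PORT:
        return False                   # header: source 2589 -> destination 1024:
    if not tcp_flags & ACK:
        return False                   # flags: A+ is ACK set, other bits ignored
    return PATTERN in payload[:DEPTH]  # depth: 16 limits the search window


# Constructed sample segments (not captured traffic): sport, dport, flags, payload
SAMPLES = {
    "server reply":       (2589, 1040, 0x18, PATTERN + b"constructed-tail"),
    "pattern past depth": (2589, 1040, 0x18, b"\x00" * 4 + PATTERN),
    "wrong source port":  (80,   1040, 0x18, PATTERN),
    "no ACK flag":        (2589, 1040, 0x02, PATTERN),
    "low client port":    (2589, 80,   0x18, PATTERN),
}


def classify(samples=SAMPLES):
    """Run every sample through the matcher and return name -> bool."""
    return {name: matches_sid_105(*seg) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:20} {'ALERT' if hit else 'no match'}")
```

Because the rule is tied to source port 2589, a server moved to another port would
not match it.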


