[Snort-sigs] SID 104

Christopher_Lubrecht at ...381... Christopher_Lubrecht at ...381...
Thu Feb 28 08:25:06 EST 2002

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR -
Dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00
00|Connect"; depth: 16; reference:arachnids,483; sid:104; classtype:misc-activity;

The client activity for a  Windows backdoor program which places a TCP server on
port 2589. This server allows the attacker to connect with a client and do a
variety of tasks as if he was an authorized user.

The attacker can use the machine as he sees fit, and could potentially use the
machine in a  DDOS scheme, or as a platform for additional attacks.

Detailed Information:
The backdoor affects Windows 95/98 machines. When infected, the backdoor opens a
TCP port and allows a client connection. The client can then manipulate, download,
or upload  files, restart or shutdown the computer, communicate with the current
user as well as initiate system tasks. The Backdoor program itself can be located
as a file named "Manager.exe". There is also a registry entry under
"[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices] " and another under
"[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]", with a value of

This signature is evidence of an actuall client connection to that backdoor.

Attack Scenarios:

With this backdoor, and attacker could browse files on the PC, gathering
information for further compromises of a network, or sensitive company data.  The
attacker could also use the platform for further attacks, on your network, or as a
jump point for attacks on other networks. More seriously, the backdoor could be
used to load DDOS software, and later controlled by IRC to use your bandwidth in
an attack against a larger target.  This backdoor can be loaded in a variety of
ways, and like other backdoors, is most often attached to the back of an
executable program or image.

Ease of Attack:


As long as the backdoor exists on the target machine.

False Positives:

False Negatives:

Corrective Action:

Edit the registry to remove the Backdoor registry entries, and search for and
remove the program file, Manager.exe. See virus pages for more information.
Christopher Lubrecht <chris_lubrecht at ...382...>
Additional References:

http://www.tlsecurity.net/backdoor/Dagger.1.4.html  (packet captures and screen
shots of the client)

arachNIDS 483



Any views or opinions are solely those of the
author and do not necessarily represent those
of PR Newswire. The contents are intended
only for the addressee and may contain confidential
and/or privileged material. If you are not the
intended recipient, please do not read, copy,
use or disclose this communication and notify
the sender.

More information about the Snort-sigs mailing list