[Snort-sigs] sig info for database DonaldDick 1.53 Traffic

gdippold at ...47... gdippold at ...47...
Wed Jun 12 09:15:09 EDT 2002

Name:  Donald Dick

Aliases:  DonaldD, Backdoor.DonaldDick

Ports:  23476, 23476 (UDP), 23477 (ports can be changed) (examples: 666, 22222, 32001, 34444 in FAQ)

Files:
Dd152.zip - 365,865 bytes
Dd152.zip - 408,138 bytes
Dd153.zip - 431,704 bytes
Dd154.zip - 502,468 bytes
Dd155.zip - 186,179 bytes
Dds152.zip - 134,543 bytes
Dds153.zip - 160,655 bytes
Ddcg152.zip - 273,210 bytes
Ddcg153.zip - 276,330 bytes
Ddcg154.zip - 278,297 bytes
Ddc153.zip - 15,470 bytes
Ddc152.exe -
Ddc153.exe - 12,288 bytes
Client.exe - 16,896 bytes
Dds152.exe - 243,712 bytes
Ddcg152.exe - 655,872 bytes
Ddcg153.exe - 662,528 bytes
Ddcw.exe - 667,648 bytes
Ddsetup.exe - 293,888 bytes
Ddsetup.exe - 330,240 bytes
Ddsetup.exe - 333,312 bytes
Ddsetup.ini - 4,486 bytes
Ddsfind.exe - 8,192 bytes
Client.exe - 17,920 bytes
Ddick.exe -
Ddick.exe -
Ddick.ini - 54 bytes
Ddick.ini - 56 bytes
Vmldir.vxd -
Intld.vxd -
Bootexec.exe -
Oleproc.exe -
Pnpmgr.pci -
Pmss.exe -
Jpegcomp.dll - 79,360 bytes

ddsetup.exe generates server installable file ddick.exe (unique each time).
oleproc.exe - main executable file
pnpmgr.pci - executable file under Windows95/98
pmss.exe - executable file under WindowsNT
vmldr.vxd - Dick loader and thread manager for Windows95/98
bootexec.exe - Dick loader for WindowsNT
jpegcomp.dll - JPEG compressor (full version only)

Created:  Mar 1999

Requires:  N/A

Actions:  Remote Access / Novell NetWare trojan

 Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.

Versions:  1.52, 1.53, 1.53a1, 1.53a2, 1.53a3, 1.53a4, 1.54, 1.55

Registers:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VMLDIR\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\

Donald Dick
Donald Dick is a pretty widespread Russian trojan. It has a lot of features and is very dangerous. Most virus scanners don't pick it up either.
Here is how to remove the server :
Click Start, and go to Run. In the box, type regedit and click OK.
When regedit starts, you will see a file-like tree on the left hand panel. Open the folders to follow the path:
At the end, click on 'VMLDIR' once, and the right hand panel should change.
Look on the right hand side for the key:
StaticVxD = "vmldir.vxd"
In the LEFT panel, right click on VMLDIR, and choose delete. This should remove the whole folder from the VxD section.
Close regedit and reboot your PC.
Don't go away yet, you're only half done. After you reboot, you still need to delete the trojan program itself.
The trojan is at C:\WINDOWS\System\vmldir.vxd and can be deleted through Windows Explorer, or simply by going into My Computer, C:, and Windows. Once you find the file, right click on it and choose Delete. Then empty your recycling bin.

Removal v1.54 - 1.55
This version's default settings use a different filename than above.
All directions are the same; however, replace 'vmldir' with 'intld' for both the filename (intld.vdx) and the registry path.
Notes:  Works on Windows 95, 98 and NT. Runs on TCP/IP as well as on IPX/SPX. Extremely well written Read Me-files. Uses MD5 encryption. Default password = dick. Source code is available.

Country:  written in Russia

Program:  Written in Visual C++.

Created: September 19, 1999

Modified: April 07, 2001

Variants: 17
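
The registry check from the removal steps above can be run offline against an exported registry file. This is an added example, not part of the original post: it assumes a REGEDIT4-style text export, the function names are hypothetical, and the sample export (including the `NetHelper` key) is constructed.

```python
import re
# Indicators from the post: VxD service key names / loader file stems
# (vmldir = default for 1.52-1.53, intld = default for 1.54-1.55).
VXD_ROOT = r"hkey_local_machine\system\currentcontrolset\services\vxd"
NAMES = {"vmldir", "intld"}
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg(text):
    """Yield (key_path, {value_name: data}) per section of a REGEDIT4 export."""
    key, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            if key is not None:
                yield key, values
            key, values = m.group(1).rstrip("\\"), {}
            continue
        m = VALUE.match(line)
        if m and key is not None:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")  # unescape paths
    if key is not None:
        yield key, values

def find_loader_keys(text):
    """Return (key_path, reason) for VxD subkeys matching the post's indicators."""
    findings = []
    for key, values in parse_reg(text):
        lower = key.lower()
        if not lower.startswith(VXD_ROOT + "\\"):
            continue
        subkey = lower[len(VXD_ROOT) + 1:]
        static = next((v for n, v in values.items() if n.lower() == "staticvxd"), "")
        stem = static.lower().rsplit("\\", 1)[-1].split(".")[0]  # any extension
        if subkey in NAMES:
            findings.append((key, "key name"))
        elif stem in NAMES:  # renamed key that still loads the default file
            findings.append((key, "StaticVxD=" + static))
    return findings

# Constructed sample export; not taken from a real system.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VMM]
"StaticVxD"="*VMM"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VMLDIR]
"StaticVxD"="vmldir.vxd"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\NetHelper]
"StaticVxD"="C:\\WINDOWS\\System\\intld.vxd"
'''
```

Because the post notes that the defaults can differ between versions, a clean result only rules out the default key and file names listed here.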