[Snort-sigs] oops! sent my notes: Donald Dick
gdippold at ...47...
Wed Jun 12 09:29:02 EDT 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule: BACKDOOR DonaldDick 1.53 Traffic
Summary: Donald Dick is a Russian-developed and -maintained, feature-rich trojan horse with many variants.
Impact: The presence of this program on your network is a serious security incident.
Versions: 1.52, 1.53, 1.53a1, 1.53a2, 1.53a3, 1.53a4, 1.54, 1.55; source code available.
Works on Windows 95, 98 and NT (requires write access to the registry). Runs over TCP/IP as well as IPX/SPX.
Ports: 23476, 23476 (UDP), 23477. Can be changed.
Files (name - size):
Dd152.zip - 365,865 bytes
Dd152.zip - 408,138 bytes
Dd153.zip - 431,704 bytes
Dd154.zip - 502,468 bytes
Dd155.zip - 186,179 bytes
Dds152.zip - 134,543 bytes
Dds153.zip - 160,655 bytes
Ddcg152.zip - 273,210 bytes
Ddcg153.zip - 276,330 bytes
Ddcg154.zip - 278,297 bytes
Ddc153.zip - 15,470 bytes
Ddc152.exe
Ddc153.exe - 12,288 bytes
Client.exe - 16,896 bytes
Dds152.exe - 243,712 bytes
Ddcg152.exe - 655,872 bytes
Ddcg153.exe - 662,528 bytes
Ddcw.exe - 667,648 bytes
Ddsetup.exe - 293,888 bytes
Ddsetup.exe - 330,240 bytes
Ddsetup.exe - 333,312 bytes
Ddsetup.ini - 4,486 bytes
Ddsfind.exe - 8,192 bytes
Client.exe - 17,920 bytes
Ddick.exe
Ddick.exe
Ddick.ini - 54 bytes
Ddick.ini - 56 bytes
Vmldir.vxd
Intld.vxd
Bootexec.exe
Oleproc.exe
Pnpmgr.pci
Pmss.exe
Jpegcomp.dll - 79,360 bytes
ddsetup.exe - generates the server-installable file ddick.exe.
oleproc.exe - main executable file.
pnpmgr.pci - executable file under Windows 95/98.
pmss.exe - executable file under Windows NT.
vmldir.vxd - loader and thread manager for Windows 95/98.
intld.vxd - loader and thread manager (versions 1.54 and 1.55).
bootexec.exe - loader for Windows NT.
jpegcomp.dll - JPEG compressor (full version only).
Ease of Attack: Once installed, the program can be operated by anyone who can use a GUI.
Corrective Action:
Start Regedit on the compromised machine.
Go to HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\VMLDIR\
In the left panel, right-click on VMLDIR and select Delete.
Close Regedit and reboot the PC; the trojan file itself is removed next.
After the reboot, delete the file C:\WINDOWS\System\vmldir.vxd and empty it from the Recycle Bin.
For versions 1.54 and 1.55, replace vmldir.vxd with Intld.vxd throughout. This includes the registry path, not just the file name.
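The indicators above (default ports, server-side file names) and the version-dependent removal steps, as an added Python triage example that is not part of the original post or of the Donald Dick tooling. The flow records and the directory listing are constructed sample data, and every function and variable name is this example's own. It also carries the caveat the post makes: the ports can be changed, so a port match is a lead rather than a confirmation, and a clean port scan is not a clean bill of health.

```python
"""Triage helpers for the Donald Dick indicators listed in the post.

Added example, not part of the original Snort-sigs post. Sample flow
records and the directory listing below are constructed; function and
variable names are this example's own.
"""
from dataclasses import dataclass

# Default listening ports from the post. The post notes they can be
# changed, so a hit here is a lead, not proof, and a miss is not clearance.
DEFAULT_PORTS = {("tcp", 23476), ("udp", 23476), ("tcp", 23477)}

# Server-side file names from the post, lower-cased for comparison.
SERVER_FILES = {
    "oleproc.exe",   # main executable
    "pnpmgr.pci",    # Windows 95/98 executable
    "pmss.exe",      # Windows NT executable
    "vmldir.vxd",    # 95/98 loader, versions up to 1.53
    "intld.vxd",     # 95/98 loader, versions 1.54 and 1.55
    "bootexec.exe",  # NT loader
    "jpegcomp.dll",  # JPEG compressor, full version only
}

# Parent of the VxD service key the post's removal steps delete.
VXD_SERVICE_KEY = "HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Services\\VxD"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line):
    """Parse a whitespace-separated 'src dst proto dport' record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def suspicious_flows(lines):
    """Return flows whose protocol/destination port is a Donald Dick default."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if (flow.proto, flow.dport) in DEFAULT_PORTS:
            hits.append(flow)
    return hits


def server_artifacts(listing):
    """Return names from a directory listing that match the server file set."""
    return sorted(name for name in listing if name.lower() in SERVER_FILES)


def cleanup_plan(version):
    """Registry key and loader file to remove, following the post's steps.

    For 1.54/1.55 the post says to substitute Intld.vxd for vmldir.vxd in
    both the file name and the registry path; the key name INTLD below is
    that substitution applied to VMLDIR (an assumption of this example).
    """
    loader = "Intld.vxd" if version in ("1.54", "1.55") else "vmldir.vxd"
    key_name = loader.split(".")[0].upper()
    return {
        "registry_key": VXD_SERVICE_KEY + "\\" + key_name,
        "file": "C:\\WINDOWS\\System\\" + loader,
    }


# Constructed sample data: src dst proto dport
SAMPLE_FLOWS = """\
# constructed flow log
10.0.0.5 10.0.0.9 tcp 80
10.0.0.7 10.0.0.9 tcp 23476
10.0.0.7 10.0.0.9 udp 23476
10.0.0.8 10.0.0.9 tcp 23477
10.0.0.8 10.0.0.9 udp 23477
""".splitlines()

SAMPLE_LISTING = ["notepad.exe", "OLEPROC.EXE", "pmss.exe", "readme.txt"]


if __name__ == "__main__":
    for flow in suspicious_flows(SAMPLE_FLOWS):
        print("possible Donald Dick traffic:", flow)
    print("server artifacts:", server_artifacts(SAMPLE_LISTING))
    print("cleanup for 1.55:", cleanup_plan("1.55"))
```

The UDP 23477 record is deliberately left unmatched: the post lists UDP only on 23476, and the detector should be read against that list rather than treated as a generic "anything on 2347x" rule.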
Contributors: Gregg Dippold gdippold at ...47...
Additional References: http://donalddick.da.ru/