[Snort-sigs] oops! sent my notes: Donald Dick

gdippold at ...47... gdippold at ...47...
Wed Jun 12 09:29:02 EDT 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: BACKDOOR DonaldDick 1.53 Traffic

--
Sid: 153

--
Summary:  Donald Dick is a Russian-developed and -maintained, feature-rich trojan horse with many variants.

--
Impact:  The presence of this program on your network is a serious security incident.

--
Detailed Information:  

Versions:  1.52, 1.53, 1.53a1, 1.53a2, 1.53a3, 1.53a4, 1.54, 1.55; source code available.

Works on Windows 95, 98 and NT (requires write access to the registry). Runs over TCP/IP as well as IPX/SPX.

Ports: 23476, 23476 (UDP), 23477. These defaults can be changed.

Files (archive or file name - size):
Dd152.zip - 365,865 bytes
Dd152.zip - 408,138 bytes
Dd153.zip - 431,704 bytes
Dd154.zip - 502,468 bytes
Dd155.zip - 186,179 bytes
Dds152.zip - 134,543 bytes
Dds153.zip - 160,655 bytes
Ddcg152.zip - 273,210 bytes
Ddcg153.zip - 276,330 bytes
Ddcg154.zip - 278,297 bytes
Ddc153.zip - 15,470 bytes
Ddc152.exe -
Ddc153.exe - 12,288 bytes
Client.exe - 16,896 bytes
Dds152.exe - 243,712 bytes
Ddcg152.exe - 655,872 bytes
Ddcg153.exe - 662,528 bytes
Ddcw.exe - 667,648 bytes
Ddsetup.exe - 293,888 bytes
Ddsetup.exe - 330,240 bytes
Ddsetup.exe - 333,312 bytes
Ddsetup.ini - 4,486 bytes
Ddsfind.exe - 8,192 bytes
Client.exe - 17,920 bytes
Ddick.exe -
Ddick.exe -
Ddick.ini - 54 bytes
Ddick.ini - 56 bytes
Vmldir.vxd -
Intld.vxd -
Bootexec.exe -
Oleproc.exe -
Pnpmgr.pci -
Pmss.exe -
Jpegcomp.dll - 79,360 bytes

ddsetup.exe - generates the installable server file ddick.exe.
oleproc.exe - main executable file.
pnpmgr.pci - executable file under Windows 95/98.
pmss.exe - executable file under Windows NT.
vmldr.vxd - loader and thread manager for Windows 95/98.
Intld.vxd - loader and thread manager (versions 1.54 and 1.55).
bootexec.exe - loader for Windows NT.
jpegcomp.dll - JPEG compressor (full version only).
--
Attack Scenarios:

--
Ease of Attack:  Once installed, the program can be operated by anyone who can use a GUI.

--
False Positives:

--
False Negatives:

--
Corrective Action:

Start Regedit on the compromised machine.
Go to HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\VMLDIR\
In the left panel, right-click VMLDIR and select Delete.
Close Regedit and reboot the PC; the trojan itself is removed in the next step.
After the reboot, delete the file C:\WINDOWS\System\vmldir.vxd and remove it from the Recycle Bin.

For versions 1.54 and 1.55:

In the steps above, replace vmldir.vxd with Intld.vxd. This applies to the registry path as well, not just the file name.
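The following report-only script is an added example, not part of the original post or the Snort project: it checks a host for the registry key, loader files and default ports listed above so the manual removal steps can be applied with confidence. It assumes a Windows host where PowerShell and the NetTCPIP cmdlets are available, and that the 1.54/1.55 key name is "Intld" as the post implies; it deletes nothing.

```powershell
# Added example: check for the Donald Dick indicators described in the post.
# Assumes PowerShell is available on the host; report-only, no cleanup.

$vxdKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VxD'
$systemDir = Join-Path $env:SystemRoot 'System'
# Registry key and loader file per version range, as given in the post
# (the 'Intld' key name follows the post's "replace the registry path" note).
$loaders = @(
    @{ Version = '1.52/1.53'; Key = 'VMLDIR'; File = 'vmldir.vxd' },
    @{ Version = '1.54/1.55'; Key = 'Intld';  File = 'Intld.vxd'  }
)
# Other component files named in the post
$otherFiles = 'oleproc.exe', 'pnpmgr.pci', 'pmss.exe', 'bootexec.exe', 'jpegcomp.dll'
$findings = @()

foreach ($l in $loaders) {
    $keyPath = Join-Path $vxdKey $l.Key
    if (Test-Path $keyPath) { $findings += "registry key present: $keyPath (version $($l.Version))" }
    $filePath = Join-Path $systemDir $l.File
    if (Test-Path $filePath) { $findings += "loader file present: $filePath (version $($l.Version))" }
}
foreach ($f in $otherFiles) {
    $p = Join-Path $systemDir $f
    if (Test-Path $p) { $findings += "component file present: $p" }
}

# The defaults can be changed by whoever installed it, so a port check
# only catches unmodified builds; treat it as supporting evidence.
$tcpPorts = 23476, 23477
foreach ($c in (Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)) {
    if ($tcpPorts -contains $c.LocalPort) {
        $findings += "TCP listener on default port $($c.LocalPort) (PID $($c.OwningProcess))"
    }
}
foreach ($u in (Get-NetUDPEndpoint -ErrorAction SilentlyContinue)) {
    if ($u.LocalPort -eq 23476) {
        $findings += "UDP endpoint on default port 23476 (PID $($u.OwningProcess))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Donald Dick indicators found.'
} else {
    Write-Output 'Possible Donald Dick infection; review before following the removal steps:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```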

--
Contributors:  Gregg Dippold gdippold at ...47...

-- 
Additional References:  http://donalddick.da.ru/

