[Snort-sigs] sid 145

Benjamin.Feinstein at ...399...
Fri Mar 1 14:31:04 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriend access"; flags: A+; content:"Girl"; reference:arachnids,98; sid:145; classtype:misc-activity; rev:3;)

GirlFriend is a backdoor trojan that, once installed on the victim's
computer, enables an intruder to gain control of the infected system. Upon
infecting the victim's computer, the GirlFriend program starts a TCP
listener enabling backdoor access and periodically gathers passwords from
the system. Only Win32 systems are known to be vulnerable to this backdoor.

Potential information leakage and negative impact on system availability.
Detailed Information:
GirlFriend is credited to a hacker group calling themselves "General
Failure" and is believed to have been released in 1998. At least two
versions of GirlFriend (1.3 and 1.35) are known to be circulating in the
computer underground. To infect the victim's computer, the GirlFriend
program writes itself to the Windows directory and renames itself to
"windll.exe". The trojan also writes the string "Windll.exe=<windows
dir>\windll.exe" to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the
Windows registry. Once the backdoor is installed, the program will run each
time the victim restarts Windows. GirlFriend examines browser windows which
contain password fields. Passwords and other text entered into these windows
by the victim are written to HKEY_LOCAL_MACHINE\Software\Microsoft\General\
in the Windows registry. When connected to the GirlFriend backdoor server,
an attacker can request this password list on demand. Additionally, it is
believed that an attacker using GirlFriend may:
 - Send WinPopup messages to an infected system
 - Play WAV files on an infected system
 - Display bitmap files on an infected system
 - Execute arbitrary content on an infected system
 - Open arbitrary URLs on an infected system
 - Modify the backdoor server port on an infected system
 - Scan a subnet for other infected systems
 - Copy the Windows password list from an infected system
 - Manage the file system on an infected system
 - Log users off of an infected system
 - Shutdown or reboot an infected system
 - Kill the server on an infected system, clearing the registry
   modifications. The windll.exe will be left behind in the Windows directory
 - Display the username of the user currently logged in on an infected system
 - Display the system time of an infected system
Attack Scenarios:
The trojan executable can be distributed by itself or may be hidden within
another executable using a commonly available hacker tool. The GirlFriend
program may be disguised as a game or other program a user may be tempted to
run. The program may arrive via a common virus propagation vector, such as
an email attachment, file download, etc.
Ease of Attack:
Very easy, once the GirlFriend trojan has been installed on the victim's
computer.
False Positives:
This signature may be triggered by innocuous traffic to port 21554.
False Negatives:
While the GirlFriend program uses the default TCP listener port of 21554 on
the infected machine, the program offers the ability to change this port.
Additionally, variants of the GirlFriend trojan may be circulating that use
a different default port. It is believed that TCP port 21544 may also be used
by the GirlFriend program.
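The following is an added example, not part of the original post or of the Snort rule set: a small Python model of what sid 145 actually checks (tcp, $EXTERNAL_NET with source port != 80 to $HOME_NET port 21554, ACK set, "Girl" anywhere in the payload), run over constructed packet records. It illustrates both caveats above: innocuous traffic on 21554 that happens to contain "Girl" alerts (false positive), and a session to the 21544 port mentioned above is missed unless the port list is widened. The Packet class, the from_external flag standing in for the $EXTERNAL_NET/$HOME_NET direction, and the sample packets are assumptions for the demonstration.

```python
from dataclasses import dataclass

# Values taken from the rule and the description above.
RULE_PORT = 21554            # default GirlFriend listener port in the rule
ALT_PORT = 21544             # port the False Negatives note says may also be used
CONTENT = b"Girl"            # the rule's content: match
TCP_ACK = 0x10               # ACK bit in the TCP flags byte
TCP_PSH = 0x08
TCP_SYN = 0x02


@dataclass
class Packet:
    """Constructed packet record (assumption: $EXTERNAL_NET -> $HOME_NET
    direction is modelled by the from_external flag)."""
    proto: str
    src_port: int
    dst_port: int
    flags: int
    payload: bytes
    from_external: bool = True


def sid145_matches(pkt, listener_ports=(RULE_PORT,)):
    """Model of sid 145: tcp, $EXTERNAL_NET !80 -> $HOME_NET 21554,
    flags: A+ (ACK set, other bits allowed), payload contains b"Girl".
    listener_ports lets the check be widened per the False Negatives note."""
    if pkt.proto != "tcp" or not pkt.from_external:
        return False
    if pkt.src_port == 80:                 # "!80": source port 80 is excluded
        return False
    if pkt.dst_port not in listener_ports:
        return False
    if not pkt.flags & TCP_ACK:            # "A+": ACK must be set
        return False
    return CONTENT in pkt.payload          # no offset/depth: anywhere in payload


def alerts(packets, listener_ports=(RULE_PORT,)):
    """Indexes of the packets that would raise the alert."""
    return [i for i, p in enumerate(packets) if sid145_matches(p, listener_ports)]


# Constructed sample traffic; not a capture of the real trojan.
SAMPLES = [
    Packet("tcp", 4021, RULE_PORT, TCP_ACK | TCP_PSH, b"Girl\x00"),        # 0: looks like a client command
    Packet("tcp", 4022, RULE_PORT, TCP_SYN, b""),                          # 1: bare SYN: no ACK, no content
    Packet("tcp", 4023, RULE_PORT, TCP_ACK | TCP_PSH, b"hello 21554"),     # 2: innocuous traffic on the port
    Packet("tcp", 4024, RULE_PORT, TCP_ACK | TCP_PSH, b"Girlfriend pic"),  # 3: innocuous, still alerts (FP)
    Packet("tcp", 80, RULE_PORT, TCP_ACK | TCP_PSH, b"Girl"),              # 4: source port 80, excluded by !80
    Packet("tcp", 4025, ALT_PORT, TCP_ACK | TCP_PSH, b"Girl\x00"),         # 5: alternate port, missed as written
    Packet("udp", 4026, RULE_PORT, 0, b"Girl"),                            # 6: wrong protocol
]

if __name__ == "__main__":
    print("rule as written  :", alerts(SAMPLES))                       # [0, 3]
    print("with 21544 added :", alerts(SAMPLES, (RULE_PORT, ALT_PORT)))  # [0, 3, 5]
```

Packet 3 is the false positive case from the section above: any ACK-bearing segment to 21554 carrying the four bytes "Girl" fires, whatever it is. Packet 5 is the false negative case: the rule header pins the destination port, so a server moved to 21544 (or any other port) is invisible until the port list is widened, and even then a port changed by the operator is not covered.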
Corrective Action:
Removal requires manual modification of the Windows registry. Using regedit
or the registry editor of your choice, remove the Windll.exe key from
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Reboot the
computer or terminate Windll.exe. Delete windll.exe from the Windows
directory.
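As an added example (not from the original post), here is a Python check over a regedit-style .reg export that looks for the two host-side indicators given in the description: a value under the Run key that names windll.exe, and the presence of the HKEY_LOCAL_MACHINE\Software\Microsoft\General key where captured passwords are written. The export text is constructed for the demonstration; the value names under the General key are a placeholder, since the description does not give them. A real regedit export is UTF-16LE and must be decoded before being passed in.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LOOT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\General"
DROPPED_NAME = "windll.exe"

# Constructed .reg export in regedit's "Export" format; not from a real system.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Windll.exe"="C:\\WINDOWS\\windll.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\Software\Microsoft\General]
"entry0"="constructed placeholder value"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.*?)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export.
    Only quoted-name value lines are handled; the @ default value is skipped."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def girlfriend_indicators(text):
    """List of (finding, detail) pairs for the persistence entry and the
    password-storage key. Key paths are compared case-insensitively, as the
    registry itself is."""
    keys = parse_reg_export(text)
    by_lower = {k.lower(): (k, v) for k, v in keys.items()}
    findings = []
    run = by_lower.get(RUN_KEY.lower())
    if run:
        for name, data in run[1].items():
            if DROPPED_NAME in name.lower() or DROPPED_NAME in data.lower():
                findings.append(("run_entry", f"{name}={data}"))
    loot = by_lower.get(LOOT_KEY.lower())
    if loot is not None:
        findings.append(("password_store_key",
                         f"{loot[0]} with {len(loot[1])} value(s)"))
    return findings


if __name__ == "__main__":
    for finding, detail in girlfriend_indicators(SAMPLE_EXPORT):
        print(finding, "->", detail)
```

The Run entry is the one the Corrective Action section says to remove; matching on the data as well as the value name catches a renamed value that still points at windll.exe. The General key is reported separately because, per the description, it may hold captured passwords that should be reviewed (and the affected accounts' passwords changed) before the key is deleted.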
Ben Feinstein <Ben.Feinstein at ...399...>
Additional References: