[Snort-sigs] SID 119

Christopher_Lubrecht at ...381... Christopher_Lubrecht at ...381...
Thu Mar 7 19:32:03 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access";
content: "|57 74 7a 75 70 20 55 73 65|"; flags: A+; depth: 32;
reference:arachnids,312; sid:119; classtype:misc-activity; rev:3;)
The Doly 2.0 backdoor is a remote access trojan which allows the attacker to
control a variety of functions on a Windows 95/98/NT machine. These functions
range from information gathering, to machine control to a variety of minor
As with any remote access trojans, the impact can be minor to very severe. A
compromised host can be used to further compromise a network, used in a DDOS
scheme, or be used as a launch point for further compromise attacks.
Detailed Information:
The Doly 2.0 trojan was last released in Beta only.  It does not infect machines
on its own, and needs to be merged with another executable, or installed via
social engineering or host compromise.  There are features which require an
additional DLL file, which would need to be uploaded separately. The trojan is
able to be customized, and offers features, many of which do not work.  An
attacker can manipulate files, open/close the CD tray, swap mouse buttons as well
as steal passwords and take screen shots. This version mainly offers a decrease in
size, and due to the bugs and non-working features, may see limited use. An
earlier version of this trojan is more likely to be seen.
Attack Scenarios:
An attacker using this trojan could gain information to compromise the rest of
your network, or simply use the trojan to prove his/her "l33t-ness" (By using the
annoying features such as pop-up messages , tray opening or mouse button
Ease of Attack:

False Positives:
The signature looks for a packet with the content of "Wtzup Us". Unless someone
does casual surfing, or transfers which matches the port, and content, false
positives should be fairly low.
False Negatives:

Corrective Action:
http://www.dark-e.com/archive/trojans/doly/20/index.shtml offers the following
steps to remove this trojan.

"Remove the Ms tesk keys in the registry located at
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run. Then delete
Enable, parameters, path and startup keys in the registry located at
HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\Ava. Which can be done with
regedit or any other registry editing program.
Reboot the computer or close mdm.exe in the program files directory (Usually
c:\program files\) and in the windows start up directory (Usually c:\windows\start
menu\programs\startup\). Also reboot or close Kernal32.exe in the windows system
Delete the trojan file Kernal32.exe in the windows system directory. Also delete
mdm.exe in the windows start up directory (Usually c:\windows\start
menu\programs\startup\) and in the program files directory (Usually c:\program
files\). If any of the files can not be deleted or closed then reboot the computer
into DOS mode and delete them there.  "

Christopher Lubrecht chris_lubrecht at ...382...
Additional References:



Any views or opinions are solely those of the
author and do not necessarily represent those
of PR Newswire. The contents are intended
only for the addressee and may contain confidential
and/or privileged material. If you are not the
intended recipient, please do not read, copy,
use or disclose this communication and notify
the sender.

More information about the Snort-sigs mailing list