Rule Category

MALWARE-BACKDOOR -- Snort has detected suspicious communication traffic unrelated to commands, such as exfiltration of data from the infected machine, especially larger chunks of data.

Alert Message

MALWARE-BACKDOOR Vampire 1.2 connection request

Rule Explanation

This event is generated when an attempt is made to request a connection using the Vampire 1.2 trojan.

Impact: If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.

Details: Vampire 1.2 uses port 1020 by default. This port cannot be changed by the attacker. The following is a list of the commands for many of Vampire 1.2's functions (Command Name: Command String):

Chat With Victim: chat
Clear Recent Folder: cleardoc
Close Windows: endwin
Corrupt File: currfile
Crazy Mouse: crazy
Delete Directory: deletedir
Delete File: delete
Disk Space Left: space
Disable CTRL-ALT-DEL: ctrldisable
Enable CTRL-ALT-DEL: ctrlenable
Fill Hard Drive: fillhd
Find File: findfiles
Format: format
Get Active Windows: getact
Get ICQ Number: geticq
Get Local Time: gettime
Get Operating System: getos
Get Server Path: getpath
Get System Owner: getowner
Get Temp Directory: gettemp
Get Windows Directory: getwin
Get Current User: getname
Get Disk Serial Number: getserial
Get Hard Drive: gethd
Get Organization: getorg
Hang Up Modem: hangup
ISP Account Info: ispinfo
Kill Window: killtask
Logoff: logoff
Make Directory: makedir
Monitor Off: monitoroff
Monitor On: monitoron
Hide Mouse: hidemouse
Show Mouse: showmouse
Open Control Panel: panel
Open Date And Time: date
Open CD-ROM: cdopen
Close CD-ROM: cdclose
Open URL: www
Ping: ping
Read A Drive: reada
Reboot: reboot
Kill Registry: regfuck
Run Program: run
Screenshot: screenshot
Send Keys: text
Send Message: sndmsg
Set Computer Name: pcname
Set Volume Label: setvolumelabel
Shutdown: shutdown
Hide Task Bar: hidetask
Show Task Bar: showtask
Wacky CD-ROM: wackycd

Ease of Attack: Easy. Simply a matter of pressing the connect button once the victim has installed the server.
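As an added illustration (not the Snort rule itself, which is not reproduced on this page, and not Talos code), a small Python checker that applies the two facts the explanation gives, the fixed port 1020 and the command vocabulary, to constructed flow records. The flow tuple layout and the sample traffic are assumptions made for the example.

```python
from typing import Iterable, Optional

VAMPIRE_PORT = 1020  # default port; per the rule explanation it cannot be changed

# Command strings taken from the rule explanation above.
VAMPIRE_COMMANDS = frozenset("""
chat cleardoc endwin currfile crazy deletedir delete space ctrldisable ctrlenable
fillhd findfiles format getact geticq gettime getos getpath getowner gettemp getwin
getname getserial gethd getorg hangup ispinfo killtask logoff makedir monitoroff
monitoron hidemouse showmouse panel date cdopen cdclose www ping reada reboot
regfuck run screenshot text sndmsg pcname setvolumelabel shutdown hidetask showtask
wackycd
""".split())


def vampire_command(dst_port: int, payload: bytes) -> Optional[str]:
    """Return the Vampire 1.2 command string if the payload looks like one sent
    to the trojan's default port, otherwise None.

    Only the first whitespace-delimited token is checked and only on port 1020:
    several command strings ("date", "run", "text", "ping") are ordinary words,
    so matching anywhere in the payload, or on any port, would be far too noisy.
    """
    if dst_port != VAMPIRE_PORT:
        return None
    try:
        tokens = payload.decode("ascii").split(maxsplit=1)
    except UnicodeDecodeError:
        return None  # binary data, not a text command
    if not tokens:
        return None
    cmd = tokens[0].lower()
    return cmd if cmd in VAMPIRE_COMMANDS else None


def scan_flows(flows: Iterable[tuple]) -> list:
    """flows: (src_ip, dst_ip, dst_port, payload) tuples (assumed layout); returns hits."""
    hits = []
    for src, dst, port, payload in flows:
        cmd = vampire_command(port, payload)
        if cmd:
            hits.append((src, dst, cmd))
    return hits


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", 1020, b"getos\r\n"),
    ("10.0.0.5", "10.0.0.9", 1020, b"screenshot\r\n"),
    ("10.0.0.5", "10.0.0.9", 80, b"GET /run HTTP/1.1\r\n"),  # wrong port, ignored
    ("10.0.0.5", "10.0.0.9", 1020, b"HELLO\r\n"),            # port 1020, unknown token
    ("10.0.0.5", "10.0.0.9", 1020, b"\xff\xfe\x00"),         # non-ASCII, ignored
]

if __name__ == "__main__":
    for src, dst, cmd in scan_flows(SAMPLE_FLOWS):
        print("Vampire 1.2 command %r from %s to %s" % (cmd, src, dst))
```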

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Original Rule Writer: Ricky Macatee Cisco Talos

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None