| Field | Value |
|-------|-------|
| VID | 24042 |
| Severity | 40 |
| Port | 1020, 6669 |
| Protocol | TCP |
| Class | BackDoor |

Detailed Description

Backdoor Vampire is detected. Vampire is a trojan horse program created in June 1999 and written in Visual Basic. The backdoor consists of Vampire.exe (the agent program) and server.exe (the server program). It listens on TCP port 6669 (v1.0) or 1020 (v1.2) by default, and the port cannot be changed. It requires the msvbvm60.dll and mswinsck.ocx files to run. If this backdoor is running, a registry value named "WindowsBootFile" with the data c:\windows\system\Winboot.exe can be found under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.

With the Vampire backdoor, a remote attacker can do the following:

- Hide/show the taskbar
- Chat with the victim
- Take a screenshot
- Send a message
- Enable/disable ALT+CTRL+DEL
- Open/close the CD-ROM tray
- Get system information (hard drive, server path, OS, system owner, disk serial number, ...)
- File management (delete/make directory, find/delete/corrupt file, ...)
- Close server
- Kill window
- Registry kill
- Format drive
- Shutdown/reboot
- Log on/off
- Open web page
- Run program
- Set computer name/volume label
- Close windows
- Monitor off/on

* Platforms Affected: Microsoft Windows, any version
* References:
  - http://www.iss.net/security_center/reference/vuln/Vampire_TCP_Response.htm
  - http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FVampire&ThreatID=24889

Recommendation

Remove it from your computer:

1. Remove the "WindowsBootFile" value located in the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, using regedit or any other registry editing program.
2. Reboot the computer or close Winboot.exe.
3. Delete the trojan file Winboot.exe in the Windows directory.

-- OR --

Remove it from your computer by using a vaccine program (anti-virus program).
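A read-only check for the indicators this entry describes (the "WindowsBootFile" Run value and a listener on the fixed default ports), as an added example that is not part of the original entry. It assumes a local Windows host with PowerShell 3 or later and the NetTCPIP module (Get-NetTCPConnection); it checks both hives because the description names HKLM and the recommendation names HKCU.

```powershell
# Added example: hunt for Backdoor Vampire indicators on the local host.
# Checks both Run keys the entry mentions for a "WindowsBootFile" value and
# looks for a TCP listener on the fixed default ports 6669 (v1.0) / 1020 (v1.2).
# Read-only: it reports findings and removes nothing.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # from the description
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # from the recommendation
)
$valueName    = 'WindowsBootFile'
$defaultPorts = @(6669, 1020)
$findings     = @()

foreach ($key in $runKeys) {
    $entry = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $entry) {
        $path   = $entry.$valueName        # e.g. c:\windows\system\Winboot.exe
        $onDisk = $false
        if ($path) { $onDisk = Test-Path -LiteralPath $path }
        $findings += [pscustomobject]@{
            Indicator = "Run value $valueName"
            Location  = $key
            Detail    = $path
            OnDisk    = $onDisk
        }
    }
}

# A listener on these ports is only a lead; the owning process decides.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $defaultPorts -contains $_.LocalPort }
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $procName = 'unknown'
    if ($proc) { $procName = $proc.ProcessName }
    $findings += [pscustomobject]@{
        Indicator = "TCP listener on port $($conn.LocalPort)"
        Location  = "PID $($conn.OwningProcess)"
        Detail    = $procName
        OnDisk    = $null
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Vampire indicators found (Run value or default-port listener).'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM hive and other users' processes are readable; a listener on port 1020 or 6669 belonging to an unrelated service is a false positive, which is why the owning process name is printed alongside it.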