VID 24052
Severity 40
Port 2589,1386
Protocol TCP
Class BackDoor
Detailed Description Backdoor Dagger is detected.
Dagger is a trojan horse program created in 2000 and written in Visual C++. It has been distributed as versions 1.3.1(b) and 1.4.0. The backdoor consists of Client.exe (the attacker's client program) and Server.exe (the server program installed on the victim). Depending on the version it listens on TCP port 1386 (1.3.1b) or 2589 (1.4.0) by default; the port is fixed and cannot be changed. Version 1.4.0 changed both the registry persistence entry and the port number compared with the previous version. If Dagger 1.4.0 is running, you can find a value named "SysManager" whose data is C:\WINDOWS\System\Manager.exe under the keys 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'. If the previous version (1.3.1b) is running, you can find a value named "WinVirusScan" whose data is C:\WINDOWS\System\VScan.exe under the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'.

With the Dagger backdoor, a remote attacker can do the following on the infected machine:

- Chat with the user of the infected (server) machine
- Disable/Enable the desktop
- File management (download, delete, run files, ...)
- Get system information (user name, Windows product key, processor type, screen resolution, ...)
- Hide/Show the task bar
- Send a message to the user
- Shutdown/Reboot the system
- View/Close processes
- Close/Remove the server program

* Platforms Affected:
Microsoft Windows, any version

* References:
http://www.iss.net/security_center/static/6238.php
http://www.megasecurity.org/trojans/d/dagger/Dagger_all.html
http://www.tlsecurity.net/backdoor/Dagger.1.4.html
Recommendation Remove it from your computer:

For version 1.3.1b:
1. Remove the "WinVirusScan" value from the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the location given in the description above; also check the same path under HKEY_CURRENT_USER) by using regedit or any other registry editing program.
2. Reboot the computer or terminate the VScan.exe process.
3. Delete the trojan file VScan.exe from the Windows system directory.
4. Confirm that nothing is listening on TCP port 1386 any more.

For version 1.4.0:
1. Remove the "SysManager" value from the keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices (the locations given in the description above; also check the same paths under HKEY_CURRENT_USER) by using regedit or any other registry editing program.
2. Reboot the computer or terminate the Manager.exe process.
3. Delete the trojan file Manager.exe from the Windows system directory.
4. Confirm that nothing is listening on TCP port 2589 any more.
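The following PowerShell script is an added example, not part of the original advisory and not a tool from the Dagger author or any vendor. It walks the removal steps for both versions in one pass: it looks for the "WinVirusScan" and "SysManager" autostart values under Run and RunServices in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, for a running VScan.exe or Manager.exe process, for the server file in the Windows system directory, and for a listener on the fixed default port (1386 or 2589). By default it only reports; with -Remove it deletes the registry values, stops the process and removes the file. Assumptions: the value names, file names and ports are exactly as stated in this advisory; the system directory is checked under both $env:SystemRoot\System (the path the advisory gives) and $env:SystemRoot\System32; Get-NetTCPConnection requires Windows 8 / Server 2012 or later and is skipped silently where unavailable.

```powershell
# Added example (not from the original advisory): detect and optionally remove
# the Dagger 1.3.1b / 1.4.0 persistence artifacts described above.
# Run from an elevated PowerShell prompt (HKLM changes need administrator rights).
param([switch]$Remove)

# Indicators taken from the advisory: autostart value name, server executable, fixed default port.
$indicators = @(
    @{ Version = '1.3.1b'; ValueName = 'WinVirusScan'; Exe = 'VScan.exe';   Port = 1386 },
    @{ Version = '1.4.0';  ValueName = 'SysManager';   Exe = 'Manager.exe'; Port = 2589 }
)

# Both hives are checked because the advisory cites HKLM in its description
# and HKCU in its removal steps.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunServices') {
        "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
    }
}

# Assumption: the advisory's "windows system directory" may be either of these on a modern host.
$systemDirs = @("$env:SystemRoot\System", "$env:SystemRoot\System32")

$found = $false
foreach ($ind in $indicators) {
    # Step 1: autostart value under Run / RunServices.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $ind.ValueName)) {
            $found = $true
            Write-Warning ("Dagger {0} autostart: {1}\{2} = {3}" -f $ind.Version, $key, $ind.ValueName, $props.($ind.ValueName))
            if ($Remove) { Remove-ItemProperty -Path $key -Name $ind.ValueName }
        }
    }

    # Step 2: running server process (stop it before the file can be deleted).
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($ind.Exe)
    foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
        $found = $true
        Write-Warning ("Dagger {0} process running: {1} (PID {2})" -f $ind.Version, $p.ProcessName, $p.Id)
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }

    # Step 3: server executable in the system directory.
    foreach ($dir in $systemDirs) {
        $path = Join-Path $dir $ind.Exe
        if (Test-Path -LiteralPath $path) {
            $found = $true
            Write-Warning ("Dagger {0} file present: {1}" -f $ind.Version, $path)
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }

    # Step 4: listener on the version's fixed default port. The port cannot be changed,
    # so a listener here is a strong indicator; the owning process name is reported.
    $listeners = Get-NetTCPConnection -LocalPort $ind.Port -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $found = $true
        $owner = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Warning ("TCP {0} listening (Dagger {1} default port), owning process: {2}" -f $ind.Port, $ind.Version, $owner)
    }
}

if (-not $found) {
    Write-Output 'No Dagger indicators found.'
} elseif (-not $Remove) {
    Write-Output 'Indicators found; re-run with -Remove to clean them up, then reboot and run again to verify.'
}
```

Run it once without -Remove to see what it finds, then with -Remove; after the reboot the advisory calls for, run it a third time to confirm the registry values, files and the port-1386/2589 listener are all gone.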

-- OR --

Remove it from your computer by using a vaccine program (anti-virus program).