Rule:

--
Sid:
3063

--
Summary:
This event is generated when an attempt is made to request a connection using the Vampire 1.2 trojan.

--
Impact:
If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine.

--
Detailed Information:
Vampire 1.2 uses port 1020 by default. This port cannot be changed by the attacker.

The following is a list of the commands for many of Vampire 1.2's functions (Command Name: Command String):

Chat With Victim: chat
Clear Recent Folder: cleardoc
Close Windows: endwin
Corrupt File: currfile
Crazy Mouse: crazy
Delete Directory: deletedir
Delete File: delete
Disk Space Left: space
Disable CTRL-ALT-DEL: ctrldisable
Enable CTRL-ALT-DEL: ctrlenable
Fill Hard Drive: fillhd
Find File: findfiles
Format: format
Get Active Windows: getact
Get ICQ Number: geticq
Get Local Time: gettime
Get Operating System: getos
Get Server Path: getpath
Get System Owner: getowner
Get Temp Directory: gettemp
Get Windows Directory: getwin
Get Current User: getname
Get Disk Serial Number: getserial
Get Hard Drive: gethd
Get Organization: getorg
Hang Up Modem: hangup
ISP Account Info: ispinfo
Kill Window: killtask
Logoff: logoff
Make Directory: makedir
Monitor Off: monitoroff
Monitor On: monitoron
Hide Mouse: hidemouse
Show Mouse: showmouse
Open Control Panel: panel
Open Date And Time: date
Open CD-ROM: cdopen
Close CD-ROM: cdclose
Open URL: www
Ping: ping
Read A Drive: reada
Reboot: reboot
Kill Registry: regfuck
Run Program: run
Screenshot: screenshot
Send Keys: text
Send Message: sndmsg
Set Computer Name: pcname
Set Volume Label: setvolumelabel
Shutdown: shutdown
Hide Task Bar: hidetask
Show Task Bar: showtask
Wacky CD-ROM: wackycd

--
Affected Systems:
Windows 95/98/ME

--
Attack Scenarios:
The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise. Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and presses the connect button, and he has access to your computer.

--
Ease of Attack:
Easy. Simply a matter of pressing the connect button once the victim has installed the server.

--
False Positives:
None known

--
False Negatives:
None known

--
Corrective Action:
In order to get rid of it, you must kill the following processes:
vampire.exe or (if not there) server.exe

You must delete the following files from your hard drive:
vampire.exe or (if not there) server.exe

Keep your anti-virus software updated.

--
Contributors:
Original Rule Writer: Ricky Macatee <rmacatee@sourcefire.com>
Sourcefire Research Team

--
Additional References:
Pestpatrol:
http://www.pestpatrol.com/pestinfo/v/vampire_1_2.asp

Dark-E:
http://www.dark-e.com/archive/trojans/vampire/index.shtml

--
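The Detailed Information section above gives the two facts a detector can hang on: the fixed server port (1020) and the table of command strings the client sends. The following is an added example, not the Snort rule itself and not code from Sourcefire or the Vampire authors: a small Python classifier that walks constructed TCP payload samples and flags the ones that look like Vampire 1.2 client commands on port 1020. It assumes that each command arrives as the first whitespace-delimited token of a payload (the page lists the command strings but not the wire framing), and the "high"/"medium" severity split is the example's own, not part of the rule documentation.

```python
"""Added example (not part of the Snort rule documentation): match TCP
payloads on the Vampire 1.2 port against the command table from the rule's
Detailed Information section. Sample packets below are constructed."""

from dataclasses import dataclass

# Fixed per the rule text: Vampire 1.2 listens on 1020 and the port cannot be changed.
VAMPIRE_PORT = 1020

# Command string -> function name, transcribed from the rule documentation.
VAMPIRE_COMMANDS = {
    "chat": "Chat With Victim", "cleardoc": "Clear Recent Folder",
    "endwin": "Close Windows", "currfile": "Corrupt File", "crazy": "Crazy Mouse",
    "deletedir": "Delete Directory", "delete": "Delete File", "space": "Disk Space Left",
    "ctrldisable": "Disable CTRL-ALT-DEL", "ctrlenable": "Enable CTRL-ALT-DEL",
    "fillhd": "Fill Hard Drive", "findfiles": "Find File", "format": "Format",
    "getact": "Get Active Windows", "geticq": "Get ICQ Number", "gettime": "Get Local Time",
    "getos": "Get Operating System", "getpath": "Get Server Path",
    "getowner": "Get System Owner", "gettemp": "Get Temp Directory",
    "getwin": "Get Windows Directory", "getname": "Get Current User",
    "getserial": "Get Disk Serial Number", "gethd": "Get Hard Drive",
    "getorg": "Get Organization", "hangup": "Hang Up Modem", "ispinfo": "ISP Account Info",
    "killtask": "Kill Window", "logoff": "Logoff", "makedir": "Make Directory",
    "monitoroff": "Monitor Off", "monitoron": "Monitor On", "hidemouse": "Hide Mouse",
    "showmouse": "Show Mouse", "panel": "Open Control Panel", "date": "Open Date And Time",
    "cdopen": "Open CD-ROM", "cdclose": "Close CD-ROM", "www": "Open URL", "ping": "Ping",
    "reada": "Read A Drive", "reboot": "Reboot", "regfuck": "Kill Registry",
    "run": "Run Program", "screenshot": "Screenshot", "text": "Send Keys",
    "sndmsg": "Send Message", "pcname": "Set Computer Name",
    "setvolumelabel": "Set Volume Label", "shutdown": "Shutdown",
    "hidetask": "Hide Task Bar", "showtask": "Show Task Bar", "wackycd": "Wacky CD-ROM",
}

# Assumption of this example (not from the rule): commands that destroy data or
# knock the host over are rated higher than reconnaissance and pranks.
DESTRUCTIVE = {"currfile", "deletedir", "delete", "fillhd", "format",
               "regfuck", "reboot", "shutdown", "logoff"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def classify(pkt):
    """Return (command, function name, severity) when the packet looks like a
    Vampire 1.2 command sent to the trojan's port, otherwise None.

    Assumption: the command is the first whitespace-delimited token of the
    payload; anything after it (e.g. a path for 'delete') is treated as an argument."""
    if pkt.dport != VAMPIRE_PORT:
        return None
    text = pkt.payload.decode("ascii", errors="ignore").strip()
    if not text:
        return None
    cmd = text.split()[0].lower()
    if cmd not in VAMPIRE_COMMANDS:
        return None
    severity = "high" if cmd in DESTRUCTIVE else "medium"
    return cmd, VAMPIRE_COMMANDS[cmd], severity


def scan(packets):
    """Run classify() over a packet list and collect the hits with endpoints."""
    hits = []
    for pkt in packets:
        result = classify(pkt)
        if result is not None:
            hits.append((pkt.src, pkt.dst) + result)
    return hits


# Constructed sample traffic: three Vampire commands, one HTTP request on a
# different port, and an unrelated payload that happens to hit port 1020.
SAMPLES = [
    Packet("192.0.2.10", "192.0.2.20", 1020, b"getos\r\n"),
    Packet("192.0.2.10", "192.0.2.20", 1020, b"screenshot"),
    Packet("192.0.2.10", "192.0.2.20", 1020, b"format c:\r\n"),
    Packet("192.0.2.10", "192.0.2.20", 80, b"GET / HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.10", "192.0.2.20", 1020, b"HELO mail.example\r\n"),
]

if __name__ == "__main__":
    for src, dst, cmd, name, sev in scan(SAMPLES):
        print(f"{src} -> {dst}:{VAMPIRE_PORT} {cmd!r} ({name}) severity={sev}")
```

The last sample shows why the port alone is a weak signal: 1020 is a legitimate port number on other systems, so the payload match against the documented command strings is what makes an alert worth raising, and the destructive commands (format, regfuck, fillhd) are the ones to page on.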