Chupacabra backdoor for Windows (Chupacabra_Request)

About this signature or vulnerability

Proventia Server IPS for Linux technology, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Sentry, RealSecure Guard, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for Vmware:

This signature detects a request on port 13473/TCP to a "Chupacabra" backdoor. This indicates an attacker's attempt to control or access a system on your network. There is a high probability that a system on your network is running this backdoor.

This signature replaces Chupacabra.

Default risk level

High

Sensors that have this signature

Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop: baseline, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, Proventia Desktop: 8.0.614.1, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network MFS: 1.0, BlackICE PC Protection: 3.6.cbd, BlackICE Server Protection: 3.6.cbd, BlackICE Agent for Server: 3.6, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, RealSecure Network: 7.0, RealSecure Desktop Protector: 3.6, RealSecure Server Sensor: 7.0, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98SE

Type

Unauthorized Access Attempt

Vulnerability description

The Chupacabra backdoor is one of many backdoor programs for Windows 95 and Windows 98 that attackers can use to access your computer system without your knowledge or consent. With the Chupacabra backdoor, an attacker can do the following:

How to remove this vulnerability

To remove the Chupacabra backdoor from your computer:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Restart the computer in MS-DOS mode.
  2. Delete the file C:\Windows\System\winprot.exe.
  3. Restart the computer to Windows. Error messages will appear as the system attempts to execute the deleted winprot.exe binary.
  4. In Windows, open C:\WINDOWS\WIN.INI and remove all instances of winprot.exe. These will most likely be found under the "[windows]" section on lines beginning with load= and run=.
  5. Using Regedit, find each of the following registry keys, and then find and delete the registry entry named System Protect that has a value of winprot.exe:
    • HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
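The WIN.INI and registry checks in steps 4 and 5 can be scripted as a read-only audit before anything is deleted. The following is an added example, not ISS code: it scans the text of a WIN.INI file and of a Regedit export (.reg) for the winprot.exe indicator under the exact sections and keys named above. The sample inputs are constructed, not captured from a real host.

```python
import re

INDICATOR = "winprot.exe"
# Registry keys from the removal steps (HKLM written out in full, as a .reg export does).
RUN_KEYS = {k.lower() for k in (
    r"HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)}

def scan_win_ini(text):
    """Return (key, value) for load=/run= lines in [windows] that reference winprot.exe."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("load", "run") and INDICATOR in value.lower():
                hits.append((key, value))
    return hits

def scan_reg_export(text):
    """Return (key, value_name) for entries under the Run keys whose data names winprot.exe."""
    hits, key = [], None
    entry = re.compile(r'^"([^"]*)"="(.*)"$')   # "Name"="data" lines of a .reg export
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\")
            continue
        m = entry.match(line)
        if m and key and key.lower() in RUN_KEYS and INDICATOR in m.group(2).lower():
            hits.append((key, m.group(1)))
    return hits

# Constructed sample input (not captured from a real host).
SAMPLE_WIN_INI = "[windows]\nload=c:\\windows\\system\\winprot.exe\nrun=\n[fonts]\n"
SAMPLE_REG = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"System Protect"="winprot.exe"\n'
    '"SystemTray"="SysTray.Exe"\n'
)

if __name__ == "__main__":
    print(scan_win_ini(SAMPLE_WIN_INI))
    print(scan_reg_export(SAMPLE_REG))
```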

References

ISS X-Force
Chupacabra backdoor for Windows
http://www.iss.net/security_center/static/5304.php

CVE
CVE-1999-0660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0660