W32/Dabber-A is a backdoor Trojan and network worm. It scans randomly generated IP addresses for computers that are already infected with the W32/Sasser worm(s). Such computers run an FTP server as a background process, listening on TCP Port 5554.
W32/Dabber-A will upload itself to these infected computers by exploiting a flaw in W32/Sasser's implementation of the FTP protocol, and propagates itself in this way.
This worm will copy itself into the Windows System (or System32) folder as PACKAGE.EXE and into the Startup menu under the same filename, for example:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe
The worm will bind a command shell to TCP Port 8967 and connect to the infected computer's TCP Port 5554. It will then issue a command that transfers the worm from the local computer to the infected computer using the worm's own TFTP engine.
W32/Dabber-A will then be executed on the newly infected computer. The worm will copy itself into the Windows System (or System32) folder and the Startup folder, create a mutex called 'sas4dab', and create one or more of the following registry entries so that it runs automatically when the system restarts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sassfix = C:\<Windows System32>\package.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
sassfix = C:\<Windows System32>\package.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
sassfix = C:\<Windows System32>\package.exe
W32/Dabber-A will then delete registry entries associated with the W32/Sasser worm(s) on the infected computer from the following registry branches:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CLSID\(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
The entries deleted are one or more of the following:
Window
Video Process
TempCom
SkynetRevenge
MapiDrv
BagleAV
System Updater Service
soundcontrl
WinMsrv32
drvddll.exe
navapsrc.exe
skynetave.exe
Generic Host Service
Windows Drive Compatibility
windows
Microsoft Update
Drvddll.exe
Drvddll_exe
drvsys
drvsys.exe
ssgrate
ssgrate.exe
lsasss
lsasss.exe
avserve2.exe
avvserrve32
avserve
Taskmon
Gremlin
W32/Dabber-A will then set up a TFTP server on the infected computer and open TCP Port 9898. The local (attacking) computer will then attempt to connect to the target computer's TCP Port 9898 to check whether the exploit was successful.