W32/Dasher-D

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Dasher-D is a worm for the Windows platform.

W32/Dasher-D spreads by exploiting the MSDTC (MS05-051) vulnerability.

When W32/Dasher-D is installed, the following files are created:

<Program Files>\eiafasrk.dl1
<Program Files>\eiafasrk.dll
<Program Files>\eiafasrk.sys
<System>\wins\SqlExp.exe
<System>\wins\SqlExp1.exe
<System>\wins\SqlExp2.exe
<System>\wins\SqlExp3.exe
<System>\wins\SqlScan.exe
<System>\wins\Sqltob.exe

The file SqlExp3.exe is detected as Troj/SqlHello-A and the file eiafasrk.sys is detected as Troj/RKPort-Fam.

The main "parent" component is Sqltob.exe, which uses the other components to perform various aspects of the worm's functionality.

SqlScan.exe is a port scanner used to search networks for open ports.

SqlExp.exe is the component that contains the code which attempts to exploit the MS05-051 vulnerability. However, this is based on proof-of-concept code that appears to have a relatively poor success rate.

Before attempting to spread, W32/Dasher-D terminates the following processes:

Blackice.exe
Blackd.exe
EGhost.exe
adam.exe
system.exe
Iparmor.exe
Zonealarm.exe
KPFWSvc.EXE
KPfwSvc.EXE
KAVPFW.EXE
KAVPFW.exe
kvfw.exe
RfwMain.exe
rfwsrv.exe
Rfw.exe
PFW.exe
SqlExp3.exe
SqlExp2.exe
SqlExp1.exe
SqlExp.exe
SqlScan.exe
Sqltob.exe

W32/Dasher-D sets the following registry entries (key, value name and data), disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\MSDTC
    Start = 4

HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    SMBDeviceEnabled = 0
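The file, process and registry indicators listed in this analysis, gathered into a single host check. This is an added example, not Sophos' own tooling; it assumes the <Program Files> and <System> placeholders map to $env:ProgramFiles and the Windows system directory, and that the process names match the dropped file names without their .exe extension.

```powershell
# Added host check for the W32/Dasher-D indicators described above.
# Assumption: <Program Files> = $env:ProgramFiles, <System> = system32.
$findings = @()

# 1. Dropped files.
$programFiles = $env:ProgramFiles
$systemDir    = [Environment]::SystemDirectory
$files = @(
    "$programFiles\eiafasrk.dl1",
    "$programFiles\eiafasrk.dll",
    "$programFiles\eiafasrk.sys",
    "$systemDir\wins\SqlExp.exe",
    "$systemDir\wins\SqlExp1.exe",
    "$systemDir\wins\SqlExp2.exe",
    "$systemDir\wins\SqlExp3.exe",
    "$systemDir\wins\SqlScan.exe",
    "$systemDir\wins\Sqltob.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Registry changes. Start = 4 means the MSDTC service is disabled;
#    SMBDeviceEnabled = 0 switches off SMB over TCP/IP (port 445).
#    Both can be legitimate admin settings, so treat them as
#    corroborating evidence rather than proof on their own.
$regChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSDTC';            Name = 'Start';            Bad = 4 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Name = 'SMBDeviceEnabled'; Bad = 0 }
)
foreach ($c in $regChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($c.Name) -eq $c.Bad) {
        $findings += "Registry: $($c.Path)\$($c.Name) = $($c.Bad)"
    }
}

# 3. Running worm components (process names are file names without .exe).
$procNames = 'Sqltob', 'SqlScan', 'SqlExp', 'SqlExp1', 'SqlExp2', 'SqlExp3'
foreach ($p in (Get-Process -Name $procNames -ErrorAction SilentlyContinue)) {
    $findings += "Process running: $($p.ProcessName) (PID $($p.Id))"
}

if ($findings.Count -eq 0) { 'No W32/Dasher-D indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM values and all process objects are readable; a file hit under <System>\wins together with a running Sqltob process is the strongest signal here.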
