W32/Dansh-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence:


W32/Dansh-A is a network worm and IRC backdoor Trojan. When executed it copies itself
to the Windows System32 folder as DESKTOP.EXE and attempts to spread to remote
network shares. The backdoor component runs in the background as a service process and allows a remote user unauthorised access to the infected computer over IRC channels.

The following registry entry is set so that the worm is run automatically
at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
desktop = C:\<Windows System32>\desktop.exe

W32/Dansh-A spreads to network shares protected by weak passwords when
the backdoor Trojan component receives the appropriate command from a remote user.

This worm can also download and apply the patch for the vulnerability documented in Microsoft Security Bulletin MS04-011 on Windows
2000 and Windows XP. The downloaded file may be
saved in the Windows System32 folder as KB835732.EXE, and the following values may be deleted from the Run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
avserve2.exe
avserve.exe
skynetave.exe
lsasss.exe
napatch.exe
Generic Host Service

The deleted values are the Run entries used by W32/Sasser variants: in effect the worm
patches systems that are still vulnerable to the W32/Sasser worms and removes that worm's persistence.

W32/Dansh-A may also create the following registry entries. The lanmanserver values stop Windows from creating the default administrative shares (C$, ADMIN$ and so on) at boot; the W3SVC values disable WebDAV handling in IIS and cap the request buffer, which are the registry workarounds Microsoft documented for the IIS WebDAV buffer overrun (MS03-007). Together with the MS04-011 patching above, the worm is closing the network entry points other worms use once it has installed itself:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Uninstall\Version\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Uninstall\Version\

HKLM\SYSTEM\ControlSet001\Services\W3SVC\Parameters\
DisableWebDAV = 1
MaxClientRequestBuffer = 4000

HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters\
AutoShareServer = 0
AutoShareWks = 0

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\
DisableWebDAV = 1
MaxClientRequestBuffer = 4000

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\
AutoShareServer = 0
AutoShareWks = 0
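The persistence entry, the removed Sasser Run values and the hardening entries listed above can all be checked from an offline registry export. The following script is an added example, not Sophos's own tool: it parses the subset of `.reg` syntax that `reg export HKLM hklm.reg` produces (key headers, string values, dword values) and reports the indicators from this analysis. The embedded export is constructed for the example and deliberately carries both a Dansh-A entry and a leftover Sasser entry so every check fires; the `desktop.exe` path check and the function names are assumptions, not part of the original description.

```python
"""Hunt for W32/Dansh-A registry indicators in a Windows .reg export (added example).

Assumed workflow: on the suspect host run  reg export HKLM hklm.reg  and pass
the file to scan_reg_export(). KB835732.EXE in System32 is a file indicator,
so it must be checked on disk separately.
"""
import re
import sys

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Run values that the worm deletes; if still present the host still carries
# W32/Sasser persistence rather than (or as well as) Dansh-A.
SASSER_RUN_VALUES = {"avserve2.exe", "avserve.exe", "skynetave.exe",
                     "lsasss.exe", "napatch.exe", "generic host service"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode(data: str):
    """Decode the string and dword forms of a .reg value; other types stay raw."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])   # .reg escapes \ and " with \
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text: str) -> dict:
    """Return {key path lower-cased: {value name lower-cased: decoded data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1).replace('\\"', '"')
            current[name.lower()] = _decode(m.group(2))
    return keys


def _svc_key(control_set: str, service: str) -> str:
    return "\\".join(["hkey_local_machine", "system", control_set,
                      "services", service, "parameters"]).lower()


def scan_reg_export(text: str) -> list:
    """Return one finding string per indicator present in the export."""
    reg = parse_reg(text)
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        # Dansh-A installs itself as <System32>\desktop.exe under the value "desktop"
        if name == "desktop" and isinstance(data, str) \
                and data.lower().endswith(r"\system32\desktop.exe"):
            findings.append(f"Dansh-A persistence: Run\\{name} = {data}")
        if name in SASSER_RUN_VALUES:
            findings.append(f"Sasser persistence still present: Run\\{name} = {data}")
    for cs in ("ControlSet001", "CurrentControlSet"):
        lanman = reg.get(_svc_key(cs, "lanmanserver"), {})
        if lanman.get("autoshareserver") == 0 or lanman.get("autosharewks") == 0:
            findings.append(f"{cs}: default admin shares disabled "
                            "(AutoShareServer/AutoShareWks = 0)")
        w3svc = reg.get(_svc_key(cs, "w3svc"), {})
        if w3svc.get("disablewebdav") == 1:
            findings.append(f"{cs}: WebDAV disabled (DisableWebDAV = 1, "
                            f"MaxClientRequestBuffer = {w3svc.get('maxclientrequestbuffer')})")
    return findings


# Constructed sample export; not data from a real infection.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"desktop"="C:\\WINDOWS\\system32\\desktop.exe"
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001
"MaxClientRequestBuffer"=dword:00000fa0
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg.exe writes UTF-16 with a BOM; the utf-16 codec consumes it.
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    for finding in scan_reg_export(text) or ["no W32/Dansh-A indicators found"]:
        print(finding)
```

Run it without arguments to see the four findings from the constructed sample, or point it at a real `reg export HKLM` file. A clean host produces no findings, and a host where only the lanmanserver or W3SVC values fire may simply have been hardened by an administrator, so treat those two checks as supporting evidence and the Run value as the primary indicator.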
