Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 10 August 2004 14:45:29 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sasserfix = <SYSTEM>\package.exe
and delete the 'sasserfix' value if it exists. Delete only this value, not the Run key itself: legitimate programs are started from the same key.
Close the registry editor.
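The manual steps above can be scripted. The following is an added example, not a Sophos tool and not code from this page, that checks a host for the artifacts this page attributes to W32/Dabber-C and, when run with -Remove, cleans them up. It assumes PowerShell 2.0 or later running as an administrator, derives the system and All Users Startup folder paths from the environment rather than hard-coding the example path given under More Information, and also restarts the two services the worm stops with net.exe (see More Information).

```powershell
# Added example: triage and optional removal of W32/Dabber-C artifacts.
# Not a Sophos tool. Assumes PowerShell 2.0+ running elevated; paths are
# taken from the environment rather than hard-coded.
param([switch]$Remove)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'sasserfix'
$system    = [Environment]::GetFolderPath('System')         # e.g. C:\WINDOWS\system32
$startup   = [Environment]::GetFolderPath('CommonStartup')  # All Users Start Menu\Programs\Startup
$dropped   = @((Join-Path $system 'package.exe'), (Join-Path $startup 'package.exe'))
$findings  = @()

# 1. Autostart value the worm writes (delete only the value, never the Run key itself)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $findings += "Run value '$valueName' = $($run.$valueName)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valueName }
}

# 2. Running copy and dropped files (the process must be stopped before the file can go)
$proc = Get-Process -Name 'package' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process package.exe running (PID $($proc.Id -join ','))"
    if ($Remove) { $proc | Stop-Process -Force }
}
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# 3. Backdoor listener on TCP 9898. netstat output is parsed instead of using
#    Get-NetTCPConnection so this also works on XP/2003 hosts.
$listeners = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:9898\s+\S+\s+LISTENING\s+(\d+)'
foreach ($l in $listeners) {
    $owner = $l.Matches[0].Groups[1].Value
    $findings += "TCP 9898 listening, owned by PID $owner"
    if ($Remove) { Stop-Process -Id ([int]$owner) -Force -ErrorAction SilentlyContinue }
}

# 4. Services the worm stops with net.exe (Security Center, firewall/ICS)
foreach ($svc in 'wscsvc', 'SharedAccess') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings += "Service $svc is $($s.Status)"
        if ($Remove) { Start-Service -Name $svc -ErrorAction SilentlyContinue }
    }
}

if ($findings.Count -eq 0) { 'No W32/Dabber-C indicators found.' } else { $findings }
```

Run it once without -Remove to see what it reports before changing anything. It makes no attempt to restore the Sasser, Netsky and Bagle autostart entries the worm deletes, since those belong to other malware; a host that was reachable by W32/Dabber-C through the Sasser FTP port should still be patched and checked for Sasser itself.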
More Information
W32/Dabber-C is a worm with backdoor Trojan capabilities.
W32/Dabber-C searches for computers to infect by generating random IP addresses and attempts to spread through a number of vulnerabilities, including the ones left behind by the W32/Sasser worms.
Computers infected by the W32/Sasser worms are particularly exposed: Sasser runs an FTP server on TCP port 5554, and W32/Dabber-C copies itself to such computers by exploiting a flaw in Sasser's implementation of the FTP protocol.
W32/Dabber-C may also copy itself to network machines through the IPC$ share.
The worm also attempts to spread through the RPC/DCOM and LSASS vulnerabilities. It sends shellcode to a vulnerable machine; the shellcode downloads the worm from the already infected computer (which serves the file from the TFTP server described below) and then runs it on the targeted machine.
When first run, W32/Dabber-C will copy itself as package.exe to the Windows system folder and to the Startup folder of the Start Menu. For example:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe
In order to run each time Windows is started, W32/Dabber-C will set the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sasserfix = <SYSTEM>\package.exe
W32/Dabber-C will then attempt to delete registry entries relating to the W32/Sasser worms in the following registry branches:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CLSID\(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32\
The worm will then delete autostart registry entries typically associated with other worms such as Sasser, Netsky and Bagle.
These deleted registry entries are located in the following branches:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
and will have one of the following names:
Gremlin
Taskmon
Video
avserve
avvserrve32
avserve2.exe
lsasss.exe
lsasss
ssgrate.exe
ssgrate
drvsys.exe
drvsys
Drvddll.exe
Drvddll_exe
Microsoft Update
windows
Windows Drive Compatibility
Generic Host Service
skynetave.exe
navapsrc.exe
drvddll.exe
WinMsrv32
soundcontrl
System Updater Service
BagleAV
MapiDrv
SkynetRevenge
TempCom
Video Process
Window
W32/Dabber-C then starts a TFTP server on the infected computer and opens a backdoor on TCP port 9898. The already infected computer that launched the exploit connects to this port on the targeted machine to check whether the exploit succeeded. The same backdoor also gives a remote intruder access to the infected computer.
W32/Dabber-C attempts to disable Windows Security Center (wscsvc) and the Internet Connection Firewall/Internet Connection Sharing service (SharedAccess) on the infected machine by running the legitimate Windows program net.exe:
net.exe stop wscsvc
net.exe stop SharedAccess
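The propagation and backdoor behaviour described above also has a network-side signature: one host contacting many different machines on TCP 5554 (the Sasser FTP server), 135 (RPC/DCOM) and 445 (the LSASS exploit and the IPC$ share), followed by a connection to TCP 9898 on a host it has just hit. The following PowerShell script is an added example, not Sophos code, that looks for that pattern in firewall log lines. The log format, the sample lines, the IP addresses and the threshold of five distinct targets are all constructed for the example; it assumes PowerShell 3.0 or later on the analyst's machine.

```powershell
# Added example: spot W32/Dabber-C style propagation in firewall logs.
# Not Sophos code. Log format and sample lines are constructed; assumes PowerShell 3.0+.
$propagationPorts = 5554, 135, 445   # Sasser FTP server, RPC/DCOM, LSASS / IPC$
$backdoorPort     = 9898
$sweepThreshold   = 5                # distinct targets from one source before we call it a sweep

# Constructed sample log: 10.0.0.7 sweeps the subnet on 5554/445/135 and then
# checks the backdoor on a host it hit; 10.0.0.20 is an ordinary file-share client.
$sample = @'
10:01:02 10.0.0.7:1043 -> 10.0.0.9:5554 TCP allow
10:01:02 10.0.0.7:1044 -> 10.0.0.10:5554 TCP deny
10:01:03 10.0.0.7:1045 -> 10.0.0.11:5554 TCP allow
10:01:03 10.0.0.7:1046 -> 10.0.0.12:445 TCP allow
10:01:04 10.0.0.7:1047 -> 10.0.0.13:5554 TCP deny
10:01:04 10.0.0.7:1048 -> 10.0.0.14:135 TCP allow
10:01:05 10.0.0.7:1049 -> 10.0.0.15:5554 TCP deny
10:01:09 10.0.0.7:1050 -> 10.0.0.12:9898 TCP allow
10:01:10 10.0.0.20:2048 -> 10.0.0.5:445 TCP allow
10:01:11 10.0.0.20:2049 -> 10.0.0.5:445 TCP allow
'@

# Assumed format: "<time> <src>:<sport> -> <dst>:<dport> <proto> <action>"
$pattern = '^(?<time>\S+)\s+(?<src>[\d.]+):(?<sport>\d+)\s+->\s+(?<dst>[\d.]+):(?<dport>\d+)\s+(?<proto>\S+)\s+(?<action>\S+)$'

$events = foreach ($line in ($sample -split "`r?`n")) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Src   = $Matches.src
            Dst   = $Matches.dst
            Port  = [int]$Matches.dport
            Proto = $Matches.proto
        }
    }
}

# Sweep: one source touching many distinct hosts on the propagation ports.
# Denied attempts count as well; a random-IP scanner produces mostly failures.
$sweeps = $events |
    Where-Object { $_.Proto -eq 'TCP' -and $propagationPorts -contains $_.Port } |
    Group-Object -Property Src |
    ForEach-Object {
        $targets = @($_.Group.Dst | Sort-Object -Unique)
        if ($targets.Count -ge $sweepThreshold) {
            [pscustomobject]@{
                Src     = $_.Name
                Targets = $targets.Count
                Ports   = ($_.Group.Port | Sort-Object -Unique) -join ','
            }
        }
    }
$sweepers = @($sweeps | ForEach-Object { $_.Src })

# Any connection to 9898 deserves a look on its own; one coming from a
# sweeping source is the attacker verifying that its exploit landed.
$backdoor = $events | Where-Object { $_.Port -eq $backdoorPort } | ForEach-Object {
    [pscustomobject]@{
        Src         = $_.Src
        Dst         = $_.Dst
        FromSweeper = ($sweepers -contains $_.Src)
    }
}

'Sources sweeping W32/Dabber-C propagation ports:'
$sweeps | Format-Table -AutoSize
'Connections to the TCP 9898 backdoor:'
$backdoor | Format-Table -AutoSize
```

With the sample above, 10.0.0.7 is reported as a sweeper (seven distinct targets on ports 135, 445 and 5554) and its connection to 10.0.0.12:9898 is flagged as coming from a sweeping source, while 10.0.0.20, which only talks to one file server, is not reported. On a real network the threshold should be tuned against normal SMB traffic to the domain controllers and file servers, and the 9898 rule should be paired with a host check on the destination for the package.exe and 'sasserfix' artifacts described above.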
