Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 18 December 2005 00:35:53 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Dasher-C is a worm for the Windows platform.
W32/Dasher-C spreads by exploiting several vulnerabilities, including the following:
- WINS vulnerability (MS04-045)
- Windows PnP vulnerability (MS05-039)
- MSDTC vulnerability (MS05-051)
- MSSQL Authentication vulnerability (MS02-056)
W32/Dasher-C will attempt to disable auto starting of Windows Update.
When run, the worm creates the following files:
- <System>\wins\SqlExp.exe (Troj/Winser-C)
- <System>\wins\SqlExp1.exe (Troj/ExpBdoor-A)
- <System>\wins\SqlExp2.exe (W32/Dasher-B)
- <System>\wins\SqlExp3.exe (Troj/SqlHello-A)
- <System>\wins\SqlScan.exe
- <System>\wins\Sqltob.exe

SqlScan.exe is a port scanner, used to search networks for open ports.
Sqltob.exe is detected as W32/Dasher-C.
Before attempting to spread, W32/Dasher-C terminates the following processes:
- Sqltob.exe
- SqlScan.exe
- SqlExp.exe
- SqlExp1.exe
- SqlExp2.exe
- SqlExp3.exe
- PFW.exe
- Rfw.exe
- rfwsrv.exe
- RfwMain.exe
- kvfw.exe
- KAVPFW.exe
- KAVPFW.EXE
- KPfwSvc.EXE
- KPFWSvc.EXE
- Zonealarm.exe
- Iparmor.exe
- system.exe
- adam.exe
- EGhost.exe
- Blackd.exe
- Blackice.exe
W32/Dasher-C searches a set of pre-defined networks for open ports and attempts to exploit any vulnerable computers it finds. The exploit opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions.
W32/Dasher-C will attempt to disable Windows Update by removing the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\Currentversion\Run\Windows Update

W32/Dasher-C will also attempt to disable the "DTC" service and SMB by setting the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\MSDTC
Start = 4

HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\
SMBDeviceEnabled = 0
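
The files, process names and registry values listed above can be checked on a host with a short triage script. The PowerShell below is an added example, not part of the original Sophos description; it assumes `<System>` is the Windows system directory, and its variable and function names are illustrative.

```powershell
# Added example (not Sophos code): local triage for the W32/Dasher-C artifacts listed above.
# Assumption: <System> is the Windows system directory, e.g. C:\Windows\System32.
$names    = 'SqlExp','SqlExp1','SqlExp2','SqlExp3','SqlScan','Sqltob'
$winsDir  = Join-Path ([Environment]::SystemDirectory) 'wins'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Strength, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Strength = $Strength; Detail = $Detail })
}

# Dropped files in <System>\wins\ are strong indicators; record a hash for later analysis.
foreach ($n in $names) {
    $path = Join-Path $winsDir "$n.exe"
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        Add-Finding 'Strong' "File present: $path (SHA256 $hash)"
    }
}

# Running processes with the dropped names; strong only if the image lives in <System>\wins\.
foreach ($p in Get-Process -Name $names -ErrorAction SilentlyContinue) {
    $strength = if ($p.Path -like "$winsDir\*") { 'Strong' } else { 'Weak' }
    Add-Finding $strength "Process running: $($p.ProcessName) (PID $($p.Id), path '$($p.Path)')"
}

# Registry values the worm sets. Weak on their own: administrators also disable
# MSDTC (Start = 4) or direct-hosted SMB (SMBDeviceEnabled = 0) on purpose.
$regChecks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSDTC'; Name = 'Start'; Data = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Name = 'SMBDeviceEnabled'; Data = 0 }
)
foreach ($c in $regChecks) {
    $name = $c.Name
    $item = Get-ItemProperty -LiteralPath $c.Key -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$name -eq $c.Data) {
        Add-Finding 'Weak' "Registry: $($c.Key)\$name = $($c.Data)"
    }
}

$findings | Format-Table -AutoSize -Wrap
if ($findings.Strength -contains 'Strong') { 'Strong indicators found: follow the worm removal instructions.' }
elseif ($findings.Count) { 'Only weak indicators: confirm they are intended configuration.' }
else { 'No W32/Dasher-C artifacts from this list found.' }
```

The removed `Run\Windows Update` value is not checked because its absence alone does not distinguish an affected host from a clean one.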
