Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 26 December 2005 02:25:58 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Dasher-D is a worm for the Windows platform.
W32/Dasher-D spreads by exploiting the MSDTC (MS05-051) vulnerability.
When W32/Dasher-D is installed the following files are created:
<Program Files>\eiafasrk.dl1
<Program Files>\eiafasrk.dll
<Program Files>\eiafasrk.sys
<System>\wins\SqlExp.exe
<System>\wins\SqlExp1.exe
<System>\wins\SqlExp2.exe
<System>\wins\SqlExp3.exe
<System>\wins\SqlScan.exe
<System>\wins\Sqltob.exe
The file SqlExp3.exe is detected as Troj/SqlHello-A and the file eiafasrk.sys is detected as Troj/RKPort-Fam.
The main "parent" component is Sqltob.exe, which uses the other components to perform various aspects of the worm's functionality.
SqlScan.exe is a port scanner, used to search networks for open ports.
SqlExp.exe is the component containing the code that attempts to exploit the MS05-051 vulnerability. However, this is based on proof-of-concept code that appears to have a relatively poor success rate.
Before attempting to spread, W32/Dasher-D terminates the following processes:
Blackice.exe
Blackd.exe
EGhost.exe
adam.exe
system.exe
Iparmor.exe
Zonealarm.exe
KPFWSvc.EXE
KPfwSvc.EXE
KAVPFW.EXE
KAVPFW.exe
kvfw.exe
RfwMain.exe
rfwsrv.exe
Rfw.exe
PFW.exe
SqlExp3.exe
SqlExp2.exe
SqlExp1.exe
SqlExp.exe
SqlScan.exe
Sqltob.exe
W32/Dasher-D sets the following registry entries, disabling the automatic startup of other software:
| Registry key | Value name | Data |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services\MSDTC | Start | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters | SMBDeviceEnabled | 0 |
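The artifacts listed above (dropped files, registry changes and component processes) can be audited on a suspect host with the following read-only PowerShell script. It is an added example, not Sophos's own tool or removal procedure; it assumes <Program Files> maps to $env:ProgramFiles and <System> to the System32 directory, and it reports findings without removing anything.

```powershell
# Added example (not part of the Sophos analysis): read-only audit for the
# W32/Dasher-D artifacts listed above. Reports findings only; removes nothing.
# Assumption: <Program Files> = $env:ProgramFiles, <System> = System32.
$programFiles = $env:ProgramFiles
$systemDir    = Join-Path $env:SystemRoot 'System32'

# Files the analysis says the worm creates.
$droppedFiles = @(
    (Join-Path $programFiles 'eiafasrk.dl1'),
    (Join-Path $programFiles 'eiafasrk.dll'),
    (Join-Path $programFiles 'eiafasrk.sys'),
    (Join-Path $systemDir 'wins\SqlExp.exe'),
    (Join-Path $systemDir 'wins\SqlExp1.exe'),
    (Join-Path $systemDir 'wins\SqlExp2.exe'),
    (Join-Path $systemDir 'wins\SqlExp3.exe'),
    (Join-Path $systemDir 'wins\SqlScan.exe'),
    (Join-Path $systemDir 'wins\Sqltob.exe')
)

# Registry values the worm writes. Start=4 is SERVICE_DISABLED for MSDTC;
# SMBDeviceEnabled=0 turns off SMB over TCP/IP (general Windows facts, not from the page).
$registryChanges = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSDTC';           Name = 'Start';            Data = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Name = 'SMBDeviceEnabled'; Data = 0 }
)

# Worm components that may still be running (Get-Process names carry no extension).
$wormProcesses = 'SqlExp', 'SqlExp1', 'SqlExp2', 'SqlExp3', 'SqlScan', 'Sqltob'
$findings = @()

foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

foreach ($change in $registryChanges) {
    $item = Get-ItemProperty -Path $change.Key -Name $change.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($change.Name) -eq $change.Data) {
        $findings += "Registry matches worm setting: $($change.Key)\$($change.Name) = $($change.Data)"
    }
}

foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($wormProcesses -contains $proc.ProcessName) {
        $findings += "Running process: $($proc.ProcessName) (PID $($proc.Id))"
    }
}

if ($findings.Count -eq 0) { 'No W32/Dasher-D indicators found.' } else { $findings }
```

A registry match on its own is weak evidence, since both settings are also applied as legitimate hardening, so treat the file and process hits as the primary indicators. Because the worm also drops a driver file (eiafasrk.sys), a clean result from a user-mode script on a live system is not conclusive; confirm with an offline scan.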