Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | February 2006 (4.02) |
| Protection available since | 15 December 2005 23:12:20 (GMT) |
| Last updated | 6 January 2006 11:35:44 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Dasher-B is a worm for the Windows platform.
W32/Dasher-B spreads by exploiting the MSDTC (MS05-051) vulnerability.
When run, the worm creates the following files:
<Windows system folder>\wins\sqlexp.exe
<Windows system folder>\wins\sqlscan.exe
<Windows system folder>\wins\svchost.exe
Sqlscan.exe is a port scanner, used to search networks for open ports.
Sqlexp.exe and svchost.exe are detected as W32/Dasher-B.
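The dropped files listed above can be checked for on a host. The following is an added example, not Sophos code: it looks in the `wins` subfolder of a given system folder for the three file names, matching case-insensitively. The function names and the use of `%SystemRoot%\System32` as the system folder are assumptions of the example.

```python
import os

# File names the advisory lists inside the "wins" subfolder of the system folder
DROPPED_NAMES = {"sqlexp.exe", "sqlscan.exe", "svchost.exe"}
DROP_SUBDIR = "wins"


def _find_child(parent, name):
    """Return the path of a child entry matching name case-insensitively, or None."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:
        # Folder missing or unreadable: nothing to report
        return None
    return None


def find_dasher_artifacts(system_dir):
    """List files in <system_dir>/wins whose names match the advisory's dropped files."""
    wins_dir = _find_child(system_dir, DROP_SUBDIR)
    if wins_dir is None or not os.path.isdir(wins_dir):
        return []
    hits = []
    for entry in sorted(os.listdir(wins_dir)):
        full = os.path.join(wins_dir, entry)
        # Only regular files count; a svchost.exe directly in system_dir is ignored
        if entry.lower() in DROPPED_NAMES and os.path.isfile(full):
            hits.append(full)
    return hits


def default_system_dir():
    # Assumption: on a live Windows host the system folder is %SystemRoot%\System32
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")


if __name__ == "__main__":
    for path in find_dasher_artifacts(default_system_dir()):
        print("possible W32/Dasher-B file:", path)
```

A match on file name alone is a lead for an anti-virus scan of that file, not a confirmed detection.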
Before attempting to spread, W32/Dasher-B terminates the following processes:
adam.exe
Blackd.exe
Blackice.exe
EGhost.exe
Iparmor.exe
KAVPFW.exe
KAVPFW.EXE
KPfwSvc.EXE
KPFWSvc.EXE
kvfw.exe
Rfw.exe
RfwMain.exe
rfwsrv.exe
SqlExp.exe
SqlScan.exe
Sqltob.exe
system.exe
Zonealarm.exe
W32/Dasher-B searches a set of pre-defined networks for open ports and attempts to exploit any vulnerable computers it finds. The exploit opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions.
At the time of writing, the instructions supplied by the remote server cause the exploited computer to download and execute two further programs.
A patch for the operating system vulnerability exploited by W32/Dasher-B is available from Microsoft:
MS05-051
