Worm.Win32.Dabber. Viruses Information
Name: Worm.Win32.Dabber.
Category: Viruses
Description:
Details
Worm.Win32.Dabber.a
This worm spreads via the Internet using a vulnerability in the FTP component of Worm.Win32.Sasser.
The worm itself is a Windows PE EXE file, 29696 bytes in size, packed using UPX.
Installation
When installing, the worm copies itself to the Windows system directory under the name package.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Startup
%windir%\All Users\Main menu\Programs\StartUp
The worm registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"sassfix"="%System%\package.exe"
The worm searches the system registry for the following keys installed by Sasser and deletes them:
avserve2.exe
avvserrve32
avserve
skynetave.exe
It also searches for and deletes keys installed by other worms:
Video
Microsoft Update
Drvddll.exe
Drvddll_exe
drvsys
drvsys.exe
ssgrate
ssgrate.exe
lsasss
lsasss.exe
Taskmon
Gremlin
Window
Video Process
TempCom
SkynetRevenge
MapiDrv
BagleAV
System Updater Service
soundcontrl
WinMsrv32
drvddll.exe
navapsrc.exe
Generic Host Service
Windows Drive Compatibility
windows
The worm scans networks at random IP addresses, searching for victim machines which have the FTP component of Sasser installed on port 5554.
When the worm finds a suitable victim machine, it sends a vulnerability exploit to it to infect the system. It then launches the command shell on port 8967. It also installs a backdoor on port 9898 to receive external commands.
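A host triage check built from the indicators above (ports 5554, 8967 and 9898, the "sassfix" Run value and package.exe). This is an added example, not part of the original description: the function names are hypothetical, and the netstat and reg query text is constructed sample input in the format those Windows commands print.

```python
import re

# Indicators taken from the description above.
SASSER_FTP_PORT = 5554  # Sasser FTP component that Dabber targets
DABBER_PORTS = {8967: "command shell", 9898: "backdoor"}
RUN_VALUE, DROPPED_FILE = "sassfix", "package.exe"

# Constructed sample input, not captured from a real host.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9898           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:445           ESTABLISHED
"""
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    sassfix    REG_SZ    C:\\WINDOWS\\system32\\package.exe
    ctfmon     REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
"""

def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def run_values(reg_text):
    """Parse 'reg query' value lines into {lowercased name: data}."""
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values

def triage(netstat_text, reg_text):
    """Return findings that match the indicators listed on this page."""
    findings = []
    ports = listening_ports(netstat_text)
    if SASSER_FTP_PORT in ports:
        findings.append("5554 listening: Sasser FTP component (Dabber's target)")
    findings += [f"{p} listening: Dabber {role}"
                 for p, role in DABBER_PORTS.items() if p in ports]
    for name, data in run_values(reg_text).items():
        if name == RUN_VALUE or data.lower().endswith("\\" + DROPPED_FILE):
            findings.append(f"Run value {name!r} -> {data}")
    return findings
```

On a live host, pass the output of `netstat -an` and `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` to triage() in place of the samples.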