HTTP W32 Dasher Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to update W32.Dasher, which could result in further spread of this worm.

Additional Information

When W32.Dasher.A is executed, it performs the following actions:

1. Creates the following files:

* %Windir%\Temp\SqlExp.exe, which is a malicious component of the worm.
* %Windir%\Temp\Sqlrep.exe, which is a utility called "Replace Commander".
* %Windir%\Temp\SqlScan.exe, which is a port scan utility.
* %Windir%\Temp\Sqltob.exe, which is the main component of the worm.

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

2. Runs the following file:

%Windir%\Temp\Sqltob.exe

3. Adds the value:

"Windows Update" = "%Windir%\Temp\Sqltob.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

4. Creates the following files that are used in exploiting the remote vulnerability:

* %Windir%\Temp\SqlScan.bat
* %Windir%\Temp\log.txt
* %Windir%\Temp\Temp.txt
* %Windir%\Temp\Result.txt

5. Uses SqlScan.bat to call SqlScan.exe to scan for systems that are vulnerable to the Microsoft Windows Distributed Transaction Coordinator Remote Vulnerability (as described in Microsoft Security Bulletin MS05-051) on TCP port 1025.

6. Generates an IP address scan range of the form %IP1%.%IP2%.1.1 to %IP1%.%IP2%.255.254, where %IP1% and %IP2% are randomly chosen from 58, 59, 60, 61, 62, 80, 81, 82, 83, 84, 85, 130, 133, 140, 160, 162, 163, 165, 168, 193, 194, 195, 200, 202, 203, 210, 211, 213, 217, 218, 219, 220, 221, and 222.

7. If it finds a vulnerable system, the worm sends its shell code to that system. The shell code instructs the system to connect to the address 222.240.219.143 and wait for commands.
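The scan-range and callback behaviour in steps 5 to 7 gives a defender two things to look for in perimeter logs: one internal host probing TCP port 1025 on many addresses whose first two octets both come from the list above, and any connection to 222.240.219.143. The Python below is an added example, not Symantec's signature logic or any code from the worm. It assumes a simplified log format of `<timestamp> <src>:<sport> -> <dst>:<dport> <TCP|UDP>`; the sample lines, the five-target reporting threshold and the port 4444 on the callback line are all constructed for the example (the page does not state a callback port, so any TCP connection to that address is reported).

```python
import re
from collections import defaultdict

# First and second octets the page lists as the pool for %IP1% and %IP2%.
DASHER_OCTETS = {
    58, 59, 60, 61, 62, 80, 81, 82, 83, 84, 85, 130, 133, 140, 160, 162, 163,
    165, 168, 193, 194, 195, 200, 202, 203, 210, 211, 213, 217, 218, 219, 220,
    221, 222,
}
CALLBACK_HOST = "222.240.219.143"  # address the shell code connects to (from the page)
SCAN_PORT = 1025                   # MSDTC port probed for MS05-051

# Assumed log format for this example: "<timestamp> <src>:<sport> -> <dst>:<dport> <TCP|UDP>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_dasher_range(ip):
    """True if ip lies in %IP1%.%IP2%.1.1 .. %IP1%.%IP2%.255.254 with both octets from the pool."""
    try:
        a, b, c, d = (int(x) for x in ip.split("."))
    except ValueError:
        return False
    return a in DASHER_OCTETS and b in DASHER_OCTETS and 1 <= c <= 255 and 1 <= d <= 254


def analyse(lines, scan_threshold=5):
    """Summarise sources that look like Dasher scanners or callback clients.

    scan_threshold (an assumption) is the number of distinct in-range hosts a
    source must probe on TCP/1025 before it is reported; a single hit is noise.
    """
    targets = defaultdict(set)
    callbacks = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as evidence
        if rec["proto"] != "TCP":
            continue
        if rec["dst"] == CALLBACK_HOST:
            callbacks.add(rec["src"])  # the page gives no port, so any TCP connection counts
        if rec["dport"] == SCAN_PORT and in_dasher_range(rec["dst"]):
            targets[rec["src"]].add(rec["dst"])
    scanners = {src: len(t) for src, t in targets.items() if len(t) >= scan_threshold}
    return {"scan_sources": scanners, "callback_sources": sorted(callbacks)}


# Constructed sample log: 10.0.0.5 sweeps six in-range hosts on TCP/1025,
# 10.0.0.9 touches one in-range host (below threshold) plus normal traffic,
# 10.0.0.7 connects to the callback address (port 4444 is an arbitrary choice).
SAMPLE_LOG = [
    "2005-12-15T10:00:01 10.0.0.5:3001 -> 58.59.1.1:1025 TCP",
    "2005-12-15T10:00:01 10.0.0.5:3002 -> 58.59.1.2:1025 TCP",
    "2005-12-15T10:00:02 10.0.0.5:3003 -> 58.59.1.3:1025 TCP",
    "2005-12-15T10:00:02 10.0.0.5:3004 -> 58.59.2.10:1025 TCP",
    "2005-12-15T10:00:03 10.0.0.5:3005 -> 58.59.2.11:1025 TCP",
    "2005-12-15T10:00:03 10.0.0.5:3006 -> 58.59.3.200:1025 TCP",
    "2005-12-15T10:00:04 10.0.0.9:4500 -> 93.184.216.34:443 TCP",
    "2005-12-15T10:00:04 10.0.0.9:53112 -> 8.8.8.8:53 UDP",
    "2005-12-15T10:00:05 10.0.0.9:4501 -> 80.81.5.5:1025 TCP",
    "2005-12-15T10:00:06 10.0.0.7:3099 -> 222.240.219.143:4444 TCP",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Running the block reports 10.0.0.5 as a scan source with six in-range targets and 10.0.0.7 as a callback source; 10.0.0.9 is not reported because a single in-range hit on port 1025 is ordinary traffic. The per-source distinct-target count is what separates a sweep from a legitimate MSDTC connection, so tune the threshold to your own baseline rather than keeping the sample value.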

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Delete any values added to the registry.
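For step 4, the value to look for is the one named in the Additional Information section: "Windows Update" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, pointing at %Windir%\Temp\Sqltob.exe. The Python below is an added example, not Symantec's tooling: it parses the subset of the .reg text format that a `reg export` of the Run key produces (key headers and quoted string values), reports any Run value whose data ends in Temp\Sqltob.exe or whose name is "Windows Update" with Sqltob in its data, and lists which of the file artefacts named on this page exist under %Windir%. The sample export text is constructed, and its "Updater" entry is a made-up benign value included to show that it is not matched.

```python
import os

# Registry persistence value from the page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows Update"
RUN_VALUE_SUFFIX = r"\temp\sqltob.exe"  # compared case-insensitively

# Files the page lists under %Windir%.
DASHER_FILES = [
    r"Temp\SqlExp.exe", r"Temp\Sqlrep.exe", r"Temp\SqlScan.exe", r"Temp\Sqltob.exe",
    r"Temp\SqlScan.bat", r"Temp\log.txt", r"Temp\Temp.txt", r"Temp\Result.txt",
]


def _unescape(s):
    r"""Undo .reg escaping of backslashes and double quotes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Parse the subset of the .reg format this check needs.

    Handles [key] headers and "name"=value lines; quoted string data is
    unescaped, other data (dword:, hex:) is kept as raw text. Value names
    containing '=' are not supported (the split is on the first '=').
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue  # file header
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip()
        if name.startswith('"') and name.endswith('"'):
            name = name[1:-1]
        data = data.strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_dasher_run_values(keys):
    """Return (name, data) pairs under the Run key that match the worm's persistence value."""
    run = {}
    for key, values in keys.items():
        if key.lower() == RUN_KEY.lower():
            run = values
    hits = []
    for name, data in run.items():
        data_l = data.lower()
        if data_l.endswith(RUN_VALUE_SUFFIX) or (name == RUN_VALUE_NAME and "sqltob" in data_l):
            hits.append((name, data))
    return hits


def check_files(windir=None):
    """Return the artefact paths from the page that exist under windir (default %Windir%)."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    paths = [os.path.join(windir, rel) for rel in DASHER_FILES]
    return [p for p in paths if os.path.exists(p)]


# Constructed export of the Run key in the form `reg export` writes it
# (the "Updater" entry is a made-up benign value).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\Updater.exe\""
"Windows Update"="C:\\WINDOWS\\Temp\\Sqltob.exe"
'''

if __name__ == "__main__":
    for name, data in find_dasher_run_values(parse_reg_export(SAMPLE_REG)):
        print(f'Suspicious Run value: "{name}" = {data}')
    print("Artefacts present:", check_files())
```

To run this against a real host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and read the file with `encoding="utf-16"`, since `reg export` writes Unicode text. Matching on the data suffix rather than only the value name means a renamed value that still launches Sqltob.exe is also reported.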
