Mi biblioteca
Mi biblioteca

+ Añadir a la biblioteca

Soporte
Soporte 24 horas | Normas de contactar

Sus solicitudes

Perfil

Win32.HLLW.Dabber

(ADSPY/Mirar.G.1, Net-Worm.Win32.Dabber.c, Backdoor:Win32/Sdbot, PAK_Generic.001, Worm/Generic.JP, Email-Worm.Win32.Svoy.a, WORM_DABBER.C, Worm/Svoy.C, Generic.dx, W32/Svoy.worm.gen, Win32/Malagent, Worm/Generic.JO, I-Worm/Svoy.C, WORM_DABBER.A, Worm/Daper.A, Generic.SBB, I-Worm/Svoy.A, Win32/Dabber.C, Worm/Dabber.A, Net-Worm.Win32.Dabber.a, Worm.Rubank.B, Worm.Win32.Dabber.a, Worm.Dabber.A, WORM_DAPER.A, Win32.Worm.Dabber.A, Win32.Svoy.A@mm)

Added to the Dr.Web virus database: 2004-05-14

Virus description added:

Description

Win32.HLLW.Dabber is a n internet-worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. The worm is written in Microsoft Visual C++ and is packed with UPX.
The packed size of the worm is 29, 696 bytes.

The worm propagates in the computers previously infected with Sasser .
When in a system, the worm opens port 9898 which results in a system’s compromising.
It deletes many values created in the system registry by other malicious programs.

Launching

To secure its automatic execution at every Windows startup the worm modifies the registry value
HKEY_LOCAL_MACHINE\\\\\\\\\\\\\\\\SOFTWARE\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\CurrentVersion\\\\\\\\\\\\\\\\Run\\\\\\\\\\\\\\\\
sassfix = %SysDir%\\\\\\\\\\\\\\\\package.exe

Spreading

In search of computers infected with Sasser the worm scans subnetworks on port TCP\\\\\\\\\\\\\\\\5554. To penetrate already infected systems the worm exploits a vulnerability of FTP server of the Sasser worm.

Action

Being activated, the worm drops its copy package.exe to the System folder (in Windows 9x/ME it’s C:\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\System, in Windows NT/2000 it’s C:\\\\\\\\\\\\\\\\WINNT\\\\\\\\\\\\\\\\System32, in Windows XP it’s C:\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\System32) and at С:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\Documents and Settings\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\All Users\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\Start Menu\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\Programs\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\Startup.

To avoid repeated infections with its copies the worm creates a mutex called sas4dab.

Having infected a system, the worm opens port 9898. This opened backdoor leads to system’s compromizing and allows a remote attacker to perform actions unauthorized by its legitimate user.

When in a system, the worm deletes values created in the system registry by other malicious programs.

  • It deletes the values
    avserve 
    avserve2.exe 
    avvserrve32 
    BagleAV 
    drvddll.exe 
    Drvddll.exe 
    Drvddll_exe 
    drvsys 
    drvsys.exe 
    Generic Host Service 
    Gremlin 
    lsasss 
    lsasss.exe 
    MapiDrv 
    Microsoft Update 
    navapsrc.exe 
    skynetave.exe 
    SkynetRevenge 
    soundcontrl 
    ssgrate 
    ssgrate.exe 
    System Updater Service 
    Taskmon 
    TempCom 
    Video 
    Video Process 
    Window 
    windows 
    Windows Drive Compatibility 
    WinMsrv32 
    
    from the system registry
    HKEY_CURRENT_USER\\\\\\\\\\\\\\\\.DEFAULT\\\\\\\\\\\\\\\\Software\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\CurrentVersion\\\\\\\\\\\\\\\\Run
    HKEY_LOCAL_MACHINE\\\\\\\\\\\\\\\\Software\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\CurrentVersion\\\\\\\\\\\\\\\\RunServices
    HKEY_CURRENT_USER\\\\\\\\\\\\\\\\Software\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\CurrentVersion\\\\\\\\\\\\\\\\Run
    HKEY_LOCAL_MACHINE\\\\\\\\\\\\\\\\Software\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\CurrentVersion\\\\\\\\\\\\\\\\Run