F-Secure Virus Descriptions : Dabber




NAME: Dabber
ALIAS: Dabber.A, Worm.Win32.Dabber.a
SIZE: 29696

Summary

Dabber is a network worm that spreads through a vulnerability in the FTP server of the Sasser worm. This worm only affects systems that had been previously infected by Sasser.

Dabber removes registry values installed by various other viruses and installs its own backdoor instead.

Disinfection

Manual disinfection of Dabber consists of the following steps:

- Remove the registry value:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "sassfix" = "%SystemDir%\package.exe"

- Restart the computer.

- Delete the file 'package.exe' from the System directory and from all Startup directories.

Computers infected with Dabber must be disinfected from Sasser as well. More details and the removal tool are available at

http://www.f-secure.com/v-descs/sasser.shtml



Detailed Description

Sasser was written in Visual C++ and spreads in a UPX + Pe_Patch compressed form. The unpacked size of the worm is around 70 KiB.

System Infection

When the worm enters the system, it creates a copy of itself in the Windows System directory as 'package.exe'. This copy is added to the Registry so that it runs at startup:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "sassfix" = "%SystemDir%\package.exe"

Two additional copies are placed in the common user Startup directories as 'package.exe'.

In an attempt to disable various other viruses, Dabber removes a large number of registry values.

Network Propagation

Dabber exploits a vulnerability in the FTP server of Sasser. The worm scans random hosts for an open 5554/TCP port, where the Sasser FTP server listens. If the port is open, Dabber attacks the host with an exploit that opens a shell on the host on 8967/TCP. Through the shell, the worm makes the victim download the worm body from the attacking host using TFTP. Dabber runs its own TFTP server to serve the victims.

Backdoor

As its payload, Dabber opens 9898/TCP and installs a general-purpose backdoor that can be used to download and execute arbitrary programs.

Summary of TCP ports used by the worm:

- 5554/TCP: Sasser's FTP server on the victims
- 8967/TCP: Temporary shell opened by the exploit on the vulnerable hosts
- 9898/TCP: Backdoor port opened by Dabber
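As an added defender-side example (not part of the F-Secure description), the following Python correlates the port sequence described above over constructed connection records: repeated probing of 5554/TCP, a connection to the 8967/TCP exploit shell, the victim's TFTP fetch back to the attacking host, and inbound contact with the 9898/TCP backdoor. The record format, addresses and the scan threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of connection records (not from the page):
# time src dst dport proto
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.21 5554 tcp
10:00:01 10.0.0.5 10.0.0.22 5554 tcp
10:00:02 10.0.0.5 10.0.0.23 5554 tcp
10:00:02 10.0.0.5 10.0.0.24 5554 tcp
10:00:03 10.0.0.5 10.0.0.23 8967 tcp
10:00:04 10.0.0.23 10.0.0.5 69 udp
10:00:09 10.0.0.9 10.0.0.23 9898 tcp
10:01:00 10.0.0.7 10.0.0.30 443 tcp
"""

SASSER_FTP = 5554     # Sasser FTP server that Dabber probes
EXPLOIT_SHELL = 8967  # shell opened on the victim by the exploit
TFTP = 69             # victim pulls the worm body from the attacker over TFTP
BACKDOOR = 9898       # backdoor port opened by Dabber on infected hosts

def parse_records(text):
    """Split whitespace-separated records into (time, src, dst, dport, proto)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            records.append((ts, src, dst, int(dport), proto))
    return records

def dabber_indicators(records, scan_threshold=3):
    """Map host -> list of Dabber-related observations (assumed threshold)."""
    findings = defaultdict(list)
    scanned = defaultdict(set)  # src -> hosts probed on 5554/tcp
    shells = set()              # (attacker, victim) pairs seen on 8967/tcp
    for ts, src, dst, dport, proto in records:
        if proto == "tcp" and dport == SASSER_FTP:
            scanned[src].add(dst)
        elif proto == "tcp" and dport == EXPLOIT_SHELL:
            shells.add((src, dst))
            findings[src].append(f"{ts} connected to exploit shell {EXPLOIT_SHELL}/tcp on {dst}")
        elif proto == "udp" and dport == TFTP and (dst, src) in shells:
            # TFTP fetch from the same host that just opened the shell: likely infection
            findings[dst].append(f"{ts} served worm body via TFTP to {src}")
            findings[src].append(f"{ts} fetched payload via TFTP from {dst}; host likely infected")
        elif proto == "tcp" and dport == BACKDOOR:
            findings[dst].append(f"{ts} inbound connection to backdoor {BACKDOOR}/tcp from {src}")
    for src, hosts in scanned.items():
        if len(hosts) >= scan_threshold:
            findings[src].append(f"probed {len(hosts)} hosts on {SASSER_FTP}/tcp (Sasser FTP scan)")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in dabber_indicators(parse_records(SAMPLE_LOG)).items():
        print(host, *notes, sep="\n  ")
```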

Detection

Detection in F-Secure Anti-Virus was published on May 14th, 2004 in update:

 [FSAV_Database_Version]
 Version=2004-05-14_01



Technical Details: Gergely Erdelyi, May 14th, 2004

F-Secure Corporation