Worm:W32/Dabber

Classification

Category :

Malware

Type :

Worm

Aliases :

Worm:W32/Dabber.A, Dabber.A, Worm.Win32.Dabber.a

Summary

Worm:W32/Dabber.A only affects systems that have previously been infected by Worm:W32/Sasser, as it spreads through a vulnerability in the Sasser worm's FTP server. Once installed, Dabber removes registry values installed by other malware and installs its own backdoor.

Removal

Manual disinfection of Dabber consists of the following steps:

  • Remove the following registry value:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"sassfix" = "%SystemDir%\package.exe"
  • Restart the computer
  • Delete the file 'package.exe' from the System directory and from all Startup directories

Note

Computers infected by the Dabber worm must also be disinfected of the Sasser worm as well. For disinfection details and a removal tool, please see the Worm:W32/Sasser description.


Technical Details

Worm:W32/Dabber was written in the Visual C++ programming language, and spreads in a UPX + Pe_Patch compressed form. The unpacked size of the worm is around 70 KiB. Once active on the infected machine, Dabber opens 9898/TCP and installs a general purpose backdoor that can be used to download and execute arbitrary programs.

In addition, in an attempt to disable various other viruses, Dabber removes a large number of registry values.

System Infection

When Dabber enters the system, it creates a copy of itself in the Windows System Directory, using the file name 'package.exe'. This copy is added to the Registry as

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"sassfix" = "%SystemDir%\package.exe"

Two additional copies are placed in the common user Startup Directories, also under the name 'package.exe'.

Network Propagation

Dabber spreads by exploiting a vulnerability in the FTP server of Sasser.

The worm scans random hosts for open 5554/TCP ports, where the Sasser FTP server also listens. If the port is open, Dabber attacks the host with an exploit that opens a shell on the host on 8967/TCP.

Using the shell, Dabber forces the victim machine to download the worm body from the attacker host using TFTP. Dabber has its own TFTP server to serve the victims. Summary of TCP ports used by the worm:

  • 5554/TCP: Sasser's FTP server on the infected machines
  • 8967/TCP: Temporary shell opened by the exploit on the vulnerable hosts
  • 9898/TCP: Backdoor port opened by Dabber
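The port sequence above (5554/TCP probe, 8967/TCP shell, TFTP pull back to the attacking host, 9898/TCP backdoor) is distinctive enough to hunt for in perimeter or flow logs. The following detector is an added example and not part of the F-Secure description; the flow-record format, the sample records and the scan threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (assumed format: "time src dst proto dport").
# 10.0.0.5 probes four hosts on 5554/TCP, gets a shell on 10.0.1.4 via 8967/TCP,
# and 10.0.1.4 then pulls the worm body back from 10.0.0.5 over TFTP (69/UDP).
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.1.1 tcp 5554
10:00:01 10.0.0.5 10.0.1.2 tcp 5554
10:00:02 10.0.0.5 10.0.1.3 tcp 5554
10:00:02 10.0.0.5 10.0.1.4 tcp 5554
10:00:03 10.0.0.5 10.0.1.4 tcp 8967
10:00:04 10.0.1.4 10.0.0.5 udp 69
10:00:09 10.0.0.9 10.0.1.4 tcp 9898
10:00:10 10.0.0.7 10.0.2.2 tcp 443
"""

SCAN_PORT, SHELL_PORT, BACKDOOR_PORT, TFTP_PORT = 5554, 8967, 9898, 69
SCAN_THRESHOLD = 3  # distinct 5554/TCP targets before a host is called a scanner (assumed)


def parse_flows(text):
    """Parse one flow per line into (time, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or blank lines
        ts, src, dst, proto, dport = parts
        flows.append((ts, src, dst, proto.lower(), int(dport)))
    return flows


def analyze(text):
    """Return (scanning hosts, list of findings) for the Dabber propagation chain."""
    scan_targets = defaultdict(set)  # src -> set of hosts probed on 5554/TCP
    shell_sessions = set()           # (attacker, victim) pairs seen on 8967/TCP
    findings = []
    for ts, src, dst, proto, dport in parse_flows(text):
        if proto == "tcp" and dport == SCAN_PORT:
            scan_targets[src].add(dst)
        elif proto == "tcp" and dport == SHELL_PORT:
            shell_sessions.add((src, dst))
            findings.append(f"{ts} {src} -> {dst}:8967 shell opened by Sasser FTP exploit")
        elif proto == "udp" and dport == TFTP_PORT and (dst, src) in shell_sessions:
            # Victim fetching from the host that just shelled it: the worm body download.
            findings.append(f"{ts} {src} pulls worm body from {dst} via TFTP")
        elif proto == "tcp" and dport == BACKDOOR_PORT:
            findings.append(f"{ts} {src} -> {dst}:9898 Dabber backdoor access")
    scanners = sorted(h for h, targets in scan_targets.items() if len(targets) >= SCAN_THRESHOLD)
    return scanners, findings
```

Run `analyze(SAMPLE_LOG)` to see 10.0.0.5 reported as the scanner and the shell, TFTP pull and backdoor connection listed in order; real flow exports will need the parser adapted to their field layout.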