MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2005

MA-098.122005: MyCERT Special Alert - W32.Dasher Worm

Original Issue Date: 20th December 2005

Introduction

MyCERT has received information from various reliable sources regarding the circulation of a worm known as W32.Dasher and its A, B and C variants. Most anti-virus vendors rated the W32.Dasher worm as LOW in risk assessment and MEDIUM in potential damage. The W32.Dasher.A variant was first discovered on 16th December 2005 (UTC time).

The worm spreads by exploiting the Microsoft Windows vulnerabilities in MSDTC and COM+ (described in Microsoft Security Bulletin MS05-051) on TCP port 1025, TCP port 53 (W32.Dasher.B and W32.Dasher.C) and TCP port 21211 (W32.Dasher.B and W32.Dasher.C), after deploying itself on a vulnerable host.

Microsoft Security Bulletin MS05-051

http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

Based on the number of reports received, there is currently no strong evidence of widespread infection or scanning activity relating to the W32.Dasher worm and its variants in our constituency. MyCERT nevertheless advises users and organizations to patch vulnerable systems and to take the prevention actions provided below, both to protect against this worm and against future incidents that may target the same vulnerability.

System Affected

Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows Server 2003
Windows XP

Payload

  1. Degrades performance as it spreads by exploiting remote vulnerabilities.

  2. Opens a back door that allows a remote attacker unauthorized access to the compromised computer. (for W32.Dasher.B and W32.Dasher.C)

  3. Ends security-related processes. (for W32.Dasher.C)

  4. May lead to machine or system instability, because a backdoor has been installed on the infected machine. Once the backdoor is in place, the symptoms vary depending on the activities the attacker chooses to carry out on the infected machine. (for W32.Dasher.B and W32.Dasher.C)


Brief Description

Brief Technical Details of W32.Dasher.A (Quoted from Symantec)

When W32.Dasher.A is executed, it performs the following actions:

  1. Creates the following files:

    • %Windir%\Temp\SqlExp.exe, which is a malicious component of the worm.

    • %Windir%\Temp\Sqlrep.exe, which is a utility called "Replace Commander".

    • %Windir%\Temp\SqlScan.exe, which is a port scan utility.

    • %Windir%\Temp\Sqltob.exe, which is the main component of the worm.

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Runs the following file:

    %Windir%\Temp\Sqltob.exe

  3. Adds the value:

    "Windows Update" = "%windir%\Temp\Sqltob.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  4. Creates the following files that are used in exploiting the remote vulnerability:

    • %Windir%\Temp\SqlScan.bat

    • %Windir%\Temp\log.txt

    • %Windir%\Temp\Temp.txt

    • %Windir%\Temp\Result.txt

  5. Uses SqlScan.bat to call SqlScan.exe to scan for systems that are vulnerable to the Microsoft Windows Distributed Transaction Coordinator Remote Vulnerability (as described in Microsoft Security Bulletin MS05-051 - http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx) on TCP port 1025.

  6. Generates an IP address scan range in the format of %IP1%.%IP2%.1.1 to %IP1%.%IP2%.255.254, where %IP1% and %IP2% are randomly chosen from 58, 59, 60, 61, 62, 80, 81, 82, 83, 84, 85, 130, 133, 140, 160, 162, 163, 165, 168, 193, 194, 195, 200, 202, 203, 210, 211, 213, 217, 218, 219, 220, 221, and 222.

  7. If it finds a vulnerable system, the worm sends its shell code to that system. The shell code instructs the system to connect to the address 222.240.219.143 and waits for commands.

Brief Technical Details of W32.Dasher.B and W32.Dasher.C (Quoted from Symantec)

When W32.Dasher.B and W32.Dasher.C are executed, they perform the following actions:

  1. Creates files:

    • %System%\wins\SqlExp.exe

    • %System%\wins\SqlScan.exe (A port scan utility)

    • %System%\wins\svchost.exe

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Runs the following file:

    %System%\wins\svchost.exe

  3. Ends the following processes, some of which are security-related: [Only for W32.Dasher.C]

    • Blackice.exe

    • Blackd.exe

    • EGhost.exe

    • adam.esystem.exe

    • Iparmor.exe

    • Zonealarm.exe

    • KPFWSvc.EXE

    • KPfwSvc.EXE

    • KAVPFW.EXE

    • KAVPFW.exe

    • kvfw.exe

    • RfwMain.exe

    • rfwsrv.exe

    • Rfw.exe

    • PFW.exe

  4. Adds the value: [Only for W32.Dasher.C]

    "SMBDeviceEnabled" = "0"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

    in order to lower security settings on the compromised computer.

  5. Modifies the value: [Only for W32.Dasher.C]

    "Start" = "4"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC

    in order to lower security settings on the compromised computer.

  6. Deletes the value [Only for W32.Dasher.C]

    "Windows Update"

    from the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  7. Scans for computers that are vulnerable to the Microsoft Windows MSDTC Memory Corruption Vulnerability (as described in the Microsoft Security Bulletin MS05-051 - http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx) on TCP port 1025.

    The worm creates the following files that are used in exploiting this vulnerability:

    • %System%\wins\log.txt

    • %System%\wins\Result.txt

  8. Generates an IP address scan range from [IP1].[IP2].1.1 to [IP1].[IP2].255.254, where the variables [IP1] and [IP2] are randomly chosen from the following list: 58, 59, 60, 61, 62, 80, 81, 82, 83, 84, 85, 130, 133, 140, 159, 160, 162, 163, 165, 168, 192, 193, 194, 195, 200, 202, 203, 210, 211, 213, 217, 218, 219, 220, 221, and 222.

  9. Sends its shell code to any vulnerable computers it finds. This shell code instructs the newly compromised computer to connect to the following IP address on TCP port 53 and wait for commands:

    222.240.219.143

  10. Allows a remote attacker to perform the following actions:

    • Connect to an FTP server at the IP address 159.226.153.2, on TCP port 21211

    • Download and execute remote files

      Note:

    • At the time of writing, the remote files were unavailable for download.

    • The IP address the computer initially connects to on TCP port 53, 222.240.219.143, is hard-coded. However, the IP address of the FTP server, 159.226.153.2, can be modified.
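The scanning on TCP port 1025 and the connect-back on TCP port 53 described above can both be spotted from the network side. The following is an added example, not code from MyCERT or Symantec: it runs those two checks over constructed firewall log lines; the log format, the parse_line/analyse names and the 20-peer threshold are assumptions made for illustration.

```python
"""Network-side detection of the W32.Dasher behaviour described above.

Added example, not MyCERT's or Symantec's code.  Reads firewall log lines in a
constructed format ("<time> <src> <dst> tcp/<dport> <action>") and reports hosts
fanning out to many distinct peers on TCP/1025 (the MSDTC port the worm scans)
and any connection to the hard-coded control address on TCP/53 or to any host
on TCP/21211 (the B/C variants' FTP port).  Sample lines are constructed.
"""
from collections import defaultdict

CONTROL_ENDPOINT = ("222.240.219.143", 53)  # hard-coded in the worm's shell code
FTP_PORT = 21211                             # the FTP address can change, so match on port only
SCAN_PORT = 1025
SCAN_THRESHOLD = 20                          # distinct peers on TCP/1025 before we call it a sweep

def parse_line(line: str):
    """Return (src, dst, dport) for a TCP event, or None for anything else."""
    parts = line.split()
    if len(parts) < 5 or not parts[3].startswith("tcp/"):
        return None
    return parts[1], parts[2], int(parts[3][4:])

def analyse(lines) -> dict:
    """Return {'scanners': {src: distinct peer count}, 'beacons': [(src, dst, dport)]}."""
    peers_on_1025 = defaultdict(set)
    beacons = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst, dport = ev
        if dport == SCAN_PORT:
            peers_on_1025[src].add(dst)
        if (dst, dport) == CONTROL_ENDPOINT or dport == FTP_PORT:
            beacons.append(ev)
    scanners = {s: len(p) for s, p in peers_on_1025.items() if len(p) >= SCAN_THRESHOLD}
    return {"scanners": scanners, "beacons": beacons}

# Constructed sample: 10.0.0.5 sweeps a 58.x.y.z range on TCP/1025 and then phones home.
SAMPLE_LOG = [f"12:00:{i:02d} 10.0.0.5 58.12.1.{i + 1} tcp/1025 allow" for i in range(25)]
SAMPLE_LOG += [
    "12:01:00 10.0.0.5 222.240.219.143 tcp/53 allow",
    "12:01:05 10.0.0.7 10.0.0.1 tcp/1025 allow",    # one RPC call, not a sweep
    "12:01:09 10.0.0.7 203.0.113.9 udp/53 allow",   # ordinary DNS, ignored
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A real deployment would feed the analyser a sliding time window rather than a whole file, since the fan-out count is only meaningful per interval.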

How to Tell if your Computer is Infected

    1. Presence of the worm-related files in your system folder.

    2. Excessive network traffic over TCP port 1025.

    3. Dysfunction of your computer's security settings.

    4. An infected machine on which the backdoor has been installed may have unusual ports open, such as TCP port 53 and TCP port 21211. Check that every open port on your machine is a trusted and valid one.
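The file and registry indicators quoted earlier can be checked against a snapshot an administrator has already collected from a suspect machine. The following is an added example, not code from MyCERT or Symantec; the HostSnapshot type, the helper names and the sample data are assumptions constructed for illustration, and paths keep the %Windir% and %System% placeholders exactly as the advisory writes them.

```python
"""Host-side triage for the W32.Dasher artefacts listed in this advisory.

Added example, not MyCERT's or Symantec's code.  It evaluates a snapshot an
administrator has already collected from a suspect host (files present and
registry values), so it runs offline; HostSnapshot and the sample data are
constructed.  Paths keep the advisory's %Windir%/%System% placeholders.
"""
from dataclasses import dataclass, field

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NETBT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
MSDTC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC"

# Dropped-file indicators from the advisory, tagged with the variant(s) that create them.
FILE_IOCS = {
    r"%Windir%\Temp\Sqltob.exe": "A",
    r"%Windir%\Temp\SqlExp.exe": "A",
    r"%Windir%\Temp\SqlScan.exe": "A",
    r"%System%\wins\svchost.exe": "B/C",
    r"%System%\wins\SqlExp.exe": "B/C",
    r"%System%\wins\SqlScan.exe": "B/C",
}

@dataclass
class HostSnapshot:
    files: set = field(default_factory=set)       # paths present on disk
    registry: dict = field(default_factory=dict)  # (subkey, value name) -> data

def _norm(s) -> str:
    return str(s).strip().lower()                 # registry and NTFS paths are case-insensitive

def assess_host(snap: HostSnapshot) -> list:
    """Return (finding, variant tag) tuples; an empty list means nothing matched."""
    files = {_norm(p) for p in snap.files}
    reg = {(_norm(k), _norm(v)): _norm(d) for (k, v), d in snap.registry.items()}
    findings = []
    for path, variant in FILE_IOCS.items():
        if _norm(path) in files:
            findings.append((f"file present: {path}", variant))
    if reg.get((_norm(RUN_KEY), "windows update"), "").endswith(r"\temp\sqltob.exe"):
        findings.append(("Run value 'Windows Update' launches Sqltob.exe", "A"))
    if reg.get((_norm(NETBT_KEY), "smbdeviceenabled")) == "0":
        findings.append(("NetBT SMBDeviceEnabled = 0", "C"))
    if reg.get((_norm(MSDTC_KEY), "start")) == "4":
        findings.append(("MSDTC service Start = 4 (service disabled)", "C"))
    return findings

def likely_variants(findings: list) -> set:
    """Collapse the variant tags of all findings, e.g. {'B', 'C'}."""
    return {v for _, tag in findings for v in tag.split("/")}
```

Note that a %System%\wins\svchost.exe match is only a hint: the legitimate svchost.exe lives directly in %System%, and the wins subfolder is what distinguishes the worm's copy.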

    Detection

    Scan the infected computer with updated anti-virus software to detect the presence of the worm.

    NOTE: Users MUST update their anti-virus software in order to detect and delete the worm.

    Removal Steps

    1. Disconnect the machine from the network.

    2. Apply the MS05-051 patch, which can be downloaded at:

    http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

    NOTE: The patch can be downloaded on a clean machine and transferred on removable media (CD).

    3. Disable System Restore (for Windows Me/XP only).

    Windows XP:

    a. Click Start.

    b. Right-click My Computer, and then click Properties.

    c. Click the System Restore tab.

    d. Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

    Windows Me:

    a. Click Start, point to Settings, and then click Control Panel.

    b. Double-click the System icon. The System Properties dialog box appears.

    c. Click the Performance tab, and then click File System. The File System Properties dialog box appears.

    d. Click the Troubleshooting tab, and then check Disable System Restore.

    e. Click OK. Click Yes when you are prompted to restart Windows.

    4. Update the virus definitions.

    5. Run a full system scan and delete all the files detected.

    6. Delete any values added to the registry. Back up your registry before deleting the values.

    7. Re-scan the machine to confirm that it is clean.

    8. Enable System Restore (for Windows Me/XP only).

    9. Re-connect the machine to the network.

    Prevention

    1. Install the latest computer updates/patches.

    2. Enable and use up-to-date antivirus software.

    3. Close all ports except your HTTP port; otherwise, filter the ports so that only authorized users can reach them.

    4. Enable a personal firewall on your computer.


      References:

      1. Symantec

      http://securityresponse.symantec.com/avcenter/venc/data/w32.dasher.a.html
      http://securityresponse.symantec.com/avcenter/venc/data/w32.dasher.b.html
      http://securityresponse.symantec.com/avcenter/venc/data/w32.dasher.c.html

      2. Trend Micro

      http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDASHER%2EA&VSect=T

      3. McAfee

      http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137567

      4. AusCERT

      http://www.auscert.org.au/5584

      5. Microsoft

      http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

      If you believe that your computer has been infected in any way, we encourage you to report it to MyCERT at:

      Tel : 03-89961901
      Online form : http://www.mycert.org.my/report_incidents/online_form.html
      Fax : 03-89960827
      Email : mycert@mycert.org.my
      SMS : 019-2813801
