Dasher.C
It has been observed that a memory-resident worm called Dasher.C (with earlier variants Dasher.A and Dasher.B) is spreading in the wild, exploiting the Microsoft Windows MSDTC Memory Corruption Vulnerability (MS05-051), the Windows Plug and Play service vulnerability (MS05-039), the WINS vulnerability (MS04-045) and the MSSQL authentication vulnerability (MS02-056), described in CERT-In Vulnerability Notes CIVN-2005-96, CIVN-2005-73 and CIVN-2005-101.
The worm drops spying software on vulnerable PCs which scans for further vulnerable systems on TCP port 1025, logs keystrokes and turns the computer into a remotely controlled 'bot' system.
Upon execution, this worm:
- Drops and executes the file SQLTOB.EXE in the %Windows%\Temp folder.
- Also drops the following files in the same folder: log.txt, Result.txt, SqlExp.exe (a component used in the MSDTC exploit), Sqrep.exe (a component that is also detected as WORM_DASHER.A), SqlScan.bat (a batch file containing the parameter-based commands this worm needs to run), SqlScan.exe (a port scan utility) and Temp.txt.
- Creates the following registry entry to enable its automatic execution at every system startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Windows Update = "%Windows%\Temp\Sqltob.exe"
- Adds "SMBDeviceEnabled" = "0" to the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters.
- Modifies "Start" = "4" in the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC.
- Deletes "Windows Update" from the registry subkey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- Constructs random addresses from a fixed list of class A networks. If it finds a system responding to its TCP SYN scan, it sends the exploit payload, which opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions.
- Tries to connect to IP address 222.240.219.143 on TCP port 53 and also to an FTP server at IP address 159.226.153.2 on TCP port 21211. It may be noted that this FTP server's IP address could be changed dynamically.
- It has also been reported that the worm contains a rootkit driver which enables it to hide its malicious processes.
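As an added, defender-side illustration (this is not part of the CERT-In advisory and not CERT-In's own tooling), the following Python script matches the host and network indicators listed above against constructed sample records: exported registry values, a listing of %Windows%\Temp, and firewall/NetFlow-style connection records. The record shapes, the threshold of 20 distinct hosts for flagging a SYN scan on TCP port 1025, and the 10.0.0.x and 192.0.2.x addresses in the sample data are assumptions made for this example; the dropped file names, registry values and the two server addresses and ports come from the advisory. Registry paths are normalised (case folded, spaces removed, HKEY_LOCAL_MACHINE expanded to HKLM) so that exports written either way still match; the FTP server match is a weaker signal because the advisory notes that address may change.

```python
"""Indicator matcher for the Dasher.C behaviour described in the advisory.

Added example, not CERT-In tooling. Record formats below are assumptions:
  registry values : (key_path, value_name, data)
  file listing    : file names found in %Windows%\\Temp
  flows           : (src_ip, dst_ip, dst_port, tcp_flags)
"""
import re

# Indicators from the advisory. The FTP drop server may change address,
# so that hit is labelled as a weaker signal.
C2_ENDPOINTS = {
    ("222.240.219.143", 53): "Dasher C2 server (TCP/53)",
    ("159.226.153.2", 21211): "Dasher FTP server (TCP/21211, address may change)",
}
DROPPED_FILES = {"sqltob.exe", "sqlexp.exe", "sqlrep.exe", "sqlscan.bat", "sqlscan.exe"}
SCAN_PORT = 1025
SCAN_THRESHOLD = 20  # distinct hosts SYN-probed on SCAN_PORT per source (assumed)


def norm_key(path):
    """Normalise a registry path: drop whitespace, fold case, expand the hive name."""
    return re.sub(r"\s+", "", path).lower().replace("hkey_local_machine", "hklm")


def check_registry(values):
    """Return findings for the three registry changes the advisory lists."""
    findings = []
    for key, name, data in values:
        k, n, d = norm_key(key), name.lower(), str(data).strip('"').lower()
        if (k.endswith(r"\software\microsoft\windows\currentversion\run")
                and n == "windows update" and d.endswith(r"\temp\sqltob.exe")):
            findings.append(f"Run key persistence: {name} -> {data}")
        elif k.endswith(r"\services\netbt\parameters") and n == "smbdeviceenabled" and d == "0":
            findings.append("SMBDeviceEnabled=0 (SMB over TCP/IP on port 445 disabled)")
        elif k.endswith(r"\services\msdtc") and n == "start" and d == "4":
            findings.append("MSDTC Start=4 (service disabled)")
    return findings


def check_files(listing):
    """Return the advisory's dropped-file names present in a %Windows%\\Temp listing."""
    return sorted({f for f in listing if f.lower() in DROPPED_FILES})


def check_flows(flows):
    """Flag connections to the advisory's servers and SYN scanning on TCP/1025."""
    findings = []
    syn_targets = {}  # src -> set of distinct hosts probed on SCAN_PORT
    for src, dst, dport, flags in flows:
        label = C2_ENDPOINTS.get((dst, dport))
        if label:
            findings.append(f"{src} -> {dst}:{dport} matches {label}")
        if dport == SCAN_PORT and flags == "S":
            syn_targets.setdefault(src, set()).add(dst)
    for src, targets in syn_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append(f"{src} SYN-scanned {len(targets)} hosts on TCP/{SCAN_PORT}")
    return findings


# Constructed sample records (not real captures). One infected host, 10.0.0.5.
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run",
     "Windows Update", r"C:\WINDOWS\Temp\Sqltob.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters", "SMBDeviceEnabled", "0"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\MSDTC", "Start", "4"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\MSDTC", "Type", "16"),  # benign value
]
SAMPLE_FILES = ["log.txt", "Result.txt", "SqlExp.exe", "Sqlrep.exe", "SqlScan.bat",
                "SqlScan.exe", "Temp.txt", "~DF1234.tmp"]
SAMPLE_FLOWS = [
    ("10.0.0.5", "222.240.219.143", 53, "S"),
    ("10.0.0.5", "159.226.153.2", 21211, "S"),
    ("10.0.0.7", "8.8.8.8", 53, "S"),  # ordinary DNS, must not match
] + [("10.0.0.5", f"192.0.2.{i}", SCAN_PORT, "S") for i in range(1, 26)]


def scan_host(registry=SAMPLE_REGISTRY, files=SAMPLE_FILES, flows=SAMPLE_FLOWS):
    """Run all three checks and group the findings by evidence source."""
    return {"registry": check_registry(registry),
            "files": check_files(files),
            "network": check_flows(flows)}


if __name__ == "__main__":
    for section, hits in scan_host().items():
        print(section)
        for hit in hits:
            print("  -", hit)
```

In practice the registry and file records would come from a registry export and a directory listing of the suspect host, and the flows from a perimeter device; because the advisory says the worm carries a rootkit driver that hides its processes, host-side process listings from the infected machine itself should not be trusted, which is why the network evidence is kept as a separate section.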
Since the worm has a high distribution rate and damage potential, users are advised to update their anti-virus software and apply the appropriate security updates described in Microsoft Security Bulletins MS05-051, MS04-045, MS05-039 and MS02-056.
For further details, refer to CERT-In Vulnerability Notes CIVN-2005-96, CIVN-2005-73 and CIVN-2005-101 and the following URLs:
References
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91 11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003