W32.Dasher.A


Aliases: W32/Dasher-A, Exploit.Win32.MS05-051.b, W32/Dasher-B
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 15 Dec 2005
Damage: Medium

Characteristics: W32.Dasher.A is a worm that exploits the Microsoft Windows Distributed Transaction Coordinator (MSDTC) remote vulnerability and other Microsoft Windows vulnerabilities, such as those in COM+ and Microsoft SQL Server. The worm arrives in a RAR file.

More details about W32.Dasher.A

This worm, which arrives as a self-extracting RAR file, exploits Microsoft Windows vulnerabilities in MSDTC and COM+ (MS05-051) and in Microsoft SQL Server (MS02-056) after installing itself on a host. MSDTC is reached on TCP port 1025. When the W32.Dasher.A program is run, it creates several files, including the malicious component of the worm, %Windir%\Temp\SqlExp.exe. The other files are the replace command, %Windir%\Temp\Sqlrep.exe; the main component of W32.Dasher.A, %Windir%\Temp\Sqltob.exe; and the port scan utility, %Windir%\Temp\SqlScan.exe. Keep in mind that %Windir% is a variable; by default it is either C:\Windows or C:\Winnt.

After creating the files above, the worm runs another file and adds a value to the registry. When Windows starts, the worm runs and creates the files it uses to exploit the targeted vulnerabilities: %Windir%\Temp\SqlScan.bat, %Windir%\Temp\log.txt, %Windir%\Temp\Temp.txt and %Windir%\Temp\Result.txt. It then generates IP addresses to scan in the range [%IP1%].[%IP2%].1.1 to [%IP1%].[%IP2%].255.254, where %IP1% and %IP2% are each selected from 58 to 222.
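
Two defender-side checks that follow from the behaviour just described, added here as example code that is not part of this entry or of any vendor tool: the first looks for the dropped file names under the %Windir%\Temp directory (expanding %Windir% to its two default values), and the second flags a host that contacts many distinct addresses on TCP port 1025 inside one /16 whose first two octets fall in the 58 to 222 range the worm draws from. The file listing and connection-log lines are constructed, and the log format, the threshold and the function names are assumptions.

```python
"""Host and network indicator checks for the W32.Dasher.A behaviour described above."""
import ipaddress
import re
from collections import defaultdict

# File names the worm drops under %Windir%\Temp (taken from the entry above).
# %Windir% expands to C:\Windows or C:\Winnt by default, so we match on the
# expanded directory plus basename rather than on the literal variable.
DASHER_TEMP_FILES = {
    "sqlexp.exe", "sqlrep.exe", "sqltob.exe", "sqlscan.exe",
    "sqlscan.bat", "log.txt", "temp.txt", "result.txt",
}
# The generic names (log.txt etc.) only mean something next to the worm's own binaries.
DASHER_BINARIES = {"sqlexp.exe", "sqlrep.exe", "sqltob.exe", "sqlscan.exe"}
WINDIR_TEMP = (r"c:\windows\temp", r"c:\winnt\temp")


def find_dasher_artifacts(paths):
    """Return the Dasher file names present in `paths` (a host file listing).

    Reports nothing unless at least one of the worm's binaries is present,
    so a stray C:\\Windows\\Temp\\log.txt on its own does not alert.
    """
    found = set()
    for p in paths:
        p = p.strip().lower().replace("/", "\\")
        directory, _, name = p.rpartition("\\")
        if directory in WINDIR_TEMP and name in DASHER_TEMP_FILES:
            found.add(name)
    if not found & DASHER_BINARIES:
        return set()
    return found


# Constructed connection-log format (an assumption): "<src_ip> -> <dst_ip>:<dst_port>".
LOG_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")
MSDTC_PORT = 1025  # the port the entry says the worm targets for MSDTC


def detect_msdtc_sweep(log_lines, threshold=10):
    """Map each source to the /16 blocks it swept on TCP/1025.

    A block counts as swept when the source touched at least `threshold`
    distinct hosts in it and the block's first two octets are both in the
    worm's 58-222 selection range. Sources with no swept block are omitted.
    """
    per_src = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port != MSDTC_PORT:
            continue
        try:
            addr = ipaddress.IPv4Address(dst)
        except ipaddress.AddressValueError:
            continue
        o1, o2 = addr.packed[0], addr.packed[1]
        if not (58 <= o1 <= 222 and 58 <= o2 <= 222):
            continue
        per_src[src][f"{o1}.{o2}.0.0/16"].add(dst)
    return {
        src: sorted(block for block, hosts in blocks.items() if len(hosts) >= threshold)
        for src, blocks in per_src.items()
        if any(len(hosts) >= threshold for hosts in blocks.values())
    }


# Constructed sample data: a partial file listing and a few connection-log lines.
SAMPLE_PATHS = [
    r"C:\Windows\Temp\SqlExp.exe",
    r"C:\Windows\Temp\Sqltob.exe",
    r"C:\Windows\Temp\Result.txt",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_LOG = [f"10.0.0.5 -> 100.120.1.{i}:1025" for i in range(1, 13)] + [
    "10.0.0.5 -> 100.120.5.9:445",   # not the MSDTC port, ignored
    "10.0.0.7 -> 100.120.1.1:1025",  # a single probe, below the default threshold
    "10.0.0.7 -> 10.10.1.1:1025",    # first octet outside 58-222, ignored
]

if __name__ == "__main__":
    print("dropped files found:", sorted(find_dasher_artifacts(SAMPLE_PATHS)))
    print("MSDTC sweeps:", detect_msdtc_sweep(SAMPLE_LOG))
```

The threshold is deliberately low because the worm walks a whole /16 one host at a time; on real telemetry it should be tuned against normal MSDTC traffic, and the file check should be paired with the registry value the worm adds, which this entry does not name.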

Once the worm finds a vulnerable system, it sends shellcode to that system, which then connects back and waits for commands from the attacker. One common command makes the infected computer take part in an attack on a remote server, typically a DoS (Denial of Service) attack, in which large amounts of malformed and repeated data are sent until the server can no longer process the incoming traffic and crashes.