W32.Dinkdink.Worm


Aliases: Worm.Win32.Dinkdink.a, W32/Dinkdink.worm,   WORM_DINKDINK.A,   W32/Dinkdink.A,   Worm/Dinkdink
Variants: W32/Dinkdin-A , Win32.Dinkdink.A@mm

Classification: Malware
Category: Computer Worm

Status: Active
Spreading: Slow
Geographical info: Asia, North and South America, Europe, Australia and some parts of Africa
Removal: Easy
Platform: W32
Discovered: 18 Aug 2003
Damage: Low

Characteristics: Like other worm that exploits the system, W32.Dinkdink.Worm infects the DCOM RPC Vulnerability of two Windows Systems: the Windows 2000 and the Windows XP. This worm uses a two-step procedure to propagate itself.

More details about W32.Dinkdink.Worm

This self-replicating worm uses a fixed server for its propagation. It exploits the DCOM RPC Vulnerability with the use of TCP port 135. This worm can also be detected as W32.Blaster.D. If the worm is activated, it enters to a loop generating random class C address, iterating via A.B.C.0 – A.B.C.255 attempting to connect to the port 135. The worm sends a data package to exploit the DCOM RPC Vulnerability once the connection established is made. Since the worm does not spread on other Windows systems like the Windows NT or 2003, attempting to exploit on these un-patched computers may still cause the RPC service to crash. For the Windows 2000 and Windows XP, the worm will download the file Windat.exe to the%Sysdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup on the vulnerable computer system. Then the worm will finish the execution by directing the TFTP or the Trivial File Transfer Protocol to download Windat.exe from another computer. If successfully downloaded, the worm spreads by infecting the system.

The W32.Dinkdink.Worm software can scan the system for any unused ports. It opens one to connect to a remote server. This connection is largely unnoticed by the system security. Information sent here bypasses any installed security measures in the computer. The remote server is typically used to send commands to this application. The commands are executed in the system without the user’s consent. These can include monitoring the user’s actions, scanning and copying data files and altering the system’s settings. Additional malware programs may also be added to the computer.