Aliases: W32.Dabber.A, W32/Dabber.A!worm, W32/Dabber.worm.a
Variants: W32.Sasser.Worm

Classification: Malware
Category: Computer Worm

Status: active & spreadings
Spreading: slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: easy
Platform: W32
Discovered: 14 May 2004
Damage: high

Characteristics: W32.Dabber.A is a worm. It can only infect Windows 2000 and Windows XP Operating System platforms. It spreads by using vulnerability in the FTP server component of W32.Sasser.Worm and its variants.

More details about W32.Dabber.A

This worm is also considered as a backdoor worm for it also installs a backdoor on infected hosts listening on port 9898. If unsuccessful, the worm may also try to go on ports 9899 through 9999 in sequence until it finds an open port. The author wrote this in C++ and packed with UPX. Upon installation, it creates the mutex sas4dab. This enables the worm to work only in one instance. It also attempts to copy itself to Windows folder as package.exe filenames and you may see directories such as, “%System%\package.exe,”C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe” and “%Windir%\All Users\Main menu\Programs\StartUp\package.exe.”

The worm, upon modifying registry entries, also tries to delete a number of values from the registry that are associated with other malware. It deletes values associated with Video and Microsoft Update. This worm can harshly compromise the security of a computer. It greatly puts its affected computer at risk of being exposed to other threats that could be more destructive. It also opens its infected computer to external control through the Internet; thereby, allowing intruders to take control of the compromised system.