Friday, May 14, 2004

Dabber

A new worm called Dabber appears to be spreading via a vulnerability in the recent Sasser worm. Dabber is different in that it is one of the first to spread by exploiting an actual programming error in Sasser.

Dabber scans for Sasser-infected hosts on port 5554. If it finds an infected system, it then uses code from a Sasser FTP exploit to take control of the box.

After Dabber has installed itself, it deletes the registry keys of Sasser and other worms / viruses. Dabber opens up port 9898 as a backdoor. To remove Dabber, you would need to kill the "package.exe" process and then delete the file, as well as remove the "sassfix" registry key.

It can be found in the following locations:

%System%\package.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe

%Windir%\All Users\Main menu\Programs\StartUp\package.exe

It appears to delete a list of entries from other registry keys; check out the Symantec Alert for full details. It looks like this might become another trend, as obviously even malicious code has bugs.
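As an added example (not part of the original post), here is a small triage script that checks `netstat -ano` output and a file listing against the indicators mentioned above: listeners on ports 5554 and 9898, and package.exe in the listed locations. The values used for %System% and %Windir% are assumed defaults, the function names are made up for illustration, and the sample input is constructed.

```python
import re

# Indicators taken from the post: Sasser's FTP server listens on 5554,
# Dabber's backdoor on 9898, and Dabber's file is named package.exe.
PORT_MEANING = {5554: "Sasser FTP server (what Dabber scans for)",
                9898: "Dabber backdoor"}
# Locations from the post; %System% / %Windir% are expanded with assumed
# default values, so adjust them for the host being examined.
ENV = {"%system%": r"c:\windows\system32", "%windir%": r"c:\windows"}
LOCATIONS = [
    r"%System%\package.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe",
    r"%Windir%\All Users\Main menu\Programs\StartUp\package.exe",
]
# Matches only listening TCP sockets; captures local port and owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)

def expand(path):
    """Lower-case a path and substitute the assumed environment values."""
    p = path.lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p

def triage(netstat_text, file_paths):
    """Return sorted findings from netstat -ano output and a file listing."""
    findings = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in PORT_MEANING:
            port = int(m.group(1))
            findings.add(f"port {port} listening (PID {m.group(2)}): {PORT_MEANING[port]}")
    known = {expand(p) for p in LOCATIONS}
    for path in file_paths:
        if expand(path) in known:
            findings.add(f"file present: {path}")
    return sorted(findings)

# Constructed sample input, not captured from a real host.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING    880
  TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING    1412
  TCP    0.0.0.0:9898    0.0.0.0:0    LISTENING    1620
  TCP    10.0.0.5:1034   10.0.0.9:9898  ESTABLISHED  1620
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\package.exe", r"C:\WINDOWS\system32\notepad.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_FILES):
        print(finding)
```

A listener on 5554 alone means the host still has Sasser running and is exposed to Dabber; the PID in each finding tells you which process to inspect before killing it.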

Post ID: 377, posted by jase at 04:22 PM