Alias: W32/Dabber-A, W32/Dabber.worm.a, WORM_DABBER.A, W32.Dabber.A
Type: Worm
Size: 29,696 Bytes
Origin: unknown
Date: 05-14-2004
Damage: Uses security hole LSASS
VDF Version: 6.25.00.60
Danger: High
Distribution: Low

General Description: The worm spreads by exploiting a security hole.

Distribution: The worm opens a backdoor on an infected system. The backdoor operates over port 9898. It gives the attacker control over the system and enables them to collect information on other systems.

Technical Details: When activated, Worm/Dabber copies itself to the following locations:
- %System%\package.exe
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe
- %WinDIR%\All Users\Main menu\Programs\StartUp\package.exe

Then, it makes the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"sassfix"="%System%\package.exe"

It tries to delete the registry entries for Video and Microsoft Update from:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It deletes the following entries:
- Drvddll.exe
- Drvddll_exe
- drvsys
- drvsys.exe
- ssgrate
- ssgrate.exe
- lsasss
- lsasss.exe
- avserve2.exe
- avvserrve32
- avserve
- Taskmon
- Gremlin
from:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It deletes the entries:
- Window
- Video Process
- TempCom
- SkynetRevenge
- MapiDrv
- BagleAV
- System Updater Service
- soundcontrl
- WinMsrv32
- drvddll.exe
- navapsrc.exe
- skynetave.exe
- Generic Host Service
- Windows Drive Compatibility
- windows
from the registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also deletes the (Default) entry from HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\

The worm scans port 5554 to find the IP addresses of computers infected with Worm/Sasser. When an infected system is found, it spreads via the FTP server, a Worm/Sasser component. It will try to download components from an infected computer.
Description added by Crony Walker on Tuesday, June 15, 2004
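
The indicators described above (the "sassfix" Run value, the package.exe copies, the backdoor on port 9898 and the probes to port 5554) can be checked against triage data collected from a host. The following is an added example, not part of the original description or of any Avira tool; it assumes the input is the decoded text of a `reg export` dump and of `netstat -an` output, and the function names and sample data are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_VALUE = "sassfix"        # Run value the worm creates
DROP_NAME = "package.exe"    # file name of every dropped copy
BACKDOOR_PORT = 9898         # backdoor port
SASSER_FTP_PORT = 5554       # port probed on Sasser-infected hosts
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Flag Run-key values in a .reg export that match the worm's autostart."""
    hits, key = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the current registry key
            continue
        m = REG_VALUE.match(line)
        if not m or not key.lower().endswith("\\currentversion\\run"):
            continue
        # .reg files escape backslashes in string data; undo that.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE or data.lower().endswith("\\" + DROP_NAME):
            hits.append((key, name, data))
    return hits

def scan_netstat(text):
    """Flag a 9898 listener and outbound TCP connections to port 5554."""
    hits = []
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local, remote, state = parts[1:4]
        lport, rport = (e.rsplit(":", 1)[-1] for e in (local, remote))
        if state == "LISTENING" and lport == str(BACKDOOR_PORT):
            hits.append(("backdoor-listener", local))
        elif state != "LISTENING" and rport == str(SASSER_FTP_PORT):
            hits.append(("sasser-ftp-probe", remote))
    return hits

# Constructed sample inputs (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sassfix"="C:\\WINDOWS\\system32\\package.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:9898        0.0.0.0:0            LISTENING
  TCP    192.0.2.10:1045     198.51.100.7:5554    SYN_SENT
  TCP    192.0.2.10:139      0.0.0.0:0            LISTENING
"""
```

A file named package.exe is not unique to this worm, so a path match alone should be confirmed against the other indicators before a host is treated as infected.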
