Alias: W32/Dabber-A, W32/Dabber.worm.a, WORM_DABBER.A, W32.Dabber.A
Size: 29,696 Bytes
Damage: Uses security hole LSASS
VDF Version: 

General Description: It spreads using a security hole.

Distribution: The worm opens a backdoor on an infected system over port 9898. This gives the attacker control over the system and enables him to collect information on other systems.

Technical Details: When activated, Worm/Dabber copies itself to the following locations:
- %System%\package.exe
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe
- %WinDIR%\All Users\Main menu\Programs\StartUp\package.exe

Then, it makes the following registry entry:

It tries to delete registry entries of the Video and Microsoft Update from:

It deletes the following entries:
- Drvddll.exe
- Drvddll_exe
- drvsys
- drvsys.exe
- ssgrate
- ssgrate.exe
- lsasss
- lsasss.exe
- avserve2.exe
- avvserrve32
- avserve
- Taskmon
- Gremlin
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It deletes the entries:
- Window
- Video Process
- TempCom
- SkynetRevenge
- MapiDrv
- BagleAV
- System Updater Service
- soundcontrl
- WinMsrv32
- drvddll.exe
- navapsrc.exe
- skynetave.exe
- Generic Host Service
- Windows Drive Compatibility
- windows
from the registry folders:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

And the (Default) entry from HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-

The worm scans on port 5554 for IP addresses of computers infected with Worm/Sasser. When an infected system is found, it spreads via the FTP server that is a component of Worm/Sasser. It will try to download components from an infected computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
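A triage check built from the indicators listed above (the three package.exe drop locations, the backdoor on port 9898 and connections to port 5554), added here as an example and not part of the original description. The mapping of %System% and %WinDIR% to directories, the function names, and the sample file list and `netstat -an` output are constructed assumptions.

```python
import re

# Indicators from the description above.
DROP_NAME = "package.exe"
DROP_DIRS = [
    r"%System%",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"%WinDIR%\All Users\Main menu\Programs\StartUp",
]
BACKDOOR_PORT = "9898"    # backdoor opened on the infected system
SASSER_FTP_PORT = "5554"  # port scanned for Sasser-infected hosts

# Constructed sample data (assumed host layout, documentation IP addresses).
SAMPLE_ENV = {"System": r"C:\WINDOWS\system32", "WinDIR": r"C:\WINDOWS"}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\package.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"c:\documents and settings\all users\start menu\programs\startup\PACKAGE.EXE",
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9898           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        192.0.2.77:5554        SYN_SENT
  TCP    192.0.2.10:1050        192.0.2.80:80          ESTABLISHED
"""

def expand(path, env):
    """Replace %Name% placeholders from env (case-insensitive); unknown ones stay."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def file_hits(present_files, env):
    """Return files that match a drop location, compared case-insensitively."""
    wanted = {(expand(d, env) + "\\" + DROP_NAME).lower() for d in DROP_DIRS}
    return sorted(p for p in present_files if p.lower() in wanted)

def port_hits(netstat_text):
    """Flag a listener on 9898 and outbound TCP contacts to remote port 5554."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP":
            continue  # skips the header row and non-TCP lines
        local_port, remote_port = f[1].rsplit(":", 1)[-1], f[2].rsplit(":", 1)[-1]
        if f[3].upper() == "LISTENING" and local_port == BACKDOOR_PORT:
            hits.append(("backdoor-listener", f[1]))
        elif f[3].upper() in ("ESTABLISHED", "SYN_SENT") and remote_port == SASSER_FTP_PORT:
            hits.append(("sasser-ftp-contact", f[2]))
    return hits
```

A file named package.exe or a listener on 9898 is only a lead; confirm a hit with an up-to-date scanner before acting on it.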

