QUOTE
W32/Dasher-B is a worm for the Windows platform.
W32/Dasher-B spreads by exploiting the MSDTC (MS05-051) vulnerability.
When run, the worm creates the following files:
<Windows system folder>\wins\sqlexp.exe
<Windows system folder>\wins\sqlscan.exe
<Windows system folder>\wins\svchost.exe
Sqlscan.exe is a port scanner, used to search networks for open ports.
Sqlexp.exe and svchost.exe are detected as W32/Dasher-B.
W32/Dasher-B searches a set of pre-defined networks for open ports and attempts to exploit any vulnerable computers it finds. The exploit opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions.
At the time of writing, the instructions supplied by the remote server cause the exploited computer to download and execute two further programs.
The current version of this MS05-051 based Internet worm has some bugs. This new development should be watched, as future variants could improve their capability to spread.
Sophos information
http://www.sophos.com/virusinfo/analyses/w32dasherb.html
F-Secure:
http://www.f-secure.com/weblog/archives/ar...5.html#00000735
ISC: MS05-051 (MSDTC) Malware / Port 1025
http://isc.sans.org/diary.php?storyid=934
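
For anyone triaging hosts, here is an added example (not from the Sophos write-up or any vendor tool) that checks a file inventory against the three dropped file names listed in the quote. It assumes "<Windows system folder>" means a `system32` directory under any Windows root; the function names and the sample paths are constructed for illustration.

```python
from pathlib import PureWindowsPath
from typing import List, Optional

# File names the quoted advisory lists under <Windows system folder>\wins\
DROPPED_NAMES = {"sqlexp.exe", "sqlscan.exe", "svchost.exe"}

# Assumption: "<Windows system folder>" is ...\system32 (e.g. C:\WINDOWS or C:\WINNT root).
SYSTEM_DIR = "system32"
DROP_SUBDIR = "wins"


def classify(path: str) -> Optional[str]:
    """Return a finding label if the path matches the advisory's file list, else None."""
    p = PureWindowsPath(path)  # accepts both backslash and forward-slash separators
    parts = [part.lower() for part in p.parts]  # Windows paths are case-insensitive
    if len(parts) < 3:
        return None
    in_drop_dir = parts[-2] == DROP_SUBDIR and parts[-3] == SYSTEM_DIR
    if in_drop_dir and parts[-1] in DROPPED_NAMES:
        return "W32/Dasher-B dropped file (per advisory)"
    return None


def scan(paths: List[str]) -> List[str]:
    """Return the subset of paths that match, preserving input order."""
    return [p for p in paths if classify(p) is not None]


# Constructed sample inventory, e.g. from a recursive directory listing.
SAMPLE_INVENTORY = [
    r"C:\WINDOWS\system32\svchost.exe",       # normal location, must not be flagged
    r"C:\WINDOWS\system32\wins\svchost.exe",  # same name, but in the \wins subfolder
    r"C:\WINNT\System32\WINS\SQLEXP.EXE",     # different root and letter case
    "D:/Windows/system32/wins/sqlscan.exe",   # forward slashes
    r"C:\WINDOWS\system32\wins\wins.mdb",     # other file in \wins, not on the list
    r"C:\Tools\wins\sqlscan.exe",             # \wins folder outside the system folder
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_INVENTORY):
        print(f"{hit}: {classify(hit)}")
```

A match is only a pointer for follow-up: the names come from this one advisory, and the note above about future variants means they may change.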