Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dasher.b - Internet Worm Exploits Ms05-051 Vulnerability


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:08:45 PM

Posted 15 December 2005 - 08:42 PM

W32/Dasher-B is a worm for the Windows platform.
W32/Dasher-B spreads by exploiting the MSDTC (MS05-051) vulnerability.

When run the worm creates the following files :
<Windows system folder>\wins\sqlexp.exe
<Windows system folder>\wins\sqlscan.exe
<Windows system folder>\wins\svchost.exe
Sqlscan.exe is a port scanner, used to search networks for open ports.

Sqlexp.exe and svchost.exe are detected as W32/Dasher-B.
W32/Dasher-B searches a set of pre-defined networks for open ports and attempts to exploit and vulnerable computers it finds. The exploit opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions.

At the time of writing the instructions supplied by the remote server cause the exploited computer to download and execute two further programs.


The current version of this MS05-051 based Internet worm has some bugs. This new development should be watched, as future variants could improve their capability to spread.

Sophos information
http://www.sophos.com/virusinfo/analyses/w32dasherb.html

F-Secure:
http://www.f-secure.com/weblog/archives/ar...5.html#00000735

ISC: MS05-051 (MSDTC) Malware / Port 1025
http://isc.sans.org/diary.php?storyid=934

BC AdBot (Login to Remove)

 


m



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users