Win32.Worm.Dabber.A (W32/Dabber-A (Sophos))
SYMPTOMS:

Presence of package.exe in the following folders and in the process list:

* c:\Documents and Settings\All Users\Start Menu\Programs\Startup
* %windir%\All Users\Main menu\Programs\StartUp
* %system32%

Presence in the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of the value "sassfix" pointing to "%system32%\packer.exe".

TECHNICAL DESCRIPTION:

When run, the worm tries to copy itself into the three folders listed above, then creates a mutex called "sas4dab" in order to avoid reinfection. After that it tries to remove the following keys from the registry:

* HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\(Default)
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Video
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avserve
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avvserrve32
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avvserrve32
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsasss
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsys
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvsys
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll.exe

It also removes all of the following strings:

* Microsoft Update
* windows
* Windows Drive Compatibility
* Generic Host Service
* skynetave.exe
* navapsrc.exe
* lsasss.exe
* drvddll.exe
* ssgrate.exe
* WinMsrv32
* soundcontrl
* System Updater Service
* BagleAV
* MapiDrv
* SkynetRevenge
* TempCom
* Video
* Process Window

from the following keys:

* HKLM\Software\Microsoft\Windows\CurrentVersion\Run
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
* HKCU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Removal instructions:

Manual removal:

* open Task Manager by pressing [CTRL]+[ALT]+[DEL], or [CTRL]+[SHIFT]+[ESCAPE] on Win2000/XP
* in the Processes tab, use End Process on package.exe
* open Registry Editor: press [WIN]+[R], type regedit and press [ENTER]
* remove the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sassfix registry key
* delete the files enumerated in the SYMPTOMS section

Automatic removal:

* let BitDefender disinfect the infected files

ANALYZED BY: Mircea Ciubotariu, BitDefender Virus Researcher
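The symptoms above can be checked before starting manual removal. The following read-only PowerShell script is an added example, not a BitDefender tool; it looks for the dropped file in the three folders named in the SYMPTOMS section, the running process, the "sassfix" Run value and the "sas4dab" mutex, and only reports what it finds.

```powershell
# Added check for the Dabber.A indicators listed on this page (not BitDefender's code).
# Read-only: it reports findings and deletes nothing.
$startupDirs = @(
    "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programs\Startup",
    "$env:windir\All Users\Main menu\Programs\StartUp",
    "$env:windir\system32"
)
$findings = @()

# 1. Dropped copies of the worm (package.exe) in the three folders from SYMPTOMS
foreach ($dir in $startupDirs) {
    $path = Join-Path $dir 'package.exe'
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. A running package.exe process (Get-Process takes the name without .exe)
$procs = Get-Process -Name 'package' -ErrorAction SilentlyContinue
if ($procs) { $findings += "Process running: package.exe (PID $($procs.Id -join ', '))" }

# 3. The 'sassfix' value under the HKLM Run key; report whatever path it points to
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$sassfix = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).sassfix
if ($sassfix) { $findings += "Run value 'sassfix' -> $sassfix" }

# 4. The 'sas4dab' reinfection-marker mutex (TryOpenExisting needs .NET 4.5 or later)
$mutex = $null
if ([System.Threading.Mutex]::TryOpenExisting('sas4dab', [ref]$mutex)) {
    $findings += 'Mutex present: sas4dab'
    $mutex.Dispose()
}

if ($findings) {
    Write-Output 'Dabber.A indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Dabber.A indicators found.'
}
```

Run it from an elevated prompt so the HKLM key and the system32 folder are readable; a hit on any one indicator is enough to proceed with the removal steps.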