Dasher infectionvectors.com December 2005
Vector: MS DTC (MS05-051)
Impact: Medium (connects to remote server)
The first automated piece of malware built on the vulnerability announced in bulletin MS05-051, Dasher made improvements after its first iteration that allowed it to spread to a moderate number of machines in mid-December 2005.
Once the worm is executed, it installs itself with an autostart entry in the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Update" = "%windir%\Temp\Sqltob.exe"
The “Sqltob.exe” file is of interest as it may represent an attempt by the author to name the worm in a fashion similar to Mytob and Zotob. Alternatively, it is simply an entertaining nod to the virus researchers of the world – something relatively few people would find humorous.
The worm uses a series of files to complete its work. A BAT file named “sqlscan” calls the scanning application itself, “sqlscan.exe.” The latter file uses a hard-coded list of numbers to fill in the first two octets of IP addresses (used, of course, for attempting to infect new hosts). The list of numbers:
58-62 80-85 130 133 140 160 162-163 165 168 193-195 200 202-203 210-211 213 217-222
So, if one’s network address is not formed by any permutation of the above, it is not in the sights of Dasher.
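The check described above, written out as an added example (not code from the original write-up): it expands the hard-coded list into a set of octets and tests whether an address or a network falls inside the address space Dasher's scanner can generate. The write-up says only that the first two octets are filled from the list; the assumption that each of the two octets is drawn independently from it is mine, as are the helper names.

```python
"""Added example: is a given IPv4 address or network inside Dasher's scan space?

The write-up states that sqlscan.exe fills the first two octets of candidate
addresses from a hard-coded list. Assumption (not stated on the page): each of
the two octets is chosen independently from that list.
"""
import ipaddress

# The list exactly as printed in the write-up.
DASHER_OCTET_LIST = (
    "58-62 80-85 130 133 140 160 162-163 165 168 193-195 200 "
    "202-203 210-211 213 217-222"
)


def expand_octets(spec: str) -> frozenset[int]:
    """Expand a space-separated list of numbers and N-M ranges into a set of octets."""
    values = set()
    for token in spec.split():
        if "-" in token:
            lo, hi = (int(p) for p in token.split("-", 1))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range: {token}")
            values.update(range(lo, hi + 1))
        else:
            n = int(token)
            if not 0 <= n <= 255:
                raise ValueError(f"bad octet: {token}")
            values.add(n)
    return frozenset(values)


DASHER_OCTETS = expand_octets(DASHER_OCTET_LIST)


def in_dasher_scan_space(address: str) -> bool:
    """True if both leading octets of the address come from Dasher's list."""
    first, second = (int(p) for p in str(ipaddress.IPv4Address(address)).split(".")[:2])
    return first in DASHER_OCTETS and second in DASHER_OCTETS


def network_in_scan_space(cidr: str) -> bool:
    """True if any address in the network could be generated by the scanner.

    A /16 or longer prefix shares its first two octets, so one check suffices;
    shorter prefixes are walked one /16 at a time.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen >= 16:
        return in_dasher_scan_space(str(net.network_address))
    return any(
        in_dasher_scan_space(str(sub.network_address))
        for sub in net.subnets(new_prefix=16)
    )


def scan_space_fraction() -> float:
    """Fraction of all /16 networks that the generator can reach."""
    return (len(DASHER_OCTETS) ** 2) / (256 * 256)


if __name__ == "__main__":
    for cidr in ("58.0.0.0/8", "80.85.0.0/16", "10.0.0.0/8", "192.168.0.0/16"):
        print(cidr, "targeted" if network_in_scan_space(cidr) else "not targeted")
    print(f"{len(DASHER_OCTETS)} octets, {scan_space_fraction():.2%} of /16 space")
```

The list expands to 34 octet values, so under the independence assumption the scanner can reach 34 × 34 = 1156 of the 65536 possible /16 networks, a little under 2% of the address space; the C2 server's own network (202.240.0.0/16) is not among them.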
To find vulnerable systems, Dasher sends its exploit code to TCP 1025 in an attempt to open a shell via the MSDTC vulnerability. If successful, the worm instructs the infected machine to connect to 202.240.219.143, where it would presumably receive commands from the worm’s author.
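An added detection example, not part of the original write-up, that turns the indicators given on this page into host and network checks: the Run-key autostart entry pointing at Temp\Sqltob.exe, outbound connections to the command server 202.240.219.143, connections to the FTP server 159.226.153.2 on TCP 21211 that the write-up lists for later versions, and one source fanning out to many destinations on TCP 1025 (the exploit port). The log line format, the sample log, the sample Run-key values and the fan-out threshold are all constructed for the example; the write-up gives no port for the command server, so that indicator matches on the address alone.

```python
"""Added example: Dasher indicators run over constructed sample data.

Indicators come from the write-up: the Run-key entry, the command server,
the FTP server and port, and exploit traffic to TCP 1025. Everything else
(log format, sample events, threshold) is constructed for illustration.
"""
import re
from collections import defaultdict

C2_SERVER = "202.240.219.143"          # from the write-up; no port is given
FTP_SERVER = ("159.226.153.2", 21211)  # from the write-up
EXPLOIT_PORT = 1025                    # from the write-up
FANOUT_THRESHOLD = 5                   # assumption: distinct 1025/tcp targets per source

# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample: 10.0.0.7 behaves like an infected host, 10.0.0.9 is benign.
SAMPLE_LOG = """\
2005-12-15T10:00:01 10.0.0.7:3301 -> 58.61.2.9:1025 tcp
2005-12-15T10:00:01 10.0.0.7:3302 -> 58.61.2.10:1025 tcp
2005-12-15T10:00:01 10.0.0.7:3303 -> 58.61.2.11:1025 tcp
2005-12-15T10:00:02 10.0.0.7:3304 -> 80.84.7.1:1025 tcp
2005-12-15T10:00:02 10.0.0.7:3305 -> 80.84.7.2:1025 tcp
2005-12-15T10:00:02 10.0.0.7:3306 -> 80.84.7.3:1025 tcp
2005-12-15T10:00:05 10.0.0.7:3307 -> 202.240.219.143:1234 tcp
2005-12-15T10:00:09 10.0.0.7:3308 -> 159.226.153.2:21211 tcp
2005-12-15T10:01:00 10.0.0.9:40001 -> 93.184.216.34:443 tcp
2005-12-15T10:01:01 10.0.0.9:40002 -> 10.0.0.12:1025 tcp
"""

# Constructed dump of HKLM\...\CurrentVersion\Run values (name -> data).
SAMPLE_RUN_KEY = {
    "Windows Update": r"C:\WINDOWS\Temp\Sqltob.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}


def match_autostart(run_values: dict) -> list:
    """Return Run-key value names whose data is a Sqltob.exe under a Temp directory."""
    hits = []
    for name, data in run_values.items():
        normalized = data.lower().replace("/", "\\")
        if normalized.endswith("\\temp\\sqltob.exe"):
            hits.append(name)
    return hits


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            yield ev


def detect_network(text: str) -> dict:
    """Flag sources talking to the C2 or FTP server, or scanning TCP 1025."""
    alerts = {"c2": [], "ftp": [], "scanners": []}
    fanout = defaultdict(set)  # source -> distinct destinations on 1025/tcp
    for ev in parse_log(text):
        if ev["dst"] == C2_SERVER and ev["src"] not in alerts["c2"]:
            alerts["c2"].append(ev["src"])
        if (ev["dst"], ev["dport"]) == FTP_SERVER and ev["src"] not in alerts["ftp"]:
            alerts["ftp"].append(ev["src"])
        if ev["proto"] == "tcp" and ev["dport"] == EXPLOIT_PORT:
            fanout[ev["src"]].add(ev["dst"])
    for src, dsts in fanout.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts["scanners"].append(src)
    return alerts


if __name__ == "__main__":
    print("autostart hits:", match_autostart(SAMPLE_RUN_KEY))
    print("network alerts:", detect_network(SAMPLE_LOG))
```

The fan-out rule is the one that keeps working if the author changes server addresses: an ordinary workstation has little reason to open connections to many distinct hosts on TCP 1025 in a few seconds, while the worm's scanner does exactly that inside the address ranges listed above.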
Later versions of the worm use the same server address to await commands but expand the functionality of the worm itself. A separate FTP server address, 159.226.153.2 (on TCP 21211), is added.
References
Microsoft Security Bulletin MS05-051 http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
Copyright © 2005 infectionvectors.com. All rights reserved.