
Win32.Worm.Dabber.A

MEDIUM
LOW
29696 bytes (packed)
(W32/Dabber-A (Sophos))

Symptoms

Presence of package.exe in the folders "c:\Documents and Settings\All Users\Start Menu\Programs\Startup", "%windir%\All Users\Main menu\Programs\StartUp" and "%system32%", and in the process list.

Presence, in the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run", of a value named "sassfix" pointing to "%system32%\packer.exe".

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL], or [CTRL]+[SHIFT]+[ESCAPE] on Win2000/XP
* in the Processes tab, select package.exe and use End Process
* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]
* remove the sassfix value from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key
* delete the files enumerated in the Symptoms section

Automatic removal: let BitDefender disinfect infected files
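The symptom checks and the manual removal steps above, as a PowerShell script for an elevated prompt (an added example, not Bitdefender's tooling); the paths are those named in the Symptoms section, with %windir% and %system32% expanded from environment variables.

```powershell
# Added example (not Bitdefender's code): check a host for the Dabber.A
# indicators listed above and, with -Remove, apply the manual removal steps.
[CmdletBinding()]
param([switch]$Remove)

# File locations from the Symptoms section, %windir% / %system32% expanded.
$dropPaths = @(
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe',
    (Join-Path $env:windir 'All Users\Main menu\Programs\StartUp\package.exe'),
    (Join-Path $env:SystemRoot 'System32\package.exe')
)
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'sassfix'
$found    = $false

# 1. Running process (the page lists package.exe in the process list).
$procs = Get-Process -Name 'package' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $found = $true
    Write-Warning "process package.exe running (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }   # the 'End Process' step
}

# 2. Start-up value. Flag it whatever it points to: the page shows it
#    referencing packer.exe while the dropped file is package.exe.
$item = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($item) {
    $found = $true
    Write-Warning "Run value '$runValue' present, data: $($item.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 3. Dropped copies in the three folders (process already stopped above,
#    so the files are no longer locked when -Remove is used).
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path) {
        $found = $true
        Write-Warning "file present: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

if (-not $found)  { Write-Host 'No Win32.Worm.Dabber.A indicators found.' }
elseif ($Remove)  { Write-Host 'Removal steps applied; re-run without -Remove to verify.' }
```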

Analyzed By

Mircea Ciubotariu, BitDefender Virus Researcher

Technical Description:

When run, the worm tries to copy itself into the three folders listed above, then creates a mutex named "sas4dab" in order to avoid reinfection.

After that it tries to remove the following registry entries:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\(Default)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Video
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avserve
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avvserrve32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avvserrve32
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsasss
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvsys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll.exe

and all of the following values, by name:
Microsoft Update
windows
Windows Drive Compatibility
Generic Host Service
skynetave.exe
navapsrc.exe
lsasss.exe
drvddll.exe
ssgrate.exe
WinMsrv32
soundcontrl
System Updater Service
BagleAV
MapiDrv
SkynetRevenge
TempCom
Video Process
Window

from each of the following keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices