Win32.Worm.Dabber.A (W32/Dabber-A (Sophos))
SYMPTOMS:

Presence of package.exe in the folders "c:\Documents and Settings\All Users\Start Menu\Programs\Startup", "%windir%\All Users\Main menu\Programs\StartUp" and "%system32%", and in the process list.

Presence in the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of the value "sassfix" pointing to "%system32%\packer.exe".

TECHNICAL DESCRIPTION:

When run, the worm tries to copy itself into the three folders listed above, then creates a mutex called "sas4dab" so that only one copy runs at a time (avoiding reinfection).

After that it tries to remove the following registry keys (start-up entries used by other worms, so that competing infections are evicted from the host):

* HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\(Default)
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Video
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avserve
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avvserrve32
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avvserrve32
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsasss
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsys
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvsys
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll.exe
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll.exe

It also removes all of the following value names:

* Microsoft Update
* windows
* Windows Drive Compatibility
* Generic Host Service
* skynetave.exe
* navapsrc.exe
* lsasss.exe
* drvddll.exe
* ssgrate.exe
* WinMsrv32
* soundcontrl
* System Updater Service
* BagleAV
* MapiDrv
* SkynetRevenge
* TempCom
* Video Process
* Window

from the following keys:

* HKLM\Software\Microsoft\Windows\CurrentVersion\Run
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
* HKCU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL], or [CTRL]+[SHIFT]+[ESCAPE] on Win2000/XP
* use End Process in the Processes tab on package.exe
* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]
* remove the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sassfix registry value
* delete the files enumerated in the SYMPTOMS section

Automatic removal: let BitDefender disinfect the infected files.

ANALYZED BY: Mircea Ciubotariu, BitDefender Virus Researcher
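The symptoms above can be turned into a host check. The following is an added example, not BitDefender's tool: it scans a snapshot of the Run key, the file system and the process list for the indicators given in this description (the Run value "sassfix", package.exe in the three listed folders, package.exe as a running process). Since the description gives the Run target as packer.exe and the dropped file as package.exe, both spellings are accepted; the snapshot data below is constructed, and on a live host it would be filled from winreg, os.listdir and the process list.

```python
import ntpath

# Indicators copied from the description above (the Run value data is given
# there as packer.exe while the dropped file is package.exe; both are checked).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "sassfix"
DROPPED_FILE = "package.exe"
RUN_TARGETS = {"packer.exe", DROPPED_FILE}
STARTUP_DIRS = {d.lower() for d in (
    r"c:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"%windir%\All Users\Main menu\Programs\StartUp",
    r"%system32%",
)}

def scan_snapshot(run_values, files, processes):
    """Return a list of findings (empty means no Dabber.A indicator seen).

    run_values: {value_name: data} read from the HKLM Run key
    files:      full paths present on the host (unexpanded %vars% are fine)
    processes:  image names from the process list
    """
    findings = []
    # Registry value names are case-insensitive, so normalise before lookup.
    run = {name.lower(): data for name, data in run_values.items()}
    if RUN_VALUE in run:
        data = run[RUN_VALUE]
        target = ntpath.basename(data.strip('"')).lower()
        note = "expected target" if target in RUN_TARGETS else "unexpected target"
        findings.append(f"{RUN_KEY}\\{RUN_VALUE} = {data} ({note})")
    for path in files:
        folder, name = ntpath.split(path)
        if name.lower() == DROPPED_FILE and folder.lower() in STARTUP_DIRS:
            findings.append(f"dropped file {path}")
    for image in processes:
        if image.lower() == DROPPED_FILE:
            findings.append(f"running process {image}")
    return findings

# Constructed snapshot of an infected host, used for the stand-alone run.
SAMPLE_RUN = {"SassFix": r"C:\WINDOWS\system32\packer.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [
    r"%system32%\package.exe",
    r"c:\Documents and Settings\All Users\Start Menu\Programs\Startup\package.exe",
    r"C:\Program Files\Tools\package.exe",   # outside the listed folders: ignored
]
SAMPLE_PROCS = ["explorer.exe", "PACKAGE.EXE"]

if __name__ == "__main__":
    for line in scan_snapshot(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_PROCS):
        print(line)
```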