Win32.HLLW.Dabber

(ADSPY/Mirar.G.1, Net-Worm.Win32.Dabber.c, Backdoor:Win32/Sdbot, PAK_Generic.001, Worm/Generic.JP, Email-Worm.Win32.Svoy.a, WORM_DABBER.C, Worm/Svoy.C, Generic.dx, W32/Svoy.worm.gen, Win32/Malagent, Worm/Generic.JO, I-Worm/Svoy.C, WORM_DABBER.A, Worm/Daper.A, Generic.SBB, I-Worm/Svoy.A, Win32/Dabber.C, Worm/Dabber.A, Net-Worm.Win32.Dabber.a, Worm.Rubank.B, Worm.Win32.Dabber.a, Worm.Dabber.A, WORM_DAPER.A, Win32.Worm.Dabber.A, Win32.Svoy.A@mm)

Added to the Dr.Web virus database: 2004-05-14

Description

Win32.HLLW.Dabber is an Internet worm which affects computers running Windows 95/98/Me/NT/2000/XP. The worm is written in Microsoft Visual C++ and is packed with UPX.
The packed size of the worm is 29,696 bytes.

The worm propagates only to computers previously infected with Sasser.
Once in a system, the worm opens TCP port 9898 as a backdoor, which leaves the system open to remote compromise.
It also deletes many registry values created by other malicious programs.

Launching

To secure its automatic execution at every Windows startup the worm sets the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
sassfix = %SysDir%\package.exe

Spreading

In search of computers infected with Sasser the worm scans subnets on port TCP/5554, the port on which Sasser's built-in FTP server listens. To penetrate an already infected system the worm exploits a vulnerability in that FTP server; machines that were never infected by Sasser are therefore not attacked.

Action

When run, the worm drops a copy of itself named package.exe into the System folder (C:\Windows\System on Windows 9x/Me, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP) and into C:\Documents and Settings\All Users\Start Menu\Programs\Startup.

To avoid running more than one copy of itself on the same machine, the worm creates a mutex named sas4dab.

Having infected a system, the worm opens TCP port 9898. This open backdoor compromises the system and lets a remote attacker perform actions not authorized by its legitimate user.

Once in a system, the worm deletes registry values created by other malicious programs.

  • It deletes the values
    avserve
    avserve2.exe
    avvserrve32
    BagleAV
    drvddll.exe
    Drvddll.exe
    Drvddll_exe
    drvsys
    drvsys.exe
    Generic Host Service
    Gremlin
    lsasss
    lsasss.exe
    MapiDrv
    Microsoft Update
    navapsrc.exe
    skynetave.exe
    SkynetRevenge
    soundcontrl
    ssgrate
    ssgrate.exe
    System Updater Service
    Taskmon
    TempCom
    Video
    Video Process
    Window
    windows
    Windows Drive Compatibility
    WinMsrv32

    from the registry keys
    HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
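As an added example (this is not Dr.Web's code and not part of the original description), the following Python script turns the indicators above into a host check: it looks for the sassfix / package.exe persistence value in a reg.exe export of the HKLM Run key, for a process listening on TCP/9898, and for a process attempting TCP/5554 connections to several distinct hosts, which is the Sasser-victim scan described under Spreading. The registry export and the netstat -ano rows are constructed sample data, the PIDs and addresses are made up, and the threshold of three distinct targets for the scanning check is an assumption. The sas4dab mutex is not checked, since that needs a handle listing from a live Windows host.

```python
import re
from collections import defaultdict

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "sassfix"
DROPPED_FILE = "package.exe"
BACKDOOR_PORT = 9898      # port the worm listens on after infection
SASSER_FTP_PORT = 5554    # port the worm scans for Sasser's FTP server
MIN_SCAN_TARGETS = 3      # assumption: this many distinct 5554 targets from one PID = scanning

# Constructed sample input (not captured from a real host): a reg.exe export of the
# Run key and a few rows of "netstat -ano" output from a freshly infected machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sassfix"="C:\\WINDOWS\\System32\\package.exe"
"""

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:9898           0.0.0.0:0              LISTENING       1528
  TCP    192.168.1.10:1041      192.168.1.20:5554      SYN_SENT        1528
  TCP    192.168.1.10:1042      192.168.1.21:5554      SYN_SENT        1528
  TCP    192.168.1.10:1043      192.168.1.22:5554      SYN_SENT        1528
  TCP    192.168.1.10:1044      192.168.1.23:5554      SYN_SENT        1528
  TCP    192.168.1.10:1045      192.168.1.24:5554      ESTABLISHED     1528
  TCP    192.168.1.10:1100      10.0.0.5:80            ESTABLISHED     2004
"""

# "name"="string data" line of a reg.exe export; quotes and backslashes are escaped with '\'.
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Parse the [key] and "name"="string" lines of a reg.exe export.

    Returns {key: {value_name: data}}. The export format doubles backslashes
    inside strings; they are collapsed back to single ones here.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _REG_VALUE.match(line)
            if m:
                name, data = (g.replace("\\\\", "\\") for g in m.groups())
                keys[current][name] = data
    return keys


def check_run_key(reg):
    """Flag the persistence value the worm writes under the HKLM Run key."""
    findings = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_FILE):
                findings.append(f"Run value {name} = {data}")
    return findings


def parse_netstat(text):
    """Parse "netstat -ano" TCP rows into (local_ip, local_port, remote_ip, remote_port, state, pid)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport), state, int(pid)))
    return rows


def check_backdoor_listener(conns):
    """Flag any process listening on the worm's backdoor port."""
    return [f"PID {pid} listening on TCP/{lport}"
            for (_, lport, _, _, state, pid) in conns
            if state == "LISTENING" and lport == BACKDOOR_PORT]


def check_sasser_scan(conns, min_targets=MIN_SCAN_TARGETS):
    """Flag a process with outbound TCP/5554 attempts to several distinct hosts:
    that is the scan for Sasser victims described in the Spreading section."""
    targets = defaultdict(set)
    for (_, _, rip, rport, state, pid) in conns:
        if rport == SASSER_FTP_PORT and state in ("SYN_SENT", "ESTABLISHED"):
            targets[pid].add(rip)
    return [f"PID {pid} attempted TCP/{SASSER_FTP_PORT} on {len(hosts)} hosts"
            for pid, hosts in sorted(targets.items()) if len(hosts) >= min_targets]


def run_checks(reg_text, netstat_text):
    """Run all checks and return the list of findings (empty list = no indicators)."""
    reg = parse_reg_export(reg_text)
    conns = parse_netstat(netstat_text)
    return check_run_key(reg) + check_backdoor_listener(conns) + check_sasser_scan(conns)


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT):
        print("[!]", finding)
```

On a real host the two inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and `netstat -ano`; the sample run reports the sassfix value, the 9898 listener and the five 5554 connection attempts, all from the same PID, which is the package.exe process to collect before cleaning.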