Name: Worm.Win32.Dabber. Category: Viruses Description: Details Worm.Win32.Dabber.a This worm spreads via the Internet using a vulnerability in the FTP component of Worm.Win32.Sasser. The worm itself is a Windows PE EXE file, 29696 bytes in size, packed using UPX. Installation When installing, the worm copies itself to the Windows system directory under the name package.exe c:Documents and SettingsAll UsersStart MenuProgramsStartup %windir%All UsersMain menuProgramsStartUp The worm registers this file in the system registry auto-run key: HKLMSoftwareMicrosoftWindowsCurrentVersionRun "sassfix"="%System%package.exe" The worm searches the system registry for keys installed by Sasser and deletes them. avserve2.exe avvserrve32 avserve skynetave.exe and deletes them. It also searches for and deletes keys installed by other worms: Video Microsoft Update Drvddll.exe Drvddll_exe drvsys drvsys.exe ssgrate ssgrate.exe lsasss lsasss.exe Taskmon Gremlin Window Video Process TempCom SkynetRevenge MapiDrv BagleAV System Updater Service soundcontrl WinMsrv32 drvddll.exe navapsrc.exe Generic Host Service Windows Drive Compatibility windows The worm scans networks for random IP addresses, searching for victim machines which have the ftp component of Sasser installed on port 5554. When the worm finds a suitable victim machine, it sends a vulnerability exploit to it to infect the system. It then launches the command shell on port 8967. It also installs a backdoor on port 9898 to receive external commands.