
Win32.Worm.Dabber.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Dabber.A is also known as W32/Dabber-A (Sophos).

Explanation:

When run, the worm tries to copy itself into three folders (the original entry lists them before this paragraph; that list is missing from this copy), then creates a mutex named "sas4dab" so that a second copy of the worm will not run on an already infected host.

After that it tries to delete the following registry values (the first is the default value of a COM server registration, the rest are autorun entries under the Run keys):
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\(Default)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Video
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avserve
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avvserrve32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avvserrve32
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsasss
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ssgrate
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvsys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Drvddll.exe

It then deletes every value whose name is one of the following strings (these are autorun entries used by other worms, so Dabber is removing competing infections from the host):
Microsoft Update
windows
Windows Drive Compatibility
Generic Host Service
skynetave.exe
navapsrc.exe
lsasss.exe
drvddll.exe
ssgrate.exe
WinMsrv32
soundcontrl
System Updater Service
BagleAV
MapiDrv
SkynetRevenge
TempCom
Video Process
Window

from each of the following keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (printed as HKCU\.DEFAULT in the original entry; the .DEFAULT subtree lives under HKEY_USERS)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
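The two lists above are a usable triage signal: on a host where the worms Dabber competes with are present, these value names appear in the Run keys, and on a host where Dabber has already run they will have been removed. The script below is an added example written for this page, not BitDefender's code. It parses the text produced by `reg export` (a constructed sample export is embedded) and reports every value in the four Run keys whose name is on Dabber's deletion list. Two assumptions the entry does not state: the original's "HKCU\.DEFAULT" is read as HKEY_USERS\.DEFAULT, and value names are matched without regard to case.

```python
import re

# Value names Dabber deletes (both lists from the entry above, merged).
REMOVED_VALUE_NAMES = {
    "Gremlin", "TaskMon", "Video", "avserve", "avvserrve32", "avserve2.exe",
    "lsasss.exe", "lsasss", "ssgrate.exe", "ssgrate", "drvsys.exe", "drvsys",
    "Drvddll_exe", "Drvddll.exe",
    "Microsoft Update", "windows", "Windows Drive Compatibility",
    "Generic Host Service", "skynetave.exe", "navapsrc.exe", "drvddll.exe",
    "WinMsrv32", "soundcontrl", "System Updater Service", "BagleAV", "MapiDrv",
    "SkynetRevenge", "TempCom", "Video Process", "Window",
}
_REMOVED_LOWER = {n.lower() for n in REMOVED_VALUE_NAMES}

# The four Run keys in the long hive names that `reg export` writes.
# Assumption: the entry's "HKCU\.DEFAULT" means HKEY_USERS\.DEFAULT.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
}
_RUN_KEYS_LOWER = {k.lower() for k in RUN_KEYS}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"=data  or  @=data (the key's default value)
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ data (quoted) is unescaped; hex:/dword: data is kept raw and
    continuation lines of multi-line hex values are ignored.
    """
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_worm_autoruns(reg_text: str) -> list:
    """Return sorted (key, value_name, data) for every value in the four Run
    keys whose name is on Dabber's deletion list, i.e. a persistence entry of
    one of the worms Dabber removes. Other keys (e.g. RunOnce) are ignored."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() not in _RUN_KEYS_LOWER:
            continue
        for name, data in values.items():
            if name.lower() in _REMOVED_LOWER:
                hits.append((key, name, data))
    return sorted(hits)


# Constructed sample export (not from a real host). The RunOnce entry is
# deliberately outside the four keys Dabber touches and must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Drive Compatibility"="C:\\WINDOWS\\System32\\ssgrate.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"lsasss.exe"="C:\\WINDOWS\\lsasss.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_worm_autoruns(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {data}")
```

A real export is written by `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and is UTF-16 with a BOM, so open it with `encoding="utf-16"` before passing the text in. The "sas4dab" mutex is a separate, live-host indicator and cannot be checked from an exported hive.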

Last update 21 November 2011
