Dasher

Type: Internet Worm
Creator:
Date Discovered: 2005.12.15
Place of Origin: China
Source Language:
Platform: MS Windows
File Type(s): exe
Infection Length:
Reported Costs:

The Dasher worm, named after one of Santa's reindeer, first appeared over a week before Christmas in 2005. Coding problems in the original version and an unavailable server in China prevented it from spreading, but later variants were a bit more successful.

Behavior

The worm scans for systems that are not patched for vulnerabilities in MSDTC and COM+ that allow remote code execution. If it finds a system responding to a TCP SYN scan, it sends its exploit code. The code instructs the system to connect to the IP address 222.240.219.143, a defunct Chinese server, and wait for commands. The server may instruct the system to download and run the worm dropper.

Dasher's dropper is a self-extracting RAR archive that drops the files SqlExp.exe, Sqlrep.exe, SqlScan.exe and Sqltob.exe into a temporary folder in the Windows System Folder. Sqltob.exe is Dasher's main file. Sqlrep.exe is a utility called "Replace Commander". SqlScan.exe is a port scan utility, and SqlExp.exe is a component used in exploiting MSDTC.

When the main file is run, it adds the value "Windows Update = (Windows System Folder)\Temp\Sqltob.exe" to the local machine registry key that ensures that the worm runs when the computer is started.

The worm may also add the files Result.txt and SqlScan.bat to the temporary folder, which are used in exploiting.
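
The artifacts described in this section can be combined into a host triage check. The Python below is an added example, not code from this wiki or from any vendor; the function names, the snapshot format and the default `C:\Windows\System32` location for the Windows System Folder are assumptions, and the sample data is constructed.

```python
import ntpath

# Indicators taken from the description above.
DROPPED = {"sqlexp.exe", "sqlrep.exe", "sqlscan.exe", "sqltob.exe"}
WORK_FILES = {"result.txt", "sqlscan.bat"}
AUTORUN_NAME, MAIN_FILE = "windows update", "sqltob.exe"
CONTACT_IP = "222.240.219.143"

def in_system_temp(path, system_dir):
    """True if path sits directly in <system_dir>\\Temp (case-insensitive)."""
    parent = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    temp = ntpath.normcase(ntpath.normpath(ntpath.join(system_dir, "Temp")))
    return parent == temp

def triage(files, autoruns, remote_ips, system_dir=r"C:\Windows\System32"):
    """Return (indicator, detail) findings for one host snapshot.
    files: full paths; autoruns: {value name: command}; remote_ips: set of
    remote addresses from connection logs. system_dir is an assumed path."""
    findings = []
    names = {ntpath.basename(p).lower() for p in files
             if in_system_temp(p, system_dir)}
    dropped = sorted(names & DROPPED)
    if dropped:
        findings.append(("dropped_files", dropped))
    # Result.txt and SqlScan.bat are generic names: count them only
    # when they sit beside at least one of the dropped executables.
    work = sorted(names & WORK_FILES)
    if dropped and work:
        findings.append(("work_files", work))
    for name, command in autoruns.items():
        target = command.strip().strip('"')
        if (name.lower() == AUTORUN_NAME
                and in_system_temp(target, system_dir)
                and ntpath.basename(target).lower() == MAIN_FILE):
            findings.append(("autorun", command))
    if CONTACT_IP in remote_ips:
        findings.append(("contact_ip", CONTACT_IP))
    return findings

# Constructed sample snapshot (not real telemetry).
SAMPLE_FILES = [r"C:\Windows\System32\Temp\Sqltob.exe",
                r"C:\WINDOWS\system32\temp\SQLSCAN.EXE",
                r"C:\Windows\System32\Temp\Result.txt",
                r"C:\Users\a\Result.txt"]
SAMPLE_AUTORUNS = {"Windows Update": r"C:\Windows\System32\Temp\Sqltob.exe"}
```

Matching on the folder as well as the file name keeps a legitimate "Windows Update" autorun entry or an unrelated Result.txt from raising a finding.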

Variants

Later variants of Dasher terminated some security processes and/or installed keystroke loggers.

Known Damage

Dasher infected at least 3,000 systems worldwide in 2005.

