|Place of Origin||China|
The Dasher worm, named after one of Santa's Reindeer, first appeared over a week before Christmas in 2005. Coding problems in the original version and a server in China that later became unavailable prevented it from spreading, but later variants were a bit more successful.
The worm scans for systems that are not patched for vulnerabilities in MSDTC and COM+, which allow remote code execution. If it finds a system responding to a TCP SYN scan, it sends its exploit code. The code instructs the system to the IP address 220.127.116.11, a defunct Chinese server, and wait for commands. The server may instruct the system to download and run the worm dropper.
Dasher's dropper is a self-extracting RAR archive, which drops the files SqlExp.exe, Sqlrep.exe, SqlScan.exe and Sqltob.exe into a temporary folder in the Windows System Folder. Sqltob.exe is the Dasher's main file. Sqlrep.exe is utilty called "Replace Commander". SqlScan.exe is a port scan utilty and SqlExp.exe is a component that is used in MSDTC exploiting.
When the main file is run, it adds the value "Windows Update = (Windows System Folder)\Temp\Sqltob.exe" to the local machine registry key that ensures that the worm runs when the computer is started.
The worm may also add the files Result.txt and SqlScan.bat to the temporary folder, which are used in exploiting.
Later variants of Dasher terminated some security processes and/or installed keystroke loggers. They also did not rely on a server to spread.
Dasher was reported to have infected at least 3,000 systems around the world in 2005.
John Leyden. The Register, "Dasher Worm Targets October Windows Vuln". 2005.12.15
Louisa Hearn. The Sydney Morning Herald, "Dasher's Sleigh Delivers a Can of Worms" . 2005.12.19
Dawn Kawamoto. CNET News, "Dasher Worm Gallops onto the Net". 2005.12.16
F-Secure Virus Information, Dasher.A
Yana Liu. Symantec.com, W32.Dasher.A