Anything Forums

The Register Link

Dabber exploits Sasser flaw
By John Leyden (john.leyden@theregister.co.uk)
Published Friday 14th May 2004 10:50 GMT

Virus writers have created a worm that exploits coding flaws in the infamous Sasser worm to spread.

Dabber (http://www.lurhq.com/dabber.html) uses a flaw in the FTP server component of the Sasser worm. The worm will only infect users already infected by Sasser, according to security services firm LURHQ. "Even though we have seen worms utilize backdoors left behind by other worms, this is the first time we have seen a worm using a vulnerability in another worm in order to propagate," it said.

Worms like Doomjuice and Deadhat exploited the back doors opened by the MyDoom virus to spread (http://www.theregister.co.uk/2004/02/10 ... doom_back/) but using flaws in virus code to propagate other malicious code is a significant departure. Dabber, first spotted yesterday, is spreading, but only to a modest extent, possibly because the spreading mechanism is quite complex.

Dabber scans for Sasser-infected hosts on port 5554. When it finds infected PCs it uses code from a Sasser-FTP exploit developed by "mandragore" of the Romanian Security Research team to seize control of PCs. Dabber than installs itself and deletes the registry keys of Sasser and other viruses. It creates a backdoor on infected machines on TCP port 9898 allowing hackers to download additional code, which might be far more malicious than Dabber itself.

To remove Dabber LURHQ advises users to kill the package.exe process using the Windows Task Manager. Remove the "sassfix" registry key. Delete package.exe from the Windows system directory and all start-up folders. Anti-virus vendors are in the process of developing signature updates to automatically detect and remove the worm. ®

Archived topic from Iceteks, old topic ID:2316, old post ID:19653

That is kind of funny, a security flaw in a worm. hahaha so now other worms can exploit worms. LOL

Archived topic from Iceteks, old topic ID:2316, old post ID:19773

oh the insaneity of it all?
the gov's of the world are sending out worms to infect the virus writers computers which will drop their own firewalls to let all the other worms from other writers come in and mess up their computers.

but they virus writers dont see that coming and keep on writting their evil worms and virus's .

whats that you say?? they can not track one person backwards on the net?? bahahhaha :laughalien.gif:

they just showed on the local news here how some one in another state got or almost got ripped off. they sold things on the internet to some one in nigeria, and they sent a check to the sellers bank. the bank told them the person sent 31.200 dollars the items did not cost that much so the seller sent the over amount back to the bank in london that had cashed the check, just then sellers bank had sent a message to the seller that the check was a fake not to send the money or the items, the london bank held the money but could not send it back to her as some sort of proof from someplace else or some such nonsense was needed.

so the seller contacted a p.eye, and they got on the net and used some secret gov software to track the emails until they found the person that sent them, even though he was in another country and spoofed the locations the email was sent from.
they found him is the main point one person in the www, they sent the seller the money back some 27,000 dollars and the seller never sent the items so they were lucky i guess.

so that what was said to be impossible to do was done.

they can find you they will find you they know where your at they know what you had for dinner every day the last year.

we know who you are.

Archived topic from Iceteks, old topic ID:2316, old post ID:19821