Dabber worm detected (TCP_Dabber_Sweep)

About this signature or vulnerability

RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE Agent for Server, BlackICE PC Protection, Proventia Desktop, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS:

This signature detects a TCP sweep of a subnet for open Sasser ports (TCP port 5554). This indicates that the Dabber worm is scanning for Sasser-infected hosts to infect. This signature has a 5-minute delay due to TCP service sweep false-positive handling. The delay can be removed by setting pam.tcp.sweep.syn=true. The event detail 'victim-ip-addr' indicates the subnets being scanned, rather than a single destination IP address.


Default risk level

Medium

Sensors that have this signature

RealSecure Server Sensor: XPU 22.31, RealSecure Network: XPU 22.31, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cpa, BlackICE Agent for Server: 3.6eof, BlackICE PC Protection: 3.6cpa, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Network IDS: XPU 22.31, Proventia-G 1.1 and earlier: XPU 22.31, Proventia Network MFS: XPU 1.29, RealSecure Desktop: baseline

Systems affected

Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Unauthorized Access Attempt

Vulnerability description

Dabber is an Internet worm that exploits a stack-based buffer overflow in a system infected with the Sasser worm. Dabber propagates by scanning for Sasser-infected hosts on TCP port 5554. Dabber installs itself and deletes the registry keys of Sasser and other viruses. The worm creates a backdoor on TCP port 9898, allowing a client system to connect. A remote attacker can gain unauthorized access to the system. Dabber has been detected.
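As an added illustration of what the signature above looks for (a single source touching many hosts of one subnet on TCP 5554 inside a short window, reported per subnet rather than per destination) and of the backdoor port named in this description, the following Python script runs a small flow-based detector over constructed connection records. It is written for this page and is not ISS/Proventia code; the record format, the 300-second window, the eight-host threshold and every IP address are assumptions chosen for the example.

```python
"""Toy Dabber-style sweep and backdoor detector over constructed flow records.

Not ISS/Proventia code. Record format 'ts src dst dport', the 300 s window,
the 8-host threshold and all addresses are assumptions for this example.
"""
from collections import defaultdict
from ipaddress import ip_network

SASSER_FTP_PORT = 5554        # port Dabber sweeps for (from the advisory)
DABBER_BACKDOOR_PORT = 9898   # port the Dabber backdoor listens on (from the advisory)
SWEEP_WINDOW_SECONDS = 300    # assumption: mirrors the signature's 5-minute hold
SWEEP_HOST_THRESHOLD = 8      # assumption: distinct hosts before we call it a sweep

# Constructed sample: 10.0.0.5 sweeps 192.168.1.1-10 on 5554, later reaches a
# backdoor on 9898; 10.0.0.7 makes one benign 5554 connection; 10.0.0.9 is a
# slow scanner that never exceeds the threshold inside one window.
SAMPLE_FLOWS = """
100 10.0.0.5 192.168.1.1 5554
101 10.0.0.5 192.168.1.2 5554
102 10.0.0.5 192.168.1.3 5554
103 10.0.0.5 192.168.1.4 5554
104 10.0.0.5 192.168.1.5 5554
105 10.0.0.5 192.168.1.6 5554
106 10.0.0.5 192.168.1.7 5554
107 10.0.0.5 192.168.1.8 5554
108 10.0.0.5 192.168.1.9 5554
109 10.0.0.5 192.168.1.10 5554
110 10.0.0.7 192.168.1.1 5554
111 10.0.0.7 192.168.1.20 80
0   10.0.0.9 192.168.2.1 5554
200 10.0.0.9 192.168.2.2 5554
400 10.0.0.9 192.168.2.3 5554
500 10.0.0.5 192.168.1.3 9898
"""


def parse_flow(line):
    """Parse one constructed 'ts src dst dport' record into a dict."""
    ts, src, dst, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)}


def load_flows(text):
    """Parse all non-empty lines of the constructed record text."""
    return [parse_flow(ln) for ln in text.splitlines() if ln.strip()]


def detect_sweeps(flows, window=SWEEP_WINDOW_SECONDS, threshold=SWEEP_HOST_THRESHOLD):
    """Return one alert per source that hit >= threshold distinct hosts on 5554
    within `window` seconds.  Like the signature's 'victim-ip-addr', the alert
    names the /24 subnet(s) scanned rather than a single destination."""
    per_src = defaultdict(list)               # src -> [(ts, dst), ...]
    for f in flows:
        if f["dport"] == SASSER_FTP_PORT:
            per_src[f["src"]].append((f["ts"], f["dst"]))

    alerts = []
    for src, events in per_src.items():
        events.sort()
        best = None                           # widest qualifying window seen
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= threshold and (best is None or len(hosts) > best[0]):
                best = (len(hosts), hosts, events[start][0], events[end][0])
        if best is not None:
            count, hosts, first_ts, last_ts = best
            subnets = sorted({str(ip_network(f"{h}/24", strict=False)) for h in hosts})
            alerts.append({"src": src, "hosts": count, "victim_subnets": subnets,
                           "first_ts": first_ts, "last_ts": last_ts})
    return alerts


def detect_backdoor(flows):
    """Return (src, dst) pairs for any connection to the Dabber backdoor port."""
    return [(f["src"], f["dst"]) for f in flows if f["dport"] == DABBER_BACKDOOR_PORT]


def analyze(text):
    """Run both detectors over constructed record text."""
    flows = load_flows(text)
    return detect_sweeps(flows), detect_backdoor(flows)


if __name__ == "__main__":
    sweeps, backdoors = analyze(SAMPLE_FLOWS)
    for a in sweeps:
        print(f"SWEEP {a['src']} -> {a['hosts']} hosts in {a['victim_subnets']} "
              f"(t={a['first_ts']}..{a['last_ts']})")
    for src, dst in backdoors:
        print(f"BACKDOOR {src} -> {dst}:{DABBER_BACKDOOR_PORT}")
```

The sliding window keeps the widest qualifying set of hosts per source, so a scanner that spreads its probes over several windows (10.0.0.9 above) stays below the threshold, which is the same trade-off behind the signature's 5-minute hold: a longer window catches slower sweeps at the cost of more delay before the event is raised.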

How to remove this vulnerability

Use an up-to-date antivirus program to determine if the target computer is host to this worm. If the program detects a worm, follow its instructions to disinfect and repair the computer.

References

LURHQ Web site
Dabber Worm Analysis
http://www.lurhq.com/dabber.html

ISS X-Force
Dabber worm detected
http://www.iss.net/security_center/static/16244.php