December 2005
AusCERT Update AU-2005.0022 - [Win] Dasher.A and Dasher.B worm targeting MSDTC and COM+ vulnerabilities (MS05-051)
ID: 01105
Ref: 1037/2005
Date: 16 December 2005 09:02:16
Version: 1
16 December 2005
AusCERT Update Summary
----------------------
Product:            Microsoft Windows 2000 SP 4 and prior
                    Microsoft Windows XP SP2 and prior
                    Microsoft Windows XP Professional x64 Edition
                    Microsoft Windows Server 2003 SP1 and prior
                    Microsoft Windows Server 2003 x64 Edition
Operating System:   Windows
Impact:             Administrator Compromise
                    Execute Arbitrary Code/Commands
                    Denial of Service
Access:             Remote/Unauthenticated
CVE Names:          CAN-2005-2119 CAN-2005-1979 CAN-2005-1978
Ref:                AU-2005.0021
                    AL-2005.0032
AusCERT would like to update members with further information regarding
exploits targeting the MS05-051 MSDTC vulnerability as outlined in AusCERT's
10 December 2005 bulletin, AU-2005.0021 [1].
The increased scanning activity to port 1025 appears to have started on 8
December and returned to normal levels on 12 December. Analysis [1] has shown
that the use of a centralised distribution point combined with the poor quality
of the exploit code limited the impact of this particular worm. The worm, now
called 'Dasher.A' by some anti-virus companies, is currently detected as
follows (output from virustotal.com):
Engine          Version         Updated     Result
AntiVir         6.33.0.61       12.15.2005  no virus found
Avast           4.6.695.0       12.15.2005  no virus found
AVG             718             12.15.2005  no virus found
Avira           6.33.0.61       12.15.2005  no virus found
BitDefender     7.2             12.15.2005  no virus found
CAT-QuickHeal   8.00            12.15.2005  (Suspicious) - DNAScan
ClamAV          devel-20051108  12.15.2005  no virus found
DrWeb           4.33            12.15.2005  Win32.HLLW.Dasher
eTrust-Iris     7.1.194.0       12.15.2005  Win32/SqlTob.85394!Trojan
eTrust-Vet      12.3.3.0        12.15.2005  no virus found
Fortinet        2.54.0.0        12.15.2005  suspicious
F-Prot          3.16c           12.15.2005  virus dropper
Ikarus          0.2.59.0        12.16.2005  no virus found
Kaspersky       4.0.2.24        12.15.2005  Exploit.Win32.MS05-051.b
McAfee          4651            12.15.2005  W32/Dasher.worm
NOD32v2         1.1325          12.15.2005  no virus found
Norman          5.70.10         12.15.2005  no virus found
Sophos          4.00.0          12.16.2005  no virus found
Symantec        8.0             12.16.2005  W32.Dasher.A
TheHacker       5.9.1.056       12.15.2005  no virus found
VBA32           3.10.5          12.15.2005  suspected of Trojan.StartPage.66
Additionally, there are now reports of a new worm using the same vulnerability,
known as Dasher.B. It exhibits the following behaviour:
- scans /16 networks for vulnerable hosts on TCP port 1025
- attempts to open a command shell to 222.240.219.143 on TCP port 53
- this shell attempts to open an FTP connection on TCP port 21211 to
  159.226.153.2 and install further malware
- may also connect to 202.104.237.216 on TCP port 80
- attempts to install a keystroke logging trojan
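A defender-side check for the behaviour listed above, added here as an example and not part of the AusCERT bulletin: it reads constructed netfilter-style connection log lines, flags any source that probes many hosts on TCP port 1025, and flags connections to the Dasher.B addresses and ports named in this update. The log line format, the field names and the 20-host scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Indicators this update gives for Dasher.B: (destination IP, TCP port) -> meaning.
DASHER_B_INDICATORS = {
    ("222.240.219.143", 53): "reverse command shell",
    ("159.226.153.2", 21211): "FTP download of further malware",
    ("202.104.237.216", 80): "secondary HTTP connection",
}
SCAN_PORT = 1025      # MSDTC endpoint probed by Dasher.A and Dasher.B
SCAN_THRESHOLD = 20   # assumed: distinct hosts hit on 1025 before calling it a scan
# Assumed log format: netfilter-style "SRC=a DST=b PROTO=TCP DPT=n" fields.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")

def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def detect_dasher(lines, threshold=SCAN_THRESHOLD):
    """Return {src: [finding, ...]} for sources showing Dasher-like behaviour."""
    scan_targets = defaultdict(set)     # src -> distinct hosts probed on SCAN_PORT
    indicator_hits = defaultdict(list)  # src -> matched Dasher.B indicators
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                    # unparseable lines are skipped, not fatal
        src, dst, dport = parsed
        if dport == SCAN_PORT:
            scan_targets[src].add(dst)
        label = DASHER_B_INDICATORS.get((dst, dport))
        if label and f"{label} ({dst}:{dport})" not in indicator_hits[src]:
            indicator_hits[src].append(f"{label} ({dst}:{dport})")
    findings = defaultdict(list)
    for src, targets in scan_targets.items():
        if len(targets) >= threshold:
            findings[src].append(f"scanned {len(targets)} hosts on TCP/{SCAN_PORT}")
    for src, hits in indicator_hits.items():
        findings[src].extend(hits)
    return dict(findings)

# Constructed sample log, not real traffic: 10.0.4.7 sweeps 40 neighbours on 1025 and
# then calls out to the Dasher.B shell host; 10.0.4.8 is ordinary DNS plus one RPC hit.
SAMPLE_LOG = [f"SRC=10.0.4.7 DST=10.0.0.{i} PROTO=TCP DPT=1025" for i in range(1, 41)]
SAMPLE_LOG += [
    "SRC=10.0.4.7 DST=222.240.219.143 PROTO=TCP DPT=53",
    "SRC=10.0.4.8 DST=10.0.0.53 PROTO=TCP DPT=53",
    "SRC=10.0.4.8 DST=10.0.2.9 PROTO=TCP DPT=1025",
    "malformed line that should be skipped",
]
```

Running `detect_dasher(SAMPLE_LOG)` reports only 10.0.4.7, with both the port-1025 sweep and the shell connection; the threshold should be tuned to what a normal host on the segment does with RPC endpoint traffic.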
One of the infection files for Dasher.B is currently detected as (output from
virustotal.com):
Engine          Version         Updated     Result
AntiVir         6.33.0.61       12.15.2005  no virus found
Avast           4.6.695.0       12.15.2005  no virus found
AVG             718             12.15.2005  no virus found
Avira           6.33.0.61       12.15.2005  no virus found
BitDefender     7.2             12.15.2005  BehavesLike:Win32.AV-Killer
CAT-QuickHeal   8.00            12.15.2005  (Suspicious) - DNAScan
ClamAV          devel-20051108  12.15.2005  no virus found
DrWeb           4.33            12.15.2005  no virus found
eTrust-Iris     7.1.194.0       12.15.2005  no virus found
eTrust-Vet      12.3.3.0        12.15.2005  no virus found
Fortinet        2.54.0.0        12.16.2005  no virus found
F-Prot          3.16c           12.15.2005  no virus found
Ikarus          0.2.59.0        12.16.2005  no virus found
Kaspersky       4.0.2.24        12.16.2005  Net-Worm.Win32.Reporter
McAfee          4651            12.15.2005  W32/Dasher.worm
NOD32v2         1.1325          12.15.2005  no virus found
Norman          5.70.10         12.15.2005  no virus found
Panda           8.02.00         12.15.2005  no virus found
Sophos          4.00.0          12.16.2005  W32/Dasher-B
Symantec        8.0             12.16.2005  W32.Dasher.B
TheHacker       5.9.1.056       12.15.2005  no virus found
VBA32           3.10.5          12.15.2005  no virus found