Dabber worm detected (TCP_Dabber_Sweep)

About this signature or vulnerability

RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects a TCP sweep of a subnet for hosts listening on TCP port 5554, the FTP server that the Sasser worm installs on the machines it infects. A sweep of this port indicates that the Dabber worm is scanning for Sasser-infected hosts to infect. Because the sensor applies TCP service sweep false-positive handling, the event is reported with a 5 minute delay; the delay can be removed by setting the tuning parameter pam.tcp.sweep.syn=true. The event detail 'victim-ip-addr' gives the subnet being scanned rather than a single destination IP address.
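The detection logic described above, as an added example rather than ISS/Proventia code: group client SYNs to TCP port 5554 by source and destination /24, and raise one alert per (source, subnet) once the source has hit a threshold of distinct hosts inside a time window, reporting the subnet as the victim the way the 'victim-ip-addr' detail does. The flow record format, the threshold of 8 hosts, the 5 minute window and the sample records are all assumptions constructed for the example; the sensor's own false-positive delay is not modelled.

```python
"""Sasser-port (TCP/5554) subnet sweep detector.

Added example, not code from ISS or the Proventia/RealSecure products.
It reproduces the idea behind TCP_Dabber_Sweep: many SYNs from one
source to distinct hosts of one subnet on port 5554. Record format,
thresholds and sample data are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SASSER_FTP_PORT = 5554                 # port Dabber scans (Sasser's FTP server)
SWEEP_THRESHOLD = 8                    # assumption: distinct hosts before it counts as a sweep
SWEEP_WINDOW = timedelta(minutes=5)    # assumption: grouping window for one source's SYNs

# Constructed sample flow records (not a real capture), one line per TCP segment:
# "<ISO timestamp> <src> <dst> <dport> <tcp flags>"
SAMPLE_FLOWS = [
    # 10.0.0.5 walks 192.168.1.1-12 on port 5554 in a few seconds: a Dabber-style sweep
    f"2004-05-14T10:00:{i:02d} 10.0.0.5 192.168.1.{i + 1} 5554 S" for i in range(12)
] + [
    # a single connection to 5554 and an ordinary web request: not a sweep
    "2004-05-14T10:00:30 10.0.0.9 192.168.1.20 5554 S",
    "2004-05-14T10:00:31 10.0.0.9 192.168.1.21 80 S",
] + [
    # a sweep of port 80: a sweep, but not of the Sasser port, so not this signature
    f"2004-05-14T10:01:{i:02d} 10.0.0.7 192.168.2.{i + 1} 80 S" for i in range(10)
]


def parse_flow(line):
    """Split one constructed flow record into its typed fields."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_sweeps(lines, port=SASSER_FTP_PORT, threshold=SWEEP_THRESHOLD, window=SWEEP_WINDOW):
    """Return one alert per (source, /24 subnet) whose hosts received SYNs to
    `port` on at least `threshold` distinct addresses within `window`.

    Each alert names the scanned subnet as the victim, not a single host,
    matching how the signature reports 'victim-ip-addr'.
    """
    seen = defaultdict(list)  # (src, subnet) -> [(timestamp, dst), ...]
    for line in lines:
        ts, src, dst, dport, flags = parse_flow(line)
        # Only client-side SYNs (no ACK) to the Sasser port are of interest.
        if dport != port or "S" not in flags or "A" in flags:
            continue
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen[(src, subnet)].append((ts, dst))

    alerts = []
    for (src, subnet), events in seen.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts_in_window = {dst for _, dst in events[start:end + 1]}
            if len(hosts_in_window) >= threshold:
                alerts.append({
                    "src": src,
                    "victim": str(subnet),                     # subnet, not a single IP
                    "hosts": len({dst for _, dst in events}),  # distinct hosts probed overall
                    "first_seen": events[0][0].isoformat(),
                    "last_seen": events[-1][0].isoformat(),
                })
                break  # one alert per (source, subnet)
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_FLOWS):
        print(f"TCP_Dabber_Sweep: {alert['src']} swept {alert['victim']} "
              f"({alert['hosts']} hosts, {alert['first_seen']} .. {alert['last_seen']})")
```

Running the block against the constructed records reports only 10.0.0.5 sweeping 192.168.1.0/24; the single 5554 connection and the port-80 sweep stay silent, which is the distinction the signature makes between a Dabber sweep and other scanning.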


Default risk level

Medium

Sensors that have this signature

RealSecure Server Sensor: XPU 22.31, RealSecure Network: XPU 22.31, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, BlackICE Agent for Server: 3.6eof, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: XPU 1.29, Proventia Desktop: 8.0.614.1, Proventia Network IDS: XPU 22.31, Proventia-G 1.1 and earlier: XPU 22.31, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Unauthorized Access Attempt

Vulnerability description

Dabber is an Internet worm that targets systems already infected with the Sasser worm. It exploits a stack-based buffer overflow in the FTP server that Sasser installs on TCP port 5554, and propagates by scanning for hosts listening on that port. Once installed, Dabber deletes the registry keys of Sasser and other viruses and opens a backdoor on TCP port 9898 that accepts connections from a remote client, so a remote attacker can gain unauthorized access to the system. This event indicates that Dabber's scanning activity has been detected.

How to remove this vulnerability

Use an up-to-date antivirus program to determine whether the target computer hosts this worm. If the program detects the worm, follow its instructions to disinfect and repair the computer. Because Dabber only infects hosts that are already running Sasser, remove Sasser from the affected system as well, and block or monitor TCP ports 5554 and 9898 to contain both the scanning and the backdoor.

References

LURHQ Web site
Dabber Worm Analysis
http://www.lurhq.com/dabber.html

ISS X-Force
Dabber worm detected
http://www.iss.net/security_center/static/16244.php