Malware type: Worm
Aliases: Backdoor.Win32.Shodabot.i (Kaspersky), W32/Sdbot.worm.gen.d (McAfee), W32.Spybot.Worm (Symantec), Worm/IrcBot.89600 (Avira), Mal/Generic-A (Sophos), Worm:Win32/Danshbot.A (Microsoft)
In the wild: Yes
Platform: Windows 95, 98, ME, NT, 2000, XP
Overall risk rating:
This worm spreads via network shares, and takes advantage of the following Windows vulnerabilities to propagate across networks:
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
This worm attempts to log on to systems using a list of passwords hardcoded in its body. It then drops a copy of itself on all accessed machines.
This worm has backdoor capabilities and may execute commands issued by a remote user. It also terminates several processes related to security applications.
For additional information about this threat, see:
Description created: Feb. 24, 2005 12:21:22 PM GMT -0800
File type: PE
Memory resident: Yes
Size of malware: 89,600 Bytes (compressed); 190,464 Bytes (uncompressed)
Ports used: Random
Initial samples received on: Feb 24, 2005
Compression type: UPX
Vulnerability used: (MS04-011) Security Update for Microsoft Windows (835732), (MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021), (MS04-022) Vulnerability in Task Scheduler Could Allow Code Execution (841873)
Installation and Autostart
Upon execution, this memory-resident worm drops a copy of itself as DESKTOP.EXE in the Windows system folder. It may add the following registry keys to enable its automatic execution upon Windows startup:
It also creates the following registry entries to complete its installation:
restrictanonymous = "dword:00000001"
AutoShareServer = "dword:00000000"
AutoShareWks = "dword:00000000"
This worm spreads through network shares. It enumerates the available network shares, then attempts to drop a copy of itself to each share found, as follows:
It also generates IP addresses and attempts to drop a copy of itself to the default shares of each target address, such as the following:
This worm also attempts to access systems with weak passwords, and drops a copy of itself on successfully accessed machines. It uses the following hardcoded list of passwords:
(Note: %Username% is the login name of the user currently logged on to the system.)
This worm exploits the Task Scheduler vulnerability, which could allow a malicious user or malware to take complete control of an affected system if the affected user is currently logged on with administrative privileges. More information about this vulnerability is available from the following Microsoft page:
This worm takes advantage of the Windows LSASS vulnerability. This vulnerability is a buffer overrun that allows remote code execution. Detailed information about this vulnerability is available from the following Microsoft page:
This worm also exploits the IIS5/WebDAV buffer overrun vulnerability affecting Windows platforms, which enables arbitrary code to execute on the server.
The following link offers more information from Microsoft about this vulnerability:
This worm connects to port 6667 (the standard IRC port) and joins a specific channel, where it listens for commands from the remote malicious user.
Some of these commands are as follows:
Analysis By: Melvin Dantis Dadios
Minimum scan engine version needed: 6.810
Pattern file needed: 2.443.05
Pattern release date: Feb 24, 2005
Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.
Identifying the Malware Program
To remove this malware, first identify the malware program.
Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Restoring EnableDCOM and RestrictAnonymous Registry Entries
This malware modifies the EnableDCOM and RestrictAnonymous registry entries to a certain value. To know more about restoring these registry entries to their original values, please refer to these articles:
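As an added example (not part of the Trend Micro advisory), the following PowerShell audit checks a host for the registry changes, dropped file and autostart entries described above and reports anything that deviates from the Windows default. The registry paths are the standard Windows locations for these value names, which the page does not list; the system folder is assumed to be System32, and the Windows defaults used for comparison are assumptions stated in the code.

```powershell
# Added audit example, not code from the advisory. Reports indicators only; it changes nothing.
# Defaults: RestrictAnonymous=0, AutoShareServer=1, AutoShareWks=1, EnableDCOM='Y' (assumed Windows defaults).
$RegistryChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'RestrictAnonymous'; Default = '0' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer';   Default = '1' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareWks';      Default = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                                     Name = 'EnableDCOM';        Default = 'Y' }
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-DanshbotIndicators {
    $findings = @()

    # 1. Registry values the worm sets: report any value that is present and not at its default.
    foreach ($c in $RegistryChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # value absent: Windows uses the default, nothing to report
        $actual = "$($item.($c.Name))"
        if ($actual -ne $c.Default) {
            $findings += [pscustomobject]@{ Indicator = "$($c.Path)\$($c.Name)"; Observed = $actual; Expected = $c.Default }
        }
    }

    # 2. Dropped file: DESKTOP.EXE in the system folder (System32 assumed for NT-based Windows).
    $dropped = Join-Path $env:SystemRoot 'System32\DESKTOP.EXE'
    if (Test-Path -LiteralPath $dropped) {
        $findings += [pscustomobject]@{ Indicator = $dropped; Observed = 'present'; Expected = 'absent' }
    }

    # 3. Autostart entries: any Run value whose command references desktop.exe.
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            if ($p.Value -is [string] -and $p.Value -match '(?i)desktop\.exe') {
                $findings += [pscustomobject]@{ Indicator = "$key\$($p.Name)"; Observed = $p.Value; Expected = 'not present' }
            }
        }
    }
    return $findings
}

$result = Test-DanshbotIndicators
if ($result.Count -eq 0) { 'No WORM_DANSHBOT.B indicators found.' } else { $result | Format-Table -AutoSize }
```

A non-default RestrictAnonymous or EnableDCOM may also be a deliberate hardening choice on the host, so treat each finding as something to review against the referenced Microsoft articles rather than proof of infection on its own.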
Additional Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure sets.
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_DANSHBOT.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
This malware exploits known vulnerabilities in Windows. Download and install the fix patches from the following Web pages:
Refrain from using this product until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.