A bit late in the game, but I was taking a brief look at the Dasher worm today for a friend. Is anyone else amazed by the lack of "quality" in these worms? It spreads over a publicly available exploit for the MS05-051 MSDTC vulnerability by launching a separate executable (not very elegant). The exploit is hard-coded to return control to an address in China, 222.240.219.143, that appears to currently be down.
It scans for targets also by means of a separate executable, SqlScan.exe (even further reducing the elegance of this worm). The IP scanning "algorithm" cycles through a list of 36 first octets, randomly chooses the second octet and completely sweeps the third and fourth octets. Not sure what the logic was behind the choice of the first octets; here are the country mappings from some random web-based IP-to-country resolver I screen scraped:
$ sh resolve_first_octet_countries.sh
58.1.1.1: Japan
59.1.1.1: Republic Of Korea
60.1.1.1: China
61.1.1.1: India
62.1.1.1: Greece
80.1.1.1: United Kingdom
81.1.1.1: France
82.1.1.1: United Kingdom
83.1.1.1: Poland
84.1.1.1: Hungary
85.1.1.1: Switzerland
130.1.1.1: United States
133.1.1.1: Japan
140.1.1.1: United States
159.1.1.1: United States
160.1.1.1: United States
162.1.1.1: United States
163.1.1.1: United Kingdom
165.1.1.1: United States
168.1.1.1: Switzerland
192.1.1.1: United States
193.1.1.1: Ireland
194.1.1.1: Slovakia
195.1.1.1: Norway
200.1.1.1: Venezuela
202.1.1.1: Australia
203.1.1.1: Australia
210.1.1.1: Thailand
211.1.1.1: Japan
213.1.1.1: United Kingdom
217.1.1.1: Germany
218.1.1.1: China
219.1.1.1: Japan
220.1.1.1: Japan
221.1.1.1: China
222.1.1.1: Japan
Any other interesting facets to this thing? Mostly a dead issue by now I suspect. Again, this was a very brief look and I apologize in advance for any inaccuracies.
-pedram
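As an added example (not pedram's code and not part of the worm), here is a defender-side check over connection logs that flags a host whose outbound connections match the target-selection pattern described in the post: a contiguous sweep of addresses inside a single /16 whose first octet is on the worm's 36-entry list. The log format, the source hosts and the sample lines are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# The 36 hard-coded first octets listed in the post above.
DASHER_FIRST_OCTETS = {
    58, 59, 60, 61, 62, 80, 81, 82, 83, 84, 85, 130, 133, 140, 159, 160,
    162, 163, 165, 168, 192, 193, 194, 195, 200, 202, 203, 210, 211, 213,
    217, 218, 219, 220, 221, 222,
}

# Constructed sample connection log in a hypothetical "<time> <src> -> <dst>" format.
SAMPLE_LOG = (
    # 10.0.0.5 walks 203.17.0.1 .. 203.17.0.12 in order: a Dasher-style sweep.
    [f"2005-12-16T10:00:{i:02d} 10.0.0.5 -> 203.17.0.{i}" for i in range(1, 13)]
    # 10.0.0.9 touches a handful of unrelated hosts: ordinary traffic.
    + ["2005-12-16T10:01:00 10.0.0.9 -> 203.17.5.40",
       "2005-12-16T10:01:05 10.0.0.9 -> 62.4.9.2",
       "2005-12-16T10:01:09 10.0.0.9 -> 203.17.0.3"]
    # 10.0.0.7 sweeps a /16 whose first octet is not on the worm's list.
    + [f"2005-12-16T10:02:{i:02d} 10.0.0.7 -> 10.1.0.{i}" for i in range(1, 13)]
)

def parse_log(lines):
    """Yield (src, dst) pairs from the constructed log format."""
    for line in lines:
        _, src, _, dst = line.split()
        yield src, ipaddress.IPv4Address(dst)

def find_dasher_sweeps(lines, min_hosts=8):
    """Return {src: [/16 prefixes]} for sources that hit a contiguous run of at
    least min_hosts addresses inside one /16 with a listed first octet."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst in parse_log(lines):
        if int(dst) >> 24 in DASHER_FIRST_OCTETS:
            seen[src][int(dst) >> 16].add(int(dst) & 0xFFFF)
    findings = {}
    for src, prefixes in seen.items():
        for prefix, low_bits in prefixes.items():
            # A full sweep of the third and fourth octets leaves a contiguous
            # run of low 16-bit values; scattered normal traffic does not.
            contiguous = max(low_bits) - min(low_bits) + 1 == len(low_bits)
            if len(low_bits) >= min_hosts and contiguous:
                net = ipaddress.IPv4Network((prefix << 16, 16))
                findings.setdefault(src, []).append(str(net))
    return findings

if __name__ == "__main__":
    print(find_dasher_sweeps(SAMPLE_LOG))  # {'10.0.0.5': ['203.17.0.0/16']}
```

Lower min_hosts catches shorter runs at the cost of more false positives from hosts that legitimately contact a few adjacent servers.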