Trio of trouble: Malcode targets Windows, IM users

Bill Brenner

IT administrators have three reasons to be on guard Friday:

A worm called Dasher is targeting a Windows flaw that Microsoft patched two months ago. The prolific Bagle family of worms and Trojans is acting up again. And a Trojan called Banbra is spreading through IM programs.

According to Cupertino, Calif.-based Symantec Corp., Dasher-B is spreading via the Microsoft Windows Distributed Transaction Coordinator (MSDTC) Memory Corruption vulnerability. The software giant released a patch for the flaw Oct. 11.

As of Friday morning, Symantec said in an e-mail to customers of its DeepSight Threat Management System that "one of the FTP servers used by a member of the W32.Dasher family is reporting that over 3,000 hosts have connected to it, which serves as a good estimate of affected hosts."

Finnish firm F-Secure reported in its daily lab blog that the remote server instructs infected machines to download two files: a copy of the worm itself and a keylogger. The keylogger hides itself with a rootkit driver.

Symantec advised users to:

  • Ensure that the Windows patch released in October is applied to all vulnerable systems; and
  • Ensure that unsolicited incoming traffic to TCP port 1025 is blocked at the network perimeter.
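The second piece of Symantec's advice is easy to state and harder to verify after the fact: a perimeter filter for TCP port 1025 only helps if it is actually dropping outside-in traffic. The script below is an added example, not code from the article, Symantec or F-Secure. It reads a constructed, simplified one-connection-per-line firewall log, flags inbound TCP/1025 connections from outside hosts that the firewall accepted, and counts how many distinct internal hosts each outside source touched, since a single source hitting several hosts on 1025 looks like worm scanning rather than a stray connection. The log format, the "inside" address ranges and all addresses are assumptions; a real firewall export needs its own field mapping.

```python
"""Flag unsolicited inbound TCP/1025 (MSDTC) connections in a perimeter log.

Added example, not code from the article or from Symantec. The log format
(timestamp action proto src:sport -> dst:dport) and the internal ranges are
constructed for this example.
"""
import ipaddress

MSDTC_PORT = 1025  # the port Symantec advised blocking at the perimeter

# Assumed "inside" ranges; 192.0.2.0/24 is a documentation range used here
# purely as a stand-in for an organisation's public-facing subnet.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2005-12-16T08:01:12Z ACCEPT TCP 203.0.113.45:4412 -> 192.0.2.10:1025
2005-12-16T08:01:13Z ACCEPT TCP 203.0.113.45:4413 -> 192.0.2.11:1025
2005-12-16T08:02:02Z ACCEPT TCP 198.51.100.7:51000 -> 192.0.2.10:1025
2005-12-16T08:02:40Z ACCEPT TCP 10.0.0.5:3921 -> 10.0.0.9:1025
2005-12-16T08:03:15Z ACCEPT TCP 203.0.113.45:4420 -> 192.0.2.12:80
2005-12-16T08:03:30Z DROP TCP 198.51.100.99:40000 -> 192.0.2.10:1025
2005-12-16T08:04:01Z ACCEPT UDP 203.0.113.45:53 -> 192.0.2.10:1025
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "ts": ts, "action": action, "proto": proto,
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
        }
    except ValueError:
        return None


def is_unsolicited_msdtc(rec):
    """Outside-in TCP/1025 that the firewall let through: the traffic
    Symantec's advice says should have been blocked."""
    return (
        rec["proto"] == "TCP"
        and rec["dport"] == MSDTC_PORT
        and rec["action"] == "ACCEPT"
        and not is_internal(rec["src"])
        and is_internal(rec["dst"])
    )


def find_unsolicited_msdtc(log_text):
    """Return (hits, per_source): the matching records, and for each outside
    source the number of distinct internal hosts it reached on TCP/1025."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r is not None and is_unsolicited_msdtc(r)]
    targets = {}
    for r in hits:
        targets.setdefault(str(r["src"]), set()).add(str(r["dst"]))
    per_source = {src: len(dsts) for src, dsts in targets.items()}
    return hits, per_source


def scanning_sources(per_source, min_targets=2):
    """Sources that reached at least min_targets internal hosts on 1025:
    the pattern expected from a worm sweeping a subnet."""
    return sorted(s for s, n in per_source.items() if n >= min_targets)


if __name__ == "__main__":
    hits, per_source = find_unsolicited_msdtc(SAMPLE_LOG)
    for r in hits:
        print(f'{r["ts"]} {r["src"]} -> {r["dst"]}:{r["dport"]} ACCEPTED')
    print("scanning sources:", scanning_sources(per_source))
```

Lines the firewall already DROPs, internal-to-internal connections, and non-TCP traffic are deliberately left out of the hit list: the check is meant to answer "is the perimeter rule actually in place?" and "who is sweeping us on 1025?", not to re-alert on traffic that was blocked. The internal-to-internal 1025 connection in the sample is still worth a look on a host-level basis, but that is a different question from the perimeter one Symantec raised.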

Meanwhile, PandaLabs, a unit of Glendale, Calif.-based Panda Software, warned that Bagle-FU is spreading by e-mail. "The attack begins with the distribution, in a series of e-mails, of the worm components of Bagle-FU, compressed in files with names like Edmund.zip, Elizabeth.zip, or Henrie.zip, among others," Panda said. "When these files are opened and run, they install the Trojan, which automatically tries to download a file from a long list of URLs. They also open an image of the Windows logo as other threats have previously done."

The Bethesda, Md.-based SANS Internet Storm Center said on its Web site that IT administrators should "keep your eyes peeled, especially if your users are reading their mail over Webmail."

Finally, San Diego-based Akonix Systems Inc. warned of a new Trojan named W32.Banbra-BOK, which spreads through IM. It propagates via an executable called fotoimagem.exe, which is downloaded when a user clicks on an IM link typically from the hometown.aol.com domain.

The Trojan is designed to monitor a user's access to financial Web sites and steal passwords from users while they are on a site. "The Trojan then sends the password information to an e-mail address where the information can be used without the user's knowledge," the firm said. "Banbra-BOK is difficult to recognize, as it does not display any messages or warnings that indicate it has reached a computer."
