Trio of trouble: Malcode targets Windows, IM users

News Analysis

Bill Brenner, News Writer

IT administrators have three reasons to be on guard Friday:

A worm called Dasher is targeting a Windows flaw that Microsoft patched two months ago. The prolific Bagle family of worms and Trojans is acting up again. And a Trojan called Banbra is spreading through IM programs.

According to Cupertino, Calif.-based Symantec Corp., Dasher-B is spreading via the Microsoft Windows Distributed Transaction Coordinator (MSDTC) Memory Corruption vulnerability. The software giant released a patch for the flaw Oct. 11.

As of Friday morning, Symantec said in an e-mail to customers of its DeepSight Threat Management System that "one of the FTP servers used by a member of the W32.Dasher family is reporting that over 3,000 hosts have connected to it, which serves as a good estimate of affected hosts."

Finnish firm F-Secure reported in its daily lab blog that the remote server instructs infected machines to download two files: a copy of the worm itself and a keylogger. The keylogger hides itself with a rootkit driver.

Symantec advised users to:

  • Ensure that the Windows patch released in October is applied to all vulnerable systems; and
  • Ensure that unsolicited incoming traffic to TCP port 1025 is blocked at the network perimeter.

Meanwhile, PandaLabs, a unit of Glendale, Calif.-based Panda Software, warned that Bagle-FU is spreading by e-mail. "The attack begins with the distribution, in a series of e-mails, of the worm components of Bagle-FU, compressed in files with names like,, or, among others," Panda said. "When these files are opened and run, they install the Trojan, which automatically tries to download a file from a long list of URLs. They also open an image of the Windows logo as other threats have previously done."

The Bethesda, Md.-based SANS Internet Storm Center said on its Web site that IT administrators should "keep your eyes peeled, especially if your users are reading their mail over Webmail."

Finally, San Diego-based Akonix Systems Inc. warned of a new Trojan named W32.Banbra-BOK, which spreads through IM. It propagates via an executable called fotoimagem.exe, which is downloaded when a user clicks on an IM link typically from the domain.

The Trojan is designed to monitor a user's access to financial Web sites and steal passwords from users while they are on a site. "The Trojan then sends the password information to an e-mail address where the information can be used without the user's knowledge," the firm said. "Banbra-BOK is difficult to recognize, as it does not display any messages or warnings that indicate it has reached a computer."

This article originally appeared on
