Trio of trouble: Malcode targets Windows, IM users

AV firms warn IT shops to guard against Dasher, Bagle and Banbra. Dasher targets a Windows flaw patched in October, while Banbra spreads through IM.

IT administrators have three reasons to be on guard Friday:

A worm called Dasher is targeting a Windows flaw that Microsoft patched two months ago. The prolific Bagle family of worms and Trojans is acting up again. And a Trojan called Banbra is spreading through IM programs.

According to Cupertino, Calif.-based Symantec Corp., Dasher-B is spreading via the Microsoft Windows Distributed Transaction Coordinator (MSDTC) Memory Corruption vulnerability. The software giant released a patch for the flaw Oct. 11.

As of Friday morning, Symantec said in an e-mail to customers of its DeepSight Threat Management System that "one of the FTP servers used by a member of the W32.Dasher family is reporting that over 3,000 hosts have connected to it, which serves as a good estimate of affected hosts."

Finnish firm F-Secure reported in its daily lab blog that the remote server instructs infected machines to download two files: a copy of the worm itself and a keylogger. The keylogger hides itself with a rootkit driver.

Symantec advised users to:

  • Ensure that the Windows patch released in October is applied to all vulnerable systems; and
  • Ensure that unsolicited incoming traffic to TCP port 1025 is blocked at the network perimeter.

Meanwhile, PandaLabs, a unit of Glendale, Calif.-based Panda Software, warned that Bagle-FU is spreading by e-mail. "The attack begins with the distribution, in a series of e-mails, of the worm components of Bagle-FU, compressed in files with names like Edmund.zip, Elizabeth.zip, or Henrie.zip, among others," Panda said. "When these files are opened and run, they install the Trojan, which automatically tries to download a file from a long list of URLs. They also open an image of the Windows logo as other threats have previously done."

The Bethesda, Md.-based SANS Internet Storm Center said on its Web site that IT administrators should "keep your eyes peeled, especially if your users are reading their mail over Webmail."

Finally, San Diego-based Akonix Systems Inc. warned of a new Trojan named W32.Banbra-BOK, which spreads through IM. It propagates via an executable called fotoimagem.exe, which is downloaded when a user clicks on an IM link, typically one pointing to the hometown.aol.com domain.

The Trojan is designed to monitor a user's access to financial Web sites and steal passwords from users while they are on a site. "The Trojan then sends the password information to an e-mail address where the information can be used without the user's knowledge," the firm said. "Banbra-BOK is difficult to recognize, as it does not display any messages or warnings that indicate it has reached a computer."

This article originally appeared on SearchSecurity.com.