Worm Targets October Windows Flaw

Both F-Secure and the SANS Institute's Internet Storm Center (ISC) said that the worm, dubbed Dasher.b, had been nabbed by the Honeypot Project, a German group that deploys exposed PCs to attract malicious code and capture samples. The worm exploits the MSDTC vulnerability disclosed by Microsoft in its October patch batch.

In late November, Microsoft issued a security advisory that acknowledged proof-of-concept code against the MSDTC bug was circulating, but said that the code couldn't actually execute remotely.

Dasher.b, however, uses that proof-of-exploit code to infect Windows 2000 and XP PCs, and then to download a keylogger from a remote server. The keylogger is cloaked by a rootkit, said F-Secure in an online alert. As of mid-Thursday, the remote server was online and operating.

On Wednesday, Dasher.a, the original version of the worm, appeared, but made no headway as its code was "quite unstable," according to F-Secure.

In hindsight there was warning of Dasher's imminent arrival. A large jump in scanning for port 1025 was detected since Thursday, Dec. 8 by the ISC and Symantec. Several days ago, Symantec noted that "attackers have been observed using the RPC endpoint mapper [accessible via port 1025] to enumerate systems that may be vulnerable to the Microsoft Windows MSDTC Memory Corruption Vulnerability."

Users can patch against the Dasher.b worm by applying the fix in October's MS05-051 bulletin.