Dasher Worm On the Prowl, Infects 3,000 Machines

Dasher.b, the first worm to successfully attack the MSDTC flaw disclosed and patched Oct. 11, was detected Thursday by honeypot PCs, with several security vendors rushing out alerts that same day.

According to Symantec, once Dasher.b has infected a PC, it first contacts a central command and control server located at IP address 222.240.219.143. In turn, that server then via TCP tells the compromised computer to download a malicious payload from a remote FTP server at 159.226.153.2.

"One of the FTP servers used by Dasher is reporting that over 3,000 hosts have connected to it, which serves as a good estimate of affected hosts," Symantec said in a warning issued to customers of its DeepSight Threat Management System (TMS). "TMS data corroborates this infection estimate," the alert continued.

Symantec, along with other security vendors, have recommended that users immediately apply the patch from Microsoft's MS05-051 bulletin, or failing that, filter all unsolicited traffic incoming on TCP port 1025, which is evidently being used to scan for vulnerable PCs.

One security vendor hypothesized that Dasher.b might be making inroads because of the problems many users had deploying the patch back in October.

Days after MS05-051 was released, Windows users complained that the patch was buggy. Microsoft revised the bulletin to offer work-arounds for people whose machines had been showing a variety of off-beat behaviors, including blank screens and an inability to access Windows Update.

"The worry is that the problems with the patch may have prevented it from being successfully rolled out onto some vulnerable computers," said Graham Cluley, a senior consultant for U.K.-based Sophos, in a statement.

"In any case, Microsoft will be fuming that a virus writer is successfully exploiting another vulnerability in their operating system," he added.