NEWS FROM THE LAB - Thursday, December 15, 2005

New Dasher variant
Posted by Jarkko @ 15:02 GMT

[Image: ms05-051]

Shortly after Dasher.A, we got a sample of another variant, Dasher.B. This time the whole exploit chain is complete - the remote server that exploited machines connect to is currently up and running. The server instructs infected machines to download two files: a copy of the worm itself and a keylogger. The keylogger hides itself with a rootkit driver.

Both Dasher variants are using the same exploit code, released by "Swan" earlier this month.

Thanks to SANS ISC and Georg Wicherski of the German Honeynet Project for sending a sample of this variant!