New Dasher variant

Shortly after Dasher.A, we got a sample of another variant. This time the whole exploit chain is complete - the remote server that exploited machines connect to is currently up and running. The server instructs infected machines to download two files: a copy of the worm itself and a keylogger. The keylogger hides itself with a rootkit driver.

Both Dasher variants are using the same exploit code, released by "Swan" earlier this month.

F-Secure : News from the Lab - December of 2005

Linked by shanmuga Friday, 16th December 2005 2:34AM