
ITS Alert
Keylogger worm activity associated with Microsoft MS05-051 vulnerability


ALARM Group ALERT (ALARM: The Computing Alert System)
Alert Number:  121605-01
Alert Date:  12/16/05
Alert Title:  Keylogger worm activity associated with Microsoft MS05-051 vulnerability
Update-to:  
101105-01 "Microsoft releases security bulletin for October"
101205-01 "TCP port 3372 blocked in response to Microsoft DTC and COM+ exploit"
101705-01 "Microsoft publishes workaround for MS05-051 issues"

OS/Platform/Application:
Windows Server 2003 (including Service Pack 1, x64 Edition, and SP1 for Itanium-based Systems)
Windows XP (Service Packs 1 and 2, also XP Professional x64 Edition)
Windows 2000 Service Pack 4
Windows Millennium Edition (Me)
Windows 98, 98 Second Edition (SE)

Category:  UPDATE
Severity:  HIGH
Attention:  Windows System Administrators, Desktop Support Personnel

Summary:  During the past several days, various Internet security monitoring and analysis agencies have reported a rise in TCP port 1025 traffic on the Internet.  At the time of this writing (12/16/05) the consensus among these agencies is that the traffic represents scanning activity by a new variant of the Dasher worm (Dasher.B).  The worm exploits the vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC) and COM+ components that Microsoft addressed in Security Bulletin MS05-051 on October 11, 2005.  TCP port 1025 is the port on which the MSDTC RPC interface commonly listens on Windows hosts, which is why the scanning targets that port.  Upon successful exploitation the worm reportedly downloads a rootkit and a keylogger onto the compromised system.
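As an added illustration (not part of the original alert, and not ITS code), the following Python script shows the kind of check an administrator can run over router or firewall flow logs to spot the scanning pattern described above: a single source contacting many distinct hosts on TCP port 1025 within a short window, as opposed to a legitimate RPC client talking repeatedly to one server.  The log format, addresses and thresholds are constructed for the example and are not the University's real log format or address space.

```python
"""Flag hosts sweeping TCP port 1025 (the port Dasher.B scans for MSDTC
hosts missing MS05-051) in a simplified flow log.

Added example: the log format, addresses and thresholds are constructed
for illustration and are not ITS's real data or tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  Hypothetical line format:
#   <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
# 203.0.113.0/24 stands in for off-campus addresses, 198.51.100.0/24 for campus.
SAMPLE_LOG = """\
2005-12-16T09:00:01 203.0.113.7:4413 -> 198.51.100.10:1025 tcp
2005-12-16T09:00:02 203.0.113.7:4414 -> 198.51.100.11:1025 tcp
2005-12-16T09:00:03 203.0.113.7:4415 -> 198.51.100.12:1025 tcp
2005-12-16T09:00:04 203.0.113.7:4416 -> 198.51.100.13:1025 tcp
2005-12-16T09:00:05 203.0.113.7:4417 -> 198.51.100.14:1025 tcp
2005-12-16T09:00:06 203.0.113.7:4418 -> 198.51.100.15:1025 tcp
2005-12-16T09:01:00 203.0.113.9:3001 -> 198.51.100.10:1025 tcp
2005-12-16T09:01:30 203.0.113.9:3002 -> 198.51.100.10:1025 tcp
2005-12-16T09:02:00 203.0.113.9:3003 -> 198.51.100.10:1025 tcp
2005-12-16T09:00:10 203.0.113.40:5000 -> 198.51.100.10:80 tcp
2005-12-16T09:00:11 203.0.113.40:5001 -> 198.51.100.11:80 tcp
2005-12-16T09:00:12 203.0.113.40:5002 -> 198.51.100.12:80 tcp
2005-12-16T09:00:13 203.0.113.40:5003 -> 198.51.100.13:80 tcp
2005-12-16T09:00:14 203.0.113.40:5004 -> 198.51.100.14:80 tcp
2005-12-16T09:00:00 203.0.113.50:2001 -> 198.51.100.20:1025 tcp
2005-12-16T09:10:00 203.0.113.50:2002 -> 198.51.100.21:1025 tcp
2005-12-16T09:20:00 203.0.113.50:2003 -> 198.51.100.22:1025 tcp
2005-12-16T09:30:00 203.0.113.50:2004 -> 198.51.100.23:1025 tcp
2005-12-16T09:40:00 203.0.113.50:2005 -> 198.51.100.24:1025 tcp
2005-12-16T09:05:00 198.51.100.20:1100 -> 198.51.100.30:1025 tcp
2005-12-16T09:05:01 198.51.100.20:1101 -> 198.51.100.31:1025 tcp
2005-12-16T09:05:02 198.51.100.20:1102 -> 198.51.100.32:1025 tcp
2005-12-16T09:05:03 198.51.100.20:1103 -> 198.51.100.33:1025 tcp
2005-12-16T09:05:04 198.51.100.20:1104 -> 198.51.100.34:1025 tcp
"""


def parse_line(line):
    """Split one flow-log line into (timestamp, src_ip, src_port, dst_ip, dst_port, proto)."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, int(src_port), dst_ip, int(dst_port), proto


def find_scanners(log_text, port=1025, window_minutes=5, min_targets=5):
    """Return {src_ip: distinct_targets} for sources that contacted at least
    min_targets distinct hosts on tcp/<port> within any window_minutes span.
    Repeated connections to a single host (a normal RPC client) never qualify."""
    window = timedelta(minutes=window_minutes)
    flows = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)] for tcp/<port> only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _sp, dst_ip, dst_port, proto = parse_line(line)
        if proto == "tcp" and dst_port == port:
            flows[src_ip].append((ts, dst_ip))

    scanners = {}
    for src_ip, events in flows.items():
        events.sort()
        best, start = 0, 0
        # Sliding window over the time-ordered events of this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_targets:
            scanners[src_ip] = best
    return scanners


if __name__ == "__main__":
    for ip, n in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{ip} swept {n} hosts on tcp/1025 within 5 minutes")
```

With the sample data, 203.0.113.7 (an off-campus sweep) and 198.51.100.20 (an on-campus host sweeping its neighbours, which a border block would not stop) are flagged; 203.0.113.9, which talks only to one server, and 203.0.113.40, which is probing port 80, are not.  Widening the window to an hour also catches the slow sweep from 203.0.113.50, at the cost of more false positives from hosts that legitimately reach several RPC servers over a day.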

Recommended Actions:  Windows system managers and support personnel are encouraged to verify that the MS05-051 update has been installed on all systems within their scope of responsibility (it is listed as update KB902400 in the installed-updates view of Add or Remove Programs, and Windows Update or the Microsoft Baseline Security Analyzer will report it as missing).  Administrators of unpatched systems are strongly advised to read the bulletin (including all caveats; see also Microsoft Security Advisory 909444 in the Resources below, which covers issues reported after installing the update) and, if appropriate, apply the patch immediately as per the vendor's instructions.  Because the worm's payload includes a rootkit and a keylogger, an unpatched system observed scanning port 1025 should be treated as compromised: take it off the network, rebuild it, and change any passwords that were typed on it.

ITS Actions:  TCP and UDP port 1025 have been blocked at the University's main router Internet connection and at the RESNet router Internet connection, in an attempt to stop the scanning activity from off-campus associated with this worm.  Note that this border block does not stop an already-infected on-campus host from scanning other campus systems over port 1025, so it is a stopgap and not a substitute for applying MS05-051.

Resources:

Security Bulletin MS05-051 **CRITICAL** Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/MS05-051.mspx

Microsoft Security Advisory 909444:
http://www.microsoft.com/technet/security/advisory/909444.mspx

Microsoft Knowledge Base Article 909444:
http://support.microsoft.com/kb/909444

F-Secure description of Dasher.B:
http://www.f-secure.com/v-descs/dasher_b.shtml

SANS Internet Storm Center Handler's Diary on port 1025 activity:
http://isc.sans.org/diary.php?storyid=934
Information Technology Services
University at Albany, SUNY
1400 Washington Avenue
Albany, NY 12222
ITS Service Centers:  518-442-4000