Two new worms, suitably named after one of Santa's reindeers, have been detected by SANS and F-Secure.

Dasher A and B exploit a vulnerability in the Distributed Transaction Coordinator in Windows 2000 and XP code that was patched in October.

Dasher A was detected on Thursday but failed to spread far because it was poorly written and hosted on a server in China, which is currently down. Dasher B has a functioning server and has proved more successful.

It is based partly on exploit code released onto the web earlier in the month and scans networks for unpatched systems via port 1025. Once it finds one it installs and scans the new network.

"This new worm aims to install software that tries to infect other vulnerable systems, and can be used to log keystrokes and turn the computer into a remotely controlled 'bot' system," said a spokesman from Internet Security Systems.

"By opening suspicious emails and attachments, users install the dangerous spyware on their computers where it can cause considerable damage."

The worm is spreading relatively slowly but companies are being warned to watch for traffic spikes in port 1025, patch all systems as soon as possible and update antivirus protection.