Educause Security Discussion mailing list archives

symantec targeting worm


From: robin <mstubbs () FACSTAFF WISC EDU>
Date: Thu, 28 Dec 2006 17:51:00 -0600

Some subnets here are having a bit of trouble with a worm that
in particular seems to be going for tcp port 2967 which we would guess
is aiming for the SAVCE managed client port. In some cases the worm or
worms also go for tcp port 139, 445 and/or 5900.

Anyone seeing this and have some advice? Have worms been id'd other than
these at other edu's?

http://www.symantec.com/enterprise/security_response/weblog/2006/11/spybot_attempts_to_exploit_old.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-121309-3331-99
http://smallbiz.symantec.com/security_response/writeup.jsp?docid=2006-122314-5625-99&tabid=2

There was quite a spike in scanning in recent times:
http://isc.sans.org/port_details.php?port=2967

Speaking of possible sym06-010 exploits, here is a nice chart about
upgrading it:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248?OpenDocument&src=ent_hot&dtype=corp&seg=ent&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=10.1&tpre=
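
Added example, not part of the original post: one way to pick out hosts showing the fan-out described in the message (many distinct destinations on tcp 2967, optionally with 139, 445 or 5900). It assumes flow records exported as whitespace-separated `time src dst proto dport` lines; the record format, the `find_scanners` name and the `min_targets` threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Ports named in the post: 2967 (SAVCE managed client), plus 139, 445, 5900.
PRIMARY_PORT = 2967
WATCHED_PORTS = {2967, 139, 445, 5900}

# Constructed sample flow records (documentation address ranges, not real hosts).
SAMPLE_FLOWS = """\
2006-12-28T17:00:01 192.0.2.10 198.51.100.1 tcp 2967
2006-12-28T17:00:01 192.0.2.10 198.51.100.2 tcp 2967
2006-12-28T17:00:02 192.0.2.10 198.51.100.3 tcp 2967
2006-12-28T17:00:02 192.0.2.10 198.51.100.3 tcp 445
2006-12-28T17:00:03 192.0.2.10 198.51.100.4 tcp 5900
2006-12-28T17:00:04 192.0.2.20 198.51.100.9 tcp 2967
2006-12-28T17:00:05 192.0.2.20 198.51.100.9 tcp 2967
2006-12-28T17:00:06 192.0.2.30 198.51.100.7 tcp 80
malformed line
"""

def find_scanners(lines, min_targets=3):
    """Return {src: {port: distinct_dst_count}} for sources that contacted
    at least min_targets distinct destinations on PRIMARY_PORT."""
    targets = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[3] != "tcp" or not fields[4].isdigit():
            continue  # skip malformed or non-TCP records
        _, src, dst, _, dport = fields
        port = int(dport)
        if port in WATCHED_PORTS:
            targets[src][port].add(dst)
    # Repeated connections to one host count once: distinct destinations
    # are what separates scanning from a client talking to its own server.
    return {
        src: {port: len(dsts) for port, dsts in sorted(ports.items())}
        for src, ports in targets.items()
        if len(ports.get(PRIMARY_PORT, ())) >= min_targets
    }

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_FLOWS.splitlines()).items():
        print(src, ports)
```

A legitimately managed client talks to one parent server on 2967, so the threshold should sit above the number of SAVCE servers a host could normally reach.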
