Educause Security Discussion mailing list archives

Exploit on port 2967


From: Mike Hanson <MHanson () CSS EDU>
Date: Fri, 27 Apr 2007 10:51:46 -0500

Hello,

Has anybody experienced the Symantec Corporate Edition AntiVirus stack
overflow worm in the last few weeks? We got hit with it here starting
this past Monday. It uses port 2967 on versions 10.0 and 10.1 of Corporate
Edition. We experienced a different variant of what is posted on the
Symantec site:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html#


This exploit drops two files into C:\WINDOWS\system32\wbem; these files
are unsecapp32.exe and unsec.exe. It also drops ftp[1].exe in a Windows
Internet temp file.

This worm generated a tremendous amount of traffic on our network.

I have not been able to find much information on this variant, but I
noticed on the SANS Internet Storm Center website there is a lot of
activity on port 2967.

Thank you.





Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811

(218)-723-7097
mhanson () css edu
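
Added example, not part of the original message: a triage sketch that uses the two indicators the post gives, the port (2967) and the files dropped in C:\WINDOWS\system32\wbem. It flags internal hosts that contact many distinct hosts on port 2967 and matches a file listing against the dropped names. The flow and listing formats, the sample data, the fan-out threshold and the function names are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

PORT = 2967                                  # port named in the post
WBEM_DIR = r"c:\windows\system32\wbem"       # directory named in the post
DROPPED = {"unsecapp32.exe", "unsec.exe"}    # file names named in the post

# Constructed sample data; "time src dst dport" is an assumed record layout.
FLOWS = """\
t1 10.1.4.22 10.1.7.5 2967
t1 10.1.4.22 10.1.7.6 2967
t2 10.1.4.22 10.1.7.7 2967
t2 10.1.4.22 10.1.7.8 2967
t3 10.1.9.30 10.1.0.10 2967
t4 10.1.9.31 10.1.0.10 80
malformed line
"""
LISTING = [                                  # constructed file listing
    r"C:\WINDOWS\system32\wbem\unsecapp.exe",    # name not listed in the post
    r"C:\WINDOWS\system32\wbem\unsecapp32.exe",
    r"C:\WINDOWS\system32\wbem\UNSEC.EXE",
    r"C:\Temp\unsec.exe",                        # right name, other directory
]

def fanout_sources(flow_text, port=PORT, threshold=3):
    """Return {src: n} for sources that contacted n >= threshold distinct
    hosts on `port`. One client talking to one server stays below it."""
    peers = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue                         # skip records we cannot parse
        _, src, dst, dport = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        if int(dport) == port:
            peers[src].add(dst)
    return {s: len(d) for s, d in peers.items() if len(d) >= threshold}

def dropped_files(paths):
    """Return listing entries matching the post's directory and file names."""
    hits = []
    for p in paths:
        directory, _, name = p.strip().lower().rpartition("\\")
        if directory == WBEM_DIR and name in DROPPED:
            hits.append(p.strip())
    return hits
```

A host returned by fanout_sources that also has entries from dropped_files is the first one to isolate and image.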
