Educause Security Discussion mailing list archives
Exploit on port 2967
From: Mike Hanson <MHanson () CSS EDU>
Date: Fri, 27 Apr 2007 10:51:46 -0500
Hello,

Has anybody experienced the Symantec Corporate Edition AntiVirus stack overflow worm in the last few weeks? We got hit with it here starting this past Monday. It uses port 2967 on versions 10.0 and 10.1 of Corporate Edition. We experienced a different variant of what is posted on the Symantec site:

http://www.symantec.com/avcenter/security/Content/2006.05.25.html#

This exploit drops two files into C:\WINDOWS\system32\wbem; these files are unsecapp32.exe and unsec.exe. It also drops ftp[1].exe in a Windows Internet temp file. This worm generated a tremendous amount of traffic on our network. I have not been able to find much information on this variant, but I noticed on the SANS Internet Storm Center website there is a lot of activity on port 2967.

Thank you.

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
(218)-723-7097
mhanson () css edu