Educause Security Discussion mailing list archives

Re: symantec targetting worm


From: David Gillett <gillettdavid () FHDA EDU>
Date: Thu, 28 Dec 2006 17:02:13 -0800

  It hasn't been getting enough traction here to cause problems.
Most of the source addresses claim to be dial-ups in Slovenia.
Haven't seen 139 or 445, but other addresses have been scanning
5900.

David Gillett


-----Original Message-----
From: robin [mailto:mstubbs () FACSTAFF WISC EDU]
Sent: Thursday, December 28, 2006 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] symantec targetting worm

Some subnets here are having a bit of trouble with a worm
that in particular seems to be going for tcp port 2967 which
we would guess is aiming for the SAVCE managed client port.
In some cases the worm or worms also go for tcp ports
139, 445 and/or 5900.

Anyone seeing this and have some advice? Have worms been id'd
other than these at other edu's?

http://www.symantec.com/enterprise/security_response/weblog/2006/11/spybot_attempts_to_exploit_old.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-121309-3331-99
http://smallbiz.symantec.com/security_response/writeup.jsp?docid=2006-122314-5625-99&tabid=2

There was quite a spike in scanning in recent times:
http://isc.sans.org/port_details.php?port=2967

Speaking of possible sym06-010 exploits, here is a nice
chart about upgrading it:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248?OpenDocument&src=ent_hot&dtype=corp&seg=ent&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=10.1&tpre=

