Educause Security Discussion mailing list archives
Re: Exploit on port 2967
From: Jim Bollinger <JBollinger () WLU EDU>
Date: Fri, 27 Apr 2007 12:12:30 -0400
What version of Symantec are you running, i.e. does the variant you are seeing expand the scope of the vulnerability beyond those versions listed in the original Symantec advisory?

Thanks,
Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743
Mike Hanson <MHanson () CSS EDU> 4/27/2007 11:51 AM >>>
Hello,

Has anybody experienced the Symantec Corporate Edition AntiVirus stack overflow worm in the last few weeks? We got hit with it here starting this past Monday. It uses port 2967 on versions 10.0 and 10.1 of Corporate Edition. We experienced a different variant of what is posted on the Symantec site:

http://www.symantec.com/avcenter/security/Content/2006.05.25.html#

This exploit drops two files into C:\WINDOWS\system32\wbem; these files are unsecapp32.exe and unsec.exe. It also drops ftp[1].exe in a Windows Internet temp file. This worm generated tremendous traffic on our network. I have not been able to find much information on this variant, but I noticed on the SANS Internet Storm Center website that there is a lot of activity on port 2967.

Thank you.

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
(218)-723-7097
mhanson () css edu
Current thread:
- Exploit on port 2967 Mike Hanson (Apr 27)
- <Possible follow-ups>
- Re: Exploit on port 2967 Jim Bollinger (Apr 27)
- Re: Exploit on port 2967 Julian Thompson (Apr 27)