Educause Security Discussion mailing list archives

Re: Exploit on port 2967


From: Jim Bollinger <JBollinger () WLU EDU>
Date: Fri, 27 Apr 2007 12:12:30 -0400

What version of Symantec are you running, i.e. does the variant you are
seeing expand the scope of the vulnerability beyond those versions
listed in the original Symantec advisory?

Thanks, Jim

Jim Bollinger
Systems and Network Engineer
Washington and Lee University
Lexington, VA 24450
540-458-8743

Mike Hanson <MHanson () CSS EDU> 4/27/2007 11:51 AM >>>
Hello,

Has anybody experienced the Symantec Corporate Edition AntiVirus stack overflow worm in the last few weeks? We got hit with it here starting this past Monday. It uses port 2967 on versions 10.0 and 10.1 of Corporate Edition. We experienced a different variant of what is posted on the Symantec site:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html#


This exploit drops two files into C:\WINDOWS\system32\wbem: these files are unsecapp32.exe and unsec.exe. It also drops ftp[1].exe in a Windows Internet temp file.

This worm generated tremendous traffic on our network.

I have not been able to find much information on this variant, but I noticed on the SANS Internet Storm Center website there is a lot of activity on port 2967.

Thank you.

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811

(218)-723-7097
mhanson () css edu
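A defender-side check built from the indicators Mike lists (fan-out on TCP/2967 and the dropped file names). This is an added example in Python, not code from the thread; the log line format and sample entries are constructed, so adapt the parser to your own firewall or NetFlow export.

```python
# Added example (not from the thread): flag hosts fanning out on TCP/2967 and
# check file paths against the dropped-file names Mike reports. Log format
# and sample lines are constructed; adapt the parser to your own exports.
import re
from collections import defaultdict

WORM_PORT = 2967  # Symantec AV Corporate Edition port hit by the worm
DROPPED_FILES = {  # indicators from the thread, compared case-insensitively
    r"c:\windows\system32\wbem\unsecapp32.exe",
    r"c:\windows\system32\wbem\unsec.exe",
}

# Constructed sample: "<time> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2007-04-23T08:01:02 10.1.5.20 10.1.7.3 2967 tcp
2007-04-23T08:01:02 10.1.5.20 10.1.7.4 2967 tcp
2007-04-23T08:01:03 10.1.5.20 10.1.7.5 2967 tcp
2007-04-23T08:01:03 10.1.5.20 10.1.7.6 2967 tcp
2007-04-23T08:01:04 10.1.5.20 10.1.7.7 2967 tcp
2007-04-23T08:01:05 10.1.5.21 10.1.9.9 2967 tcp
2007-04-23T08:01:06 10.1.5.22 10.1.9.9 80 tcp
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")

def scanning_sources(log_text, min_targets=5):
    """Return {src_ip: distinct_dst_count} for sources that reached at least
    min_targets distinct hosts on the worm port. One console-to-client
    connection is normal; fan-out to many peers is propagation."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _, src, dst, port, proto = m.groups()
        if proto.lower() == "tcp" and int(port) == WORM_PORT:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

def dropped_file_hits(paths):
    """Return paths matching the dropped-file indicators. ftp[1].exe is matched
    by name inside any 'Temporary Internet Files' tree, since the IE cache
    folder varies per user profile."""
    hits = []
    for p in paths:
        low = p.lower()
        in_ie_cache = "temporary internet files" in low and low.endswith(r"\ftp[1].exe")
        if low in DROPPED_FILES or in_ie_cache:
            hits.append(p)
    return hits
```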

