[unisog] Worm exploiting Symantec client defect?????

Karen A Swanberg swanberg at tc.umn.edu
Mon Nov 27 23:33:24 GMT 2006


Yes. There is a bot spreading via the SAV vulnerability listed here:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
The C&C is at www.flackware.info, and their DNS has changed at least three
times today.

This pops fully patched (OS-wise) 2000/XP boxes, unless the SAV port is
firewalled (2967).

I have not done the work on this; others have. I suspect a more thorough
write-up is on the way. Please don't ask me more; this is all I know.

on 11/27/06, at 5:22pm -0500, Gary Flynn wrote:

> Anyone know anything more about what SANS
> is reporting on this?
>
> http://isc.sans.org//index.php
>
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
>

-                                                     -
Karen Swanberg                  University of Minnesota
            Office of Information Technology
             Security and Assurance (OITSec)
-         swanberg :at: umn.edu | 612-625-8807        -

    "I wanna live, I wanna experience the universe,
              and I wanna eat pie." -Urgo

