[unisog] More: Bot outbreak exploiting SYM06-010

Elliot Kendall ekendall at brandeis.edu
Tue Nov 28 21:24:36 GMT 2006

On 2006-11-28 14:47:23 -0600, robin wrote:
> Various articles keep saying "patch" as regards symantec and
> SYM06-010. I'm getting the impression (possibly wrong) that in
> Symantec lingo one doesn't patch to an "MR" level, that one has to
> install to an MR level. (Is that true?)

An attacker answered this question for me. I had an exploited machine
on the 25th, which looks like it was a manual job rather than the work
of the bots going around now. The first thing the attacker did was
patch SAV to keep anyone else from getting in the same way. Here's a
directory listing showing the relevant files:

 Volume in drive C is PRESARIO
 Volume Serial Number is 64CE-D752
 Directory of C:\RECYCLER
11/25/2006  10:34 AM               307 check.txt
11/25/2006  10:31 AM            45,056 patch.exe
11/25/2006  10:35 AM                96 patchlog.txt
11/25/2006  10:32 AM         2,997,248 SAVCE_10.0.2.2002_Frm_2000_AllWin_EN.msp
               4 File(s)      3,042,707 bytes
               0 Dir(s)  21,208,899,584 bytes free

The msp file is available from Symantec:


And there also seems to be one for going from to .2002:


I don't know how the version number maps to Symantec's notions of MR
levels, but I do know that the Metasploit plugin only works on

Elliot Kendall <ekendall at brandeis.edu>
Systems Administrator
Brandeis University