Attempting to migrate from 10.x to a newer version fails after becoming infected with a worm which exploits SYM06-010

Article:TECH102079  |  Created: 2007-01-04  |  Updated: 2007-01-11  |  Article URL http://www.symantec.com/docs/TECH102079
Article Type
Technical Solution

Product(s)

Issue



You attempt to migrate to a newer version of Symantec Client Security or Symantec AntiVirus after becoming infected with Spybot.worm. You have noticed that the migration fails and you are unable to install the newer version of Symantec Client Security.


Solution



This can happen if the Symantec AntiVirus service stops responding after the infection. To solve the problem, remove the worm that Symantec AntiVirus detects before you begin migration.

To remove the worm and migrate Symantec AntiVirus
  1. Disconnect the computer from the network.
  2. On a different, uninfected computer, go to the Symantec Security Response Threat Explorer, and search for the name of the worm.
  3. Follow the removal instructions in the writeup for that worm.
  4. Restart the computer.
  5. Migrate to a version of Symantec Client Security or Symantec AntiVirus that is not vulnerable to the vulnerability described in Advisory SYM06-010.


If you are still unable to migrate, you may need to disable the Symantec AntiVirus service manually.

To disable the Symantec AntiVirus service
  1. Turn off Tamper Protection.
  2. In the Services applet in the Control Panel, set the Symantec AntiVirus service to Manual.
  3. Restart the computer.
  4. Migrate to a version of Symantec Client Security or Symantec AntiVirus that is not vulnerable to the vulnerability described in Advisory SYM06-010.


Note: In order to prevent reinfection, all vulnerable software on the computer must be updated to protect against this threat. Upgrading Symantec Client Security alone is not sufficient if the worm still has other entry points.






Technical Information
Additional Information:


Threat Advisory Center: Spybot Worm Causing Network Problems

Removal tool for the .ADMN variant of SpyBot: http://www.symantec.com/security_response/writeup.jsp?docid=2007-010316-2308-99&tabid=3



Legacy ID



2007010412434648


Article URL http://www.symantec.com/docs/TECH102079


Terms of use for this information are found in Legal Notices