Spybot attempts to exploit old vulnerability
Symantec has confirmed the existence of a new worm called W32.Spybot.ACYR, which takes advantage of several Microsoft vulnerabilities. The worm also attempts to exploit a previously addressed vulnerability in Symantec Client Security and Symantec Antivirus, SYM06-010; patches for the particular Symantec product vulnerability have been available since Thursday, May 25, 2006. As a result, customers who have applied the patch in their environment are unaffected by the worm’s attempt to leverage the Symantec vulnerability for an attack. Customers running Symantec Client Security or Symantec intrusion prevention (IPS) capable products are protected against all known and unknown exploits of SYM06-010 via IPS signatures released on May 26, 2006.
At the present time, we are seeing a spike in traffic on Port 2967 with activity only in the .edu domain. Based on Symantec’s intelligence, the impact of the attack is minimal thus far. Detection for W32.Spybot.ACY is available through rapid release sequence #61675 as W32.Spybot.Worm, but this has been subsequently renamed to W32.Spybot.ACYR. Certified definition for this worm are scheduled for release on Tuesday, November 28, 2006.
To mitigate the attack, customers are advised to update their products to the latest available security updates from Symantec. Customers are also advised to ensure that they apply all relevant patches, if they have not already done so. For those who are unable to apply the appropriate Symantec patch, it is recommended that they consider blocking Port 2967 at their firewall. Symantec Security Response will continue to monitor the situation and provide updates as needed.