Yellow Worm spreads via vulnerability in Symantec anti-virus software
Seven months after publication of a critical vulnerability in Symantec anti-virus products by eEye, the vulnerability is once more causing a stir. eEye has issued warnings about "Yellow Worm", which infects systems via the vulnerability and turns them into bots. To do so it downloads further files from a remote server.
Back in May, eEye flagged up the vulnerability's potential for a worm outbreak. Since Symantec's anti-virus products are installed on around 200 million business and private systems, concerns about a worm outbreak were not unreasonable. However, at the time, there were no signs of any worms spreading via the vulnerability, especially as an update in June fixed the problem. Clearly this update has not been installed on a large number of computers.
eEye has been observing the download server of the worm for some time and has apparently determined that files have been downloaded by 60,000 different systems. Yellow Worm installs programs including a key logger. eEye gives a detailed description of the bot and worm in its advisory.
Symantec also has the worm on its radar and has named it Sagevo. However, by Saturday Symantec had received reports from just three affected customers. The supplier has told US media that it has been unable to identify anything above normal background noise. Nevertheless, the company has now confirmed, as part of its DeepSight network, which monitors many thousands of customers, some spikes in its port access statistics that are caused by Sagevo. The Internet Storm Center has likewise observed such an increase: over the last few days it has registered a considerable rise in scans on TCP port 2967, the port on which the Symantec client listens for incoming connections from the management and update server.
Symantec has released signatures to recognise this piece of malware. Some other anti-virus scanners remain at present blind to this threat. eEye recommends that users check that the latest versions of the following products are installed as soon as possible:
Symantec AntiVirus 10.0.x for Windows
Symantec AntiVirus 10.1.x for Windows
Symantec Client Security 3.0.x for Windows
Symantec Client Security 3.1.x for Windows
In addition, firewalls should be set to block port 2967.
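The rise in TCP port 2967 scans that DeepSight and the Internet Storm Center report is something an administrator can also look for in their own perimeter firewall logs. The following script is an added example, not code from eEye, Symantec or the Internet Storm Center: it parses a few constructed log lines in an assumed "timestamp ACTION PROTO src:port -> dst:port" format (real firewalls use their own formats, so the regular expression is a placeholder to adapt), counts how many distinct internal hosts each external source has tried to reach on TCP/2967, and flags sources that sweep more than one host. Because the page notes that 2967 is the port the Symantec client legitimately listens on for its management and update server, the function takes an ignore list so that the real management server's address (here a constructed placeholder) is not reported as a scanner.

```python
import re

# Constructed sample firewall log lines (not real traffic); the format is an
# assumption chosen for this example and will differ from your firewall's.
SAMPLE_LOG = """\
2006-12-16T10:00:01 DENY TCP 198.51.100.7:4431 -> 192.0.2.10:2967
2006-12-16T10:00:02 DENY TCP 198.51.100.7:4432 -> 192.0.2.11:2967
2006-12-16T10:00:02 DENY TCP 203.0.113.5:1050 -> 192.0.2.12:2967
2006-12-16T10:00:03 ALLOW TCP 192.0.2.20:2100 -> 192.0.2.10:445
2006-12-16T10:00:04 DENY TCP 198.51.100.7:4433 -> 192.0.2.12:2967
2006-12-16T10:00:05 DENY UDP 203.0.113.5:1050 -> 192.0.2.12:2967
2006-12-16T10:00:06 DENY TCP 203.0.113.9:2222 -> 192.0.2.13:2967
2006-12-16T10:00:07 ALLOW TCP 192.0.2.2:3050 -> 192.0.2.10:2967
2006-12-16T10:00:08 ALLOW TCP 192.0.2.2:3051 -> 192.0.2.11:2967
"""

# Placeholder address for the site's own Symantec management server, which
# legitimately connects to clients on TCP/2967 and must not be flagged.
MANAGEMENT_SERVER = "192.0.2.2"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scanners_for_port(log_text, port=2967, proto="TCP", ignore=()):
    """Map each source address to the number of distinct destination hosts it
    contacted on the given port/protocol. Sources in `ignore` are skipped."""
    targets = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != proto or int(rec["dport"]) != port:
            continue
        if rec["src"] in ignore:
            continue
        targets.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


def flag_sweeps(per_source, min_hosts=2):
    """Return sources that touched at least `min_hosts` distinct hosts, i.e. a
    sweep across the network rather than a single connection attempt."""
    return sorted(src for src, n in per_source.items() if n >= min_hosts)


if __name__ == "__main__":
    counts = scanners_for_port(SAMPLE_LOG, ignore=(MANAGEMENT_SERVER,))
    for src in flag_sweeps(counts):
        print(f"possible TCP/2967 sweep from {src}: {counts[src]} hosts")
```

Run against the constructed lines above, only 198.51.100.7 is reported (three hosts on TCP/2967); the UDP line is ignored, the single-host sources fall under the threshold, and the management server's own connections are excluded. The threshold and the ignore list are the two knobs to tune per site before using this as a hunting query.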