'Big Yellow' worm exploits slow Symantec patchers
Worm spotted targeting 6-month-old vulnerability in AV products.
An alert has been issued by eEye Digital Security researchers for a new worm, which they have called 'Big Yellow', exploiting a vulnerability in Symantec products detected and patched six months ago.

The worm, which Symantec is calling W32.Sagevo, targets a flaw in the remote management interface of Symantec Antivirus and Symantec Client Security products for Windows to gain escalated privileges for spreading, as well as attempting to download a backdoor trojan.
The flaw was patched by Symantec in June, a few weeks after its discovery. Symantec noted the existence of exploit code two weeks ago, and still rates the risk as 'low', with only a handful of reports of users affected by the worm. However, SANS, among others, has reported increased activity targeting the port used by the worm, and anyone still running Symantec products not updated since June is advised to apply the patch.
Symantec's announcement of the flaw is here, and eEye's alert on the worm is here.
18 December 2006
Tags:
virus

