February 5, 2012

Very Simple Solaris Root Exploit

There is an incredibly simple root exploit for computers running the Solaris operating system with telnet enabled. Having telnet enabled is a bad idea in general, and particularly so on a forward-facing or internet-connected machine, but this exploit is so simple, and Solaris boxes are so popular for forward-facing roles such as web servers, that it deserves attention. In general we would not be concerned with Solaris exploits at Managed Solutions. However, this particular exploit has ramifications for all of us. Anything with the potential to become a very successful internet worm has the potential to affect the general availability of services we rely on. It could also lead to a compromise of our personal information, should one of the hosts through which we made a credit card purchase be compromised. We will continue to monitor worm activity and update this article with any significant details.

As of 2/28/2007 there is a worm circulating for this previously reported simple exploit. We are actually surprised it took this long for something to hit the wild. Hopefully most organizations have patched the vulnerability by now. Unfortunately, things like this are far too often dealt with in a reactive fashion.


“Big Yellow” Worm Circulating

There is a new worm circulating tonight that infects machines running vulnerable versions of Symantec Client Security (version 3) and Symantec AntiVirus Corporate Edition (version 10). Once a machine is infected it downloads a package from an FTP server and then begins scanning for more vulnerable machines to infect. If you have a vulnerable version of these products you can protect yourself from this worm by installing the patches available from Symantec.

It is not likely that this worm would infect small networks behind a firewall or other NAT device, since NAT blocks the unsolicited inbound connections it needs to spread, but it is still advisable to patch any systems running these products. As with anything else of this nature, contact your IT department for more information or if you think your machine may be infected. If you'd like to learn more about the worm or this vulnerability, the best resource we are aware of right now is eEye.

Now, for the technical types, some additional information. I connected to the FTP server mentioned in the eEye article and discovered the following:

[21:38:45] 220-This Server is running since 2 days and 7:31 hours,
[21:38:45] 220-and has been accessed 91607 times, 325 in the last 24 hours.
[21:38:45] 220-There are now 1 users logged in, Max allowed : Unlimited.

It is possible that this worm has been downloaded by over 91,000 infected machines as of 9:38 PM PST on Friday, December 15th, 2006; the banner counts connections rather than distinct hosts (and includes curious visitors like us), so treat the figure as rough. The spread does appear to have slowed mysteriously in the past 24 hours: 325 connections in that window against an average of roughly 1,650 per hour over the server's reported uptime. It is possible that the .exe was modified to access a new FTP server and that variants already exist.
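To make the inference above concrete, here is an added example (not part of the original post, and not the worm's or eEye's code) that parses a multi-line FTP greeting as defined in RFC 959 and compares the server's average access rate over its uptime with the rate over the last 24 hours. The sample banner is constructed from the three "220-" lines quoted above plus an assumed terminating "220 " line; the layout of the counters inside the text is assumed from those lines, and the parser rejects replies that are malformed or unterminated, since a banner is attacker-controlled input.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three "220-" lines quoted above, plus an ASSUMED
# final "220 " line, which is how RFC 959 terminates a multi-line reply.
SAMPLE_GREETING = (
    "220-This Server is running since 2 days and 7:31 hours,\r\n"
    "220-and has been accessed 91607 times, 325 in the last 24 hours.\r\n"
    "220-There are now 1 users logged in, Max allowed : Unlimited.\r\n"
    "220 Welcome.\r\n"
)


def parse_multiline_reply(raw: str) -> List[str]:
    """Return the text lines of one FTP reply.

    RFC 959: a multi-line reply opens with 'NNN-' and closes with a line
    starting with 'NNN ' (same code followed by a space). Intermediate lines
    may start with anything, so the terminator is detected by the code+space
    prefix. Raises ValueError on a malformed or unterminated reply.
    """
    lines = raw.splitlines()
    if not lines or not re.match(r"^\d{3}[ -]", lines[0]):
        raise ValueError("not an FTP reply")
    code = lines[0][:3]
    if lines[0][3] == " ":            # single-line reply
        return [lines[0][4:]]
    out = [lines[0][4:]]
    for line in lines[1:]:
        if line.startswith(code + " "):   # terminating line
            out.append(line[4:])
            return out
        out.append(line[4:] if line.startswith(code + "-") else line)
    raise ValueError("unterminated multi-line reply")


# Field layout ASSUMED from the quoted banner text.
STATS_RE = re.compile(
    r"running since (\d+) days? and (\d+):(\d+) hours.*?"
    r"accessed (\d+) times, (\d+) in the last 24 hours",
    re.S,
)


def extract_stats(reply_lines: List[str]) -> Optional[Dict[str, float]]:
    """Pull uptime and hit counters out of the greeting; None if absent."""
    m = STATS_RE.search("\n".join(reply_lines))
    if not m:
        return None
    days, hours, minutes, total, last24 = (int(x) for x in m.groups())
    return {
        "uptime_hours": days * 24 + hours + minutes / 60,
        "total_hits": total,
        "last24_hits": last24,
    }


def hit_rates(stats: Dict[str, float]) -> Dict[str, float]:
    """Average hits/hour over uptime vs hits/hour in the last 24 hours.

    ratio < 1 means the recent rate is below the long-run average, i.e. the
    downloads (and so, presumably, new infections) have slowed.
    """
    avg = stats["total_hits"] / stats["uptime_hours"]
    recent = stats["last24_hits"] / 24
    return {"avg_per_hour": avg, "recent_per_hour": recent, "ratio": recent / avg}


def analyze_greeting(raw: str) -> Dict[str, float]:
    """Parse a raw greeting and return counters plus derived rates."""
    stats = extract_stats(parse_multiline_reply(raw))
    if stats is None:
        raise ValueError("greeting did not carry the expected counters")
    return {**stats, **hit_rates(stats)}


if __name__ == "__main__":
    r = analyze_greeting(SAMPLE_GREETING)
    print(f"uptime {r['uptime_hours']:.1f} h, {r['total_hits']} connections total")
    print(f"average {r['avg_per_hour']:.0f}/h vs last 24 h "
          f"{r['recent_per_hour']:.1f}/h (ratio {r['ratio']:.3f})")
```

Reading only the greeting, before any login, is enough for this kind of check; the parser stops at the terminating line so a server that pads its banner with extra text cannot run the reader past the reply.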

