Surviving Big Yellow
There is a worm gaining momentum that attacks vulnerable Symantec Antivirus installations. The patch for the vulnerability was released in June ’06, but unfortunately it has to be installed manually; it is not distributed through LiveUpdate.
eEye.com has a nice write-up on the worm.
Things you can do to mitigate this vulnerability while you deploy the patch include:
- Block port 2967 in and out of your network at the border gateway
- If you can, take the extra step and also block that port at your VLAN ACLs, permitting that port to/from only your server subnet
- Block access to “NL.exe”. Granted, if the file name changes this becomes ineffective.
- Remove administrative privileges from normal users. The worm deletes wuauclt.exe from %SystemRoot%\system32\ and replaces it with its own copy, and administrator access is required to write to %SystemRoot%\system32\.
- Prevent writing of %SystemRoot%\system32\wins\svchost.exe
This one is particularly nasty for enterprise networks because its scanning routine targets the local subnet of the compromised workstation. It’s highly likely that if there is one vulnerable machine on the network there are others.
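Because the worm sweeps the compromised host’s own subnet on TCP 2967, a border or VLAN firewall log will show one workstation touching many neighbours on that port. The following is an added detection example (not from the original post or from eEye); the log format and the flagging threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (not real traffic), assumed format:
# "<timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2006-12-15T10:01:02 DENY TCP 10.1.5.20:1055 -> 10.1.5.21:2967
2006-12-15T10:01:02 DENY TCP 10.1.5.20:1056 -> 10.1.5.22:2967
2006-12-15T10:01:03 DENY TCP 10.1.5.20:1057 -> 10.1.5.23:2967
2006-12-15T10:01:03 ALLOW TCP 10.1.5.20:1058 -> 10.1.5.24:2967
2006-12-15T10:01:04 DENY TCP 10.1.5.20:1059 -> 10.1.5.25:2967
2006-12-15T10:01:05 ALLOW TCP 10.1.5.30:1100 -> 10.1.9.10:2967
2006-12-15T10:01:06 ALLOW TCP 10.1.5.31:1200 -> 10.1.9.10:445
"""

SAV_PORT = 2967   # Symantec AV port named in the post
THRESHOLD = 4     # assumed: distinct same-subnet targets before a host is flagged

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) from one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    src_ip, _ = parts[3].rsplit(":", 1)
    dst_ip, dst_port = parts[5].rsplit(":", 1)
    return src_ip, dst_ip, int(dst_port)

def find_subnet_scanners(log_text, prefix_len=24, threshold=THRESHOLD):
    """Count, per source, the distinct hosts in its own subnet it contacted on 2967.

    Traffic to other subnets (e.g. the legitimate server subnet the post says to
    permit) is ignored. Returns [(src_ip, count), ...] at/above threshold, highest first.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port != SAV_PORT:
            continue
        src_net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        if ipaddress.ip_address(dst) in src_net:
            targets[src].add(dst)
    hits = [(s, len(d)) for s, d in targets.items() if len(d) >= threshold]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    for src, count in find_subnet_scanners(SAMPLE_LOG):
        print(f"{src} contacted {count} hosts in its own /24 on TCP {SAV_PORT}")
```

Cross-subnet connections to port 2967 are deliberately not counted, so a workstation talking only to the management server in the server subnet is not flagged.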
For more information about this topic
