Via Port 2967

Nov 29, 2006 15:05 GMT  ·  By

Symantec has warned of the discovery of W32.Spybot.ACYR, a new worm that targets an array of old vulnerabilities dating as far back as July 16, 2003. Spybot.ACYR is designed to exploit seven vulnerabilities: five in Microsoft products, one in Symantec products and the Multiple Vendor FTPD realpath Vulnerability.

The following vulnerabilities are associated with Microsoft products:

- The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026)
- The Microsoft Windows Message Queuing Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-017)
- The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007)
- The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-017)
- The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-040)

Users of unpatched versions of Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP are vulnerable to attack.

Additionally, the Symantec Client Security and Symantec AntiVirus elevation-of-privilege vulnerabilities are also a vector for the worm's spread, alongside network shares protected by weak passwords.

"At the present time, we are seeing a spike in traffic on Port 2967 with activity only in the .edu domain. Based on Symantec's intelligence, the impact of the attack is minimal thus far. Detection for W32.Spybot.ACY is available through rapid release sequence #61675 as W32.Spybot.Worm, but this has been subsequently renamed to W32.Spybot.ACYR. Certified definitions for this worm are scheduled for release on Tuesday, November 28, 2006," revealed Symantec.

Patching the software you have deployed accordingly will protect you against this threat. Another mitigating factor is blocking Port 2967 at your firewall.
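To act on the port 2967 spike Symantec describes above, a defender can watch firewall logs for internal hosts fanning out to many destinations on that port, which is how worm propagation against Symantec Client Security hosts would look. The following is an added example, not code from the article or from Symantec; it assumes a simple key=value firewall log format and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value firewall log format
# (not Symantec's and not from the article).
SAMPLE_LOG = """\
2006-11-29T14:58:01 action=allow proto=tcp src=10.1.4.22 dst=10.1.7.10 dport=2967
2006-11-29T14:58:01 action=allow proto=tcp src=10.1.4.22 dst=10.1.7.11 dport=2967
2006-11-29T14:58:02 action=allow proto=tcp src=10.1.4.22 dst=10.1.7.12 dport=2967
2006-11-29T14:58:02 action=allow proto=tcp src=10.1.4.22 dst=10.1.7.13 dport=2967
2006-11-29T14:58:03 action=allow proto=tcp src=10.1.4.22 dst=10.1.7.14 dport=2967
2006-11-29T14:58:03 action=allow proto=tcp src=10.1.4.22 dst=10.1.7.15 dport=2967
2006-11-29T14:58:04 action=allow proto=tcp src=10.1.9.5 dst=10.1.7.10 dport=2967
2006-11-29T14:58:05 action=allow proto=tcp src=10.1.4.22 dst=10.1.7.16 dport=445
2006-11-29T14:58:05 action=allow proto=tcp src=10.1.9.5 dst=10.1.7.10 dport=80
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

WORM_PORT = 2967  # the Symantec Client Security port named in the article

def parse_log(text):
    """Yield (src, dst, dport) for each TCP line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == "tcp":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))

def port_fanout(text, port=WORM_PORT):
    """Count the distinct destinations each source contacted on the given port."""
    targets = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

def flag_scanners(text, port=WORM_PORT, threshold=5):
    """Return sources whose fan-out on the port meets the threshold.
    A workstation normally talks to a single management server on 2967,
    so one host reaching many peers on that port is the signal to alert on."""
    return sorted(src for src, n in port_fanout(text, port).items() if n >= threshold)

if __name__ == "__main__":
    fanout = port_fanout(SAMPLE_LOG)
    for src in flag_scanners(SAMPLE_LOG):
        print(f"possible Spybot.ACYR propagation: {src} reached {fanout[src]} hosts on tcp/{WORM_PORT}")
```

The threshold is a starting point; tune it against a baseline of normal management traffic on your own network before alerting.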