Looks like another vulnerability gone automated. Symantec AntiVirus and Client Security had a serious security issue announced on May 24, 2006, and a patch was available by June 12, 2006. Public exploits started appearing around the end of November, perhaps as prototype attacks, and the attack has now achieved self-propagation status. Symantec software, and antivirus software in general, is usually pretty good at staying up to date if configured properly. Unfortunately, it appears many thousands of systems are still unpatched and spreading the infection, and thus we have the Big Yellow Worm. The affected software runs only on Windows (any version); the vulnerable versions are:
Symantec AntiVirus 10.0.x
Symantec AntiVirus 10.1.x
Symantec Client Security 3.0.x
Symantec Client Security 3.1.x
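A quick way to turn that version list into a triage pass over your inventory. This is an added example, not code from the original post or from Symantec: it classifies product/version strings against the four affected branches listed above (comparing version components numerically, so a string-prefix test cannot confuse a hypothetical 10.10.x with 10.1.x) and can optionally check whether tcp/2967, the port the worm attacks, is reachable on each flagged host. The host names and version strings in the sample inventory are constructed for illustration.

```python
"""Big Yellow worm triage helper (added example, not from the original post).

Flags hosts whose Symantec AntiVirus / Client Security version falls in the
affected branches listed above, and optionally probes tcp/2967 on them.
Host names and versions in SAMPLE_INVENTORY are constructed sample data.
"""
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Affected (major, minor) branches per product, from the version list above.
VULNERABLE = {
    "Symantec AntiVirus": {(10, 0), (10, 1)},
    "Symantec Client Security": {(3, 0), (3, 1)},
}
WORM_PORT = 2967  # Rtvscan management port; the port the worm attacks


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.1.0.394 MR1' -> (10, 1, 0, 394): numeric components, trailing text ignored."""
    parts = []
    for piece in version.strip().split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True if product/version is in an affected branch.

    Compares (major, minor) as integers, so '10.10.x' would not be mistaken
    for '10.1.x' the way a naive string prefix check would.
    """
    v = parse_version(version)
    if len(v) < 2:
        return False
    return (v[0], v[1]) in VULNERABLE.get(product, set())


def port_open(host: str, port: int = WORM_PORT, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds (the worm's precondition)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory: Iterable[Tuple[str, str, str]],
           probe: Optional[Callable[[str], bool]] = None) -> List[Tuple[str, str]]:
    """Return (host, reason) for every host running an affected version.

    inventory: (host, product, version) triples.
    probe: callable(host) -> bool used to test tcp/2967 reachability; pass
           port_open for a live check, or None to classify versions only.
    """
    findings = []
    for host, product, version in inventory:
        if not is_vulnerable(product, version):
            continue
        if probe is None:
            findings.append((host, "vulnerable version %s" % version))
        elif probe(host):
            findings.append((host, "vulnerable version %s and tcp/%d reachable"
                             % (version, WORM_PORT)))
        else:
            findings.append((host, "vulnerable version %s, tcp/%d filtered"
                             % (version, WORM_PORT)))
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-101", "Symantec AntiVirus", "10.1.4.4000"),         # affected
    ("ws-102", "Symantec AntiVirus", "10.2.0.276"),          # not in the list
    ("ws-103", "Symantec Client Security", "3.0.2.2010"),    # affected
    ("ws-104", "Symantec Client Security", "3.1.0.396 MR1"), # affected
    ("srv-01", "Symantec AntiVirus", "9.0.5.1100"),          # not in the list
]

if __name__ == "__main__":
    # Offline run: version classification only. Pass probe=port_open to
    # also check whether tcp/2967 answers on each flagged host.
    for host, reason in triage(SAMPLE_INVENTORY):
        print("%-8s %s" % (host, reason))
```

Feed it the product and version strings from whatever inventory you already have (SMS, System Center, a login script that reads the Symantec registry keys) rather than trusting the management console alone, since hosts that have dropped off management are exactly the ones most likely to be unpatched.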
The countermeasure to prevent infection is trivial: update to the latest version. In the meantime, blocking tcp/2967 where practical might help slow the worm's spread. That is the port the Symantec AntiVirus service listens on for management traffic, including definition updates pushed from a parent server, and it is also the port the worm attacks; so block it at the perimeter and between client subnets rather than on managed clients themselves, where it would also cut off the very updates you need. And of course the other anti-virus vendors can identify the botnet trojan that the worm installs, so if you happen to have a second product running alongside Symantec, you should be covered. That too requires the latest update/signature to be installed.