Iowa State University

Information Technology

W32/Sagevo Worm Exploits Symantec Anti-Virus Package

This news item expired January 4, 2007. It may contain out-of-date information.
This week, several machines on campus have been blocked for what appears to be the W32/Sagevo worm. This worm exploits a vulnerability in Symantec Client Security and Symantec AntiVirus Corporate 10 to infect a computer. Once infected, the machine will scan selected IP addresses for other vulnerable machines, then download and execute a copy of Backdoor.Wualess.B, a remote control Trojan. Infected machines should be assumed to be compromised and treated accordingly.

Users of Symantec Client Security and Symantec AntiVirus Corporate 10 should update their software as described in http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html (dated May 25, 2006). The Norton AntiVirus product line and earlier versions of Symantec AntiVirus Corporate are not affected.

Symantec AntiVirus users can detect and remove the worm with the Daily LiveUpdate or Intelligent Updater from December 14, 2006, or with the Weekly LiveUpdate from December 20, 2006. For more information, see
http://www.symantec.com/security_response/writeup.jsp?docid=2006-121309-3331-99&tabid=1.

Machines using McAfee VirusScan are not vulnerable to this exploit; however, VirusScan can detect and remove the worm with the 4922 DAT files, released December 19, 2006. For more information, see
http://vil.nai.com/vil/content/v_141124.htm.