The eEye Research honeypot network has recently detected a new worm that is attacking systems running versions of Symantec AntiVirus and Symantec Client Security. The “Big Yellow” worm leverages a remote, system-level access vulnerability to take control of machines running vulnerable (unpatched) Symantec software. Once infected, machines download a package from an FTP server and start to seek out other vulnerable systems to attack. At the time of analysis, eEye Research was able to conclude that the FTP server had been accessed 71,513 times within 24 hours, indicating widespread worm infections.

The vulnerability was originally discovered by eEye on May 24, 2006 and patched by Symantec on June 12, 2006. It has been publicly exploited since as early as November 30, but this is the first widespread worm leveraging it for self-propagation. Generally, processes for keeping current on software patches are not in place for non-Microsoft applications such as Symantec AntiVirus/Client Security; therefore, many Symantec users may be at risk from this vulnerability.