High Port 5000 Traffic Indicates Kibuv.b Worm At Work

The latest alert, which notes "extremely heavy activity" on port 5000, is "almost certainly a worm-related activity," said Alfred Huger, the vice president of engineering for Symantec's virus watch group.

The suspected culprit is the Kibuv.b worm, which hit the Internet over the weekend and exploits a vulnerability in Windows' Universal Plug and Play (UPnP) service within Windows 98, Me, and XP. The UPnP vulnerability was first disclosed and patched in late 2001.

"Kibuv.b is taking advantage of a long-ago-patched vulnerability," said Huger, "but we don't consider it a critical threat at the moment."

The quick climb in port 5000 traffic, he said, shows that the worm is getting some traction. A caveat, however, is that the port is infrequently used, so any spike gets the attention of DeepSight, Symantec's global network of sensors that spot developing exploits.

"It's business as usual on the Internet today," said Huger.

Patches for the UPnP vulnerability can be downloaded from the Microsoft Web site or via the Windows Update service.

This story courtesy of TechWeb.