Symantec on Monday said that while worm-scanning activity against its corporate antivirus software had increased over the weekend, the number of infected systems had dropped. According to the security company's own DeepSight sensor network, scanning activity on TCP port 2967 is up. That scanning, said Symantec, is thought to originate with what it calls the "Sagevo" worm, also known as "Big Yellow."
"We're seeing a decrease in the number of unique IP addresses," says Vincent Weafer, senior director with Symantec's security response team. "But we're seeing more scanning activity. That actually makes sense, because as there are fewer unpatched systems, the remaining [infected systems] send out even more scans looking for a target. It eventually reaches a saturation [point]." The number of IP addresses associated with port 2967 scanning has fallen off 80% since late last week, Weafer said.