Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

[Tom Kyle <tom () eos umsl edu>]

Am also seeing this.  Whatever it is, it's EXTREMELY talkative.  Filled up 
my PIX 535's memory with its connections.  And that was two infected hosts.  
This is nasty, just nasty.  Shooting from the hip, it looks like it might
(emphasis on might) be infecting via IIS.

Tom

Thomas A. Kyle
University of Missouri-St. Louis
tkyle () jinx umsl edu
(314) 516-6012

> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m:  udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!
>
> -- 
> Michael Bacarella                  24/7 phone: 646 641-8662
> Netgraft Corporation                   http://netgraft.com/
>       "unique technologies to empower your business"
>
> Finger email address for public key.  Key fingerprint:
>   C40C CB1E D2F6 7628 6308  F554 7A68 A5CF 0BD8 C055