Security Incidents mailing list archives
Re: [unisog] MS-SQL Worm?
From: Jeff Anderson-Lee <jonah () dlp CS Berkeley EDU>
Date: Wed, 21 Nov 2001 13:25:20 -0800
More details today:
Subject: The NIPC Daily Report-21 November 2001
[...]
The NIPC Daily Report Prepared by WWU 21 November 2001
[...]
Additionally, there is a new worm called W32/SQLWorm that has been found in the wild which targets insecure (default) configurations of Microsoft's SQL server that have either (1) "sa" accounts with an empty password and/or (2) the "Extended Stored Procedure Parameter Parsing" vulnerability discussed in Microsoft Security Bulletin MS00-092. The SQL Worm reportedly propagates itself by scanning for systems that have opened port 1433. When it finds a system that has the port open, it downloads the files dnsservice.exe, win32mon.exe, and win32bnc.exe from foo.com (IP Address 207.29.192.160) and starts them. The files appear to be variants of a Distributed Denial of Service tool called "Katen" or "Kaiten." The system then connects to an IRC channel, bots.kujikiri.net, on port 6669 and starts scanning for other vulnerable systems. The NIPC has not received any specific reports of infections, but is currently monitoring this worm and will advise of any changes. Additional details on the worm can be found on the SecurityFocus.com Web site.
Re:
:From: "Douglas P. Brown" <dugbrown () email unc edu>
:To: incidents () securityfocus com, unisog () sans org
:cc: ITS Security <security () unc edu>
:Subject: [unisog] MS-SQL Worm?
:Date: Tue, 20 Nov 2001 09:54:18 -0500
:
:
:We saw a scan come in looking for systems answering on 1433, and
:immediately saw several systems start scanning out for other systems
:answering on 1433 - worm behavior? Has anyone else seen this?
:
:thanks,
:-Doug
:--
:Douglas P. Brown
:University of North Carolina
:Manager of Security Resources
:105 Abernethy Hall
[91 lines deleted]
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
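The pattern reported in this thread (an inbound probe on 1433 followed by the probed hosts scanning outward on 1433, and per the NIPC text an IRC connection on port 6669) can be checked against flow or firewall logs. The following is an added example, not part of the original messages; the record format, the 10.0.0.0/8 internal range, the threshold and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not from the thread): "epoch src dst dport",
# sorted by time. External addresses are documentation ranges.
SAMPLE_FLOWS = """\
1006267000 198.51.100.7 10.1.1.20 1433
1006267005 198.51.100.7 10.1.1.21 1433
1006267030 10.1.1.20 192.0.2.10 1433
1006267031 10.1.1.20 192.0.2.11 1433
1006267032 10.1.1.20 192.0.2.12 1433
1006267033 10.1.1.20 192.0.2.13 1433
1006267034 10.1.1.20 192.0.2.14 1433
1006267040 10.1.1.20 203.0.113.5 6669
1006267050 10.1.1.30 192.0.2.10 1433
1006267060 10.1.1.21 192.0.2.80 80
"""

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
SQL_PORT, IRC_PORT = 1433, 6669       # ports named in the NIPC report
FANOUT_THRESHOLD = 5                  # assumed: distinct outside 1433 targets

def find_suspects(text, internal=INTERNAL, threshold=FANOUT_THRESHOLD):
    """Return internal hosts that were probed on 1433 and then fanned out on 1433."""
    probed_at = {}               # internal host -> time of first inbound 1433 probe
    targets = defaultdict(set)   # internal host -> outside 1433 destinations afterwards
    irc = set()                  # internal hosts that also connected out on 6669
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue             # skip malformed records
        ts, dport = int(parts[0]), int(parts[3])
        src, dst = ip_address(parts[1]), ip_address(parts[2])
        src_in, dst_in = src in internal, dst in internal
        if dport == SQL_PORT and dst_in and not src_in:
            probed_at.setdefault(str(dst), ts)
        elif src_in and not dst_in and ts >= probed_at.get(str(src), float("inf")):
            if dport == SQL_PORT:
                targets[str(src)].add(str(dst))
            elif dport == IRC_PORT:
                irc.add(str(src))
    return {h: {"fanout": len(t), "irc_6669": h in irc}
            for h, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    for host, info in find_suspects(SAMPLE_FLOWS).items():
        print(host, info)
```

A host that scans outward on 1433 without a logged inbound probe (10.1.1.30 in the sample) is deliberately not reported by this check, so a plain outbound-1433 fan-out count is a useful companion query.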