This worm has about 44megs of payload. The payload is MSSQL service pack 3. What if there are worst holes in it. K On Sat, 25 Jan 2003, Stewart, William C (Bill), SALES wrote:
So the worm is sending out tons of UDP1434 packets that let it break into MS-SQL servers and reproduce, and that's certainly annoying because of the traffic floods. But is it carrying anything else that will do more damage, or anything that leaves it a security hole to be exploited later? It would be really annoying if machines that aren't cleaned up later reformat themselves or hang out waiting for further instructions.
Also, several people have commented that restarting their MS-SQL servers stops the problem. Does it just stop the flooding, but leave code there, or does the worm strictly live in transitory data space that's really gone after a restart.
Several people have talked about bursts of ICMP or 6667 traffic, and those are probably unrelated, but maybe not. (What? More than one cracker on the net or more than one program that chokes when overloaded? Who'd'a' thunk it!)