From: "Stewart, William C (Bill), SALES"
But is it carrying anything else that will do more damage, or anything that leaves it a security hole to be exploited later? It would be really annoying if machines that aren't cleaned up later reformat themselves or hang out waiting for further instructions.
All disassembly analasis made shows that it is a simplistic worm designed to break in, execute, and start sending itself out. No system damage or host embedding has been detected. The writer of the worm had no intentions of causing permanent damage.
Also, several people have commented that restarting their MS-SQL servers stops the problem. Does it just stop the flooding, but leave code there, or does the worm strictly live in transitory data space that's really gone after a restart.
It's really gone after a restart.
Several people have talked about bursts of ICMP or 6667 traffic, and those are probably unrelated, but maybe not. (What? More than one cracker on the net or more than one program that chokes when overloaded? Who'd'a' thunk it!)
Paranoia. Engineers ignore a lot of things until something critical hits. Then they go overboard analyzing every little packet that doesn't seem right. In general, as most EUs are finding out as they install them pesky firewalls, the 'net is full of "noise". Jack Bates Network Engineer BrightNet Oklahoma