Does the Worm have another Payload besides 1434 Floods?
So the worm is sending out tons of UDP1434 packets that let it break into MS-SQL servers and reproduce, and that's certainly annoying because of the traffic floods. But is it carrying anything else that will do more damage, or anything that leaves it a security hole to be exploited later? It would be really annoying if machines that aren't cleaned up later reformat themselves or hang out waiting for further instructions. Also, several people have commented that restarting their MS-SQL servers stops the problem. Does it just stop the flooding, but leave code there, or does the worm strictly live in transitory data space that's really gone after a restart. Several people have talked about bursts of ICMP or 6667 traffic, and those are probably unrelated, but maybe not. (What? More than one cracker on the net or more than one program that chokes when overloaded? Who'd'a' thunk it!)
From: "Stewart, William C (Bill), SALES"
> But is it carrying anything else that will do more damage, or anything that leaves it a security hole to be exploited later? It would be really annoying if machines that aren't cleaned up later reformat themselves or hang out waiting for further instructions.

All disassembly analysis made shows that it is a simplistic worm designed to break in, execute, and start sending itself out. No system damage or host embedding has been detected. The writer of the worm had no intentions of causing permanent damage.

> Also, several people have commented that restarting their MS-SQL servers stops the problem. Does it just stop the flooding, but leave code there, or does the worm strictly live in transitory data space that's really gone after a restart.

It's really gone after a restart.

> Several people have talked about bursts of ICMP or 6667 traffic, and those are probably unrelated, but maybe not. (What? More than one cracker on the net or more than one program that chokes when overloaded? Who'd'a' thunk it!)

Paranoia. Engineers ignore a lot of things until something critical hits. Then they go overboard analyzing every little packet that doesn't seem right. In general, as most EUs are finding out as they install them pesky firewalls, the 'net is full of "noise".

Jack Bates
Network Engineer
BrightNet Oklahoma
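The thread's practical question for an operator is which hosts on the local network are the ones spraying UDP/1434 at everything, since those are the infected MS-SQL boxes that need to be pulled off the wire (and that will be clean again after a restart, per the reply above, but re-exposed unless filtered or patched). The following is an added example, not code from any poster in this thread: it runs simple detection logic over flow-style log lines, flagging any source that sends UDP/1434 to many distinct destination hosts, while leaving a normal client that talks to one SQL server alone. The log format and all addresses are constructed for the example; a real firewall or netflow export would need its own parser.

```python
"""Flag hosts spraying UDP/1434 (the MS-SQL resolution port the worm in
this thread abuses) from flow-style log lines.

Added example for this thread, not any poster's code. The line format
and all sample addresses are constructed; real exports differ.
"""
import re
from collections import defaultdict

# Constructed format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: 10.1.2.3 sprays 13 packets at 12 distinct hosts
# (one destination repeats), 10.1.5.7 is a normal client talking to a
# single SQL server, and the last two lines are unrelated traffic.
SAMPLE_LOG = """\
2003-01-25T05:31:00 UDP 10.1.2.3:1190 -> 203.0.113.9:1434
2003-01-25T05:31:00 UDP 10.1.2.3:1190 -> 203.0.113.77:1434
2003-01-25T05:31:00 UDP 10.1.2.3:1190 -> 198.51.100.44:1434
2003-01-25T05:31:01 UDP 10.1.2.3:1190 -> 198.51.100.5:1434
2003-01-25T05:31:01 UDP 10.1.2.3:1190 -> 192.0.2.18:1434
2003-01-25T05:31:01 UDP 10.1.2.3:1190 -> 192.0.2.200:1434
2003-01-25T05:31:01 UDP 10.1.2.3:1190 -> 203.0.113.130:1434
2003-01-25T05:31:02 UDP 10.1.2.3:1190 -> 198.51.100.201:1434
2003-01-25T05:31:02 UDP 10.1.2.3:1190 -> 192.0.2.99:1434
2003-01-25T05:31:02 UDP 10.1.2.3:1190 -> 203.0.113.250:1434
2003-01-25T05:31:02 UDP 10.1.2.3:1190 -> 198.51.100.8:1434
2003-01-25T05:31:03 UDP 10.1.2.3:1190 -> 192.0.2.33:1434
2003-01-25T05:31:03 UDP 10.1.2.3:1190 -> 203.0.113.9:1434
2003-01-25T05:31:03 UDP 10.1.5.7:3344 -> 10.1.9.9:1434
2003-01-25T05:31:04 UDP 10.1.5.7:3345 -> 10.1.9.9:1434
2003-01-25T05:31:04 TCP 10.1.5.7:3346 -> 10.1.9.9:1433
2003-01-25T05:31:05 UDP 10.1.6.6:5353 -> 10.1.0.1:53
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do
    not match the constructed format (blank lines, other log noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_sprayers(lines, min_targets=10):
    """Return {src: distinct_destination_count} for every source that sent
    UDP/1434 to at least min_targets distinct destination hosts.

    Counting distinct destinations rather than raw packets is what
    separates a worm scanning the address space from a legitimate client
    that re-sends a few packets to the one SQL server it actually uses."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != 1434:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in sorted(find_sprayers(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} sent UDP/1434 to {n} distinct hosts: likely infected")
```

The threshold of 10 distinct destinations is an arbitrary starting point for the constructed sample; on a real network it should sit above the number of SQL servers any one client legitimately resolves, and the same per-source distinct-destination count works for any port a scanning worm sprays, not just 1434.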
This worm has about 44megs of payload. The payload is MSSQL service pack 3. What if there are worse holes in it.

K

On Sat, 25 Jan 2003, Stewart, William C (Bill), SALES wrote:
> So the worm is sending out tons of UDP1434 packets that let it break into MS-SQL servers and reproduce, and that's certainly annoying because of the traffic floods. But is it carrying anything else that will do more damage, or anything that leaves it a security hole to be exploited later? It would be really annoying if machines that aren't cleaned up later reformat themselves or hang out waiting for further instructions.
>
> Also, several people have commented that restarting their MS-SQL servers stops the problem. Does it just stop the flooding, but leave code there, or does the worm strictly live in transitory data space that's really gone after a restart.
>
> Several people have talked about bursts of ICMP or 6667 traffic, and those are probably unrelated, but maybe not. (What? More than one cracker on the net or more than one program that chokes when overloaded? Who'd'a' thunk it!)
participants (3)
- Jack Bates
- Krzysztof Adamski
- Stewart, William C (Bill), SALES