Re: [unisog] MS-SQL Worm?

From: Jeff Anderson-Lee (jonahat_private)
Date: Wed Nov 21 2001 - 13:25:20 PST

    More details today:
    
    > Subject: The NIPC Daily Report-21 November 2001
    [...]
    > The NIPC Daily Report
    > Prepared by WWU
    > 21 November 2001
    [...]
    > Additionally, there is a new worm called W32/SQLWorm that has been found in
    > the wild which targets insecure (default) configurations of Microsoft's SQL
    > server that have either (1) "sa" accounts with an empty password and/or (2)
    > the "Extended Stored Procedure Parameter Parsing" vulnerability discussed in
    > Microsoft Security Bulletin MS00-092.  The SQL Worm reportedly propagates
    > itself by scanning for systems that have opened port 1433.  When it finds a
    > system that has the port open, it downloads the files dnsservice.exe,
    > win32mon.exe, and win32bnc.exe from foo.com (IP Address 207.29.192.160) and
    > starts them.  The files appear to be variants of a Distributed Denial of
    > Service tool called "Katen" or "Kaiten."  The system then connects to an IRC
    > channel, bots.kujikiri.net, on port 6669 and starts scanning for other
    > vulnerable systems.  The NIPC has not received any specific reports of
    > infections, but is currently monitoring this worm and will advise of any
    > changes.  Additional details on the worm can be found on the
    > SecurityFocus.com Web site.
    
    Re:
     :From:  "Douglas P. Brown" <dugbrownat_private>
     :To:  incidentsat_private, unisogat_private
     :cc:  ITS Security <securityat_private>
     :Subject:  [unisog] MS-SQL Worm?
     :Date:  Tue, 20 Nov 2001 09:54:18 -0500
     :
     :
     :We saw a scan come in looking for systems answering on 1433, and
     :immediately saw several systems start scanning out for other systems
     :answering on 1433 - worm behavior?  Has anyone else seen this?
     :
     :thanks,
     :-Doug
     :-- 
     :Douglas P. Brown
     :University of North Carolina
     :Manager of Security Resources
     :105 Abernethy Hall
     [91 lines deleted]
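A defender-side check for the pattern Doug describes (a host accepts an inbound connection on 1433 and then starts scanning out on 1433, with the report's IRC port 6669 as a secondary indicator). This is an added example written for this archive page, not code from the thread or from NIPC; the log format, the 192.0.2.0/24 "local" prefix and all addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed firewall-style connection records (not from the original post):
# "<seq> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
1 10.9.9.9 -> 192.0.2.10:1433 ACCEPT
2 10.9.9.9 -> 192.0.2.11:1433 DENY
3 192.0.2.10 -> 203.0.113.5:6669 ACCEPT
4 192.0.2.10 -> 198.51.100.1:1433 ACCEPT
5 192.0.2.10 -> 198.51.100.2:1433 DENY
6 192.0.2.10 -> 198.51.100.3:1433 DENY
7 192.0.2.10 -> 198.51.100.4:1433 DENY
8 192.0.2.20 -> 198.51.100.9:1433 ACCEPT
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\w+)$")


def find_worm_candidates(log_text, local_prefix="192.0.2.", fanout=3):
    """Return {host: reasons} for local hosts that accepted an inbound 1433
    connection and afterwards contacted at least `fanout` distinct hosts on
    1433 (outbound 6669 after the inbound hit is reported as a second reason)."""
    inbound_1433 = {}                   # host -> seq of first accepted inbound 1433
    outbound_1433 = defaultdict(set)    # host -> distinct 1433 targets after that
    irc_6669 = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # ignore lines that do not fit the constructed format
        seq, src, dst, port, action = int(m[1]), m[2], m[3], int(m[4]), m[5]
        if port == 1433 and action == "ACCEPT" and dst.startswith(local_prefix):
            inbound_1433.setdefault(dst, seq)
        # only outbound activity *after* the inbound hit counts toward the pattern
        if src in inbound_1433 and seq > inbound_1433[src]:
            if port == 1433:
                outbound_1433[src].add(dst)
            elif port == 6669:
                irc_6669.add(src)
    findings = {}
    for host, targets in outbound_1433.items():
        if len(targets) >= fanout:
            reasons = [f"inbound 1433 then {len(targets)} outbound 1433 targets"]
            if host in irc_6669:
                reasons.append("outbound IRC on 6669")
            findings[host] = reasons
    return findings
```

The fan-out threshold is the knob to tune against normal application traffic; a single host that legitimately talks to several SQL servers should not trip it.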
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    