Re: Major Internet Disruptions since last night

> Subject: MSSQL Server Worm CERT Advisory
>
> CERT has now posted CERT Advisory CA-2003-04 MS-SQL Server Worm
> at: http://www.cert.org/advisories/CA-2003-04.html detailing 
> their analysis of the worm.

>From owner-ldm-users@xxxxxxxxxxxxxxxx 25 Jan 2003 15:49:41 -0500
Date: 25 Jan 2003 15:49:41 -0500
From: Dan Vietor <devo@xxxxxxxxxxxxx>
In-Reply-To: <1043525470.3170.58.camel@isostasy>
To: Jeff Wolfe <wolfe@xxxxxxxxxxx>
Subject: Re: Major Internet Disruptions since last night
Received: (from majordo@localhost)
        by unidata.ucar.edu (UCAR/Unidata) id h0PKncq22210
        for ldm-users-out; Sat, 25 Jan 2003 13:49:38 -0700 (MST)
Received: from bbmail1-out.unisys.com (bbmail1-out.unisys.com [192.63.108.40])
        by unidata.ucar.edu (UCAR/Unidata) with ESMTP id h0PKnb622206
        for <ldm-users@xxxxxxxxxxxxxxxx>; Sat, 25 Jan 2003 13:49:38 -0700 (MST)
Organization: UCAR/Unidata
Keywords: 200301252049.h0PKnb622206
Received: from sdosrv4 (sdosrv4.ks.unisys.com [192.62.131.2])
        by bbmail1-out.unisys.com (8.9.3/8.9.3) with SMTP id UAA22169;
        Sat, 25 Jan 2003 20:45:38 GMT
Received: from wxplinux by sdosrv4 (SMI-8.6/SMI-SVR4)
        id PAA29464; Sat, 25 Jan 2003 15:49:39 -0500
Cc: ldm-users@xxxxxxxxxxxxxxxx
References: 
        <Pine.GSO.4.33.0301251450360.4320-100000@xxxxxxxxxxxxxxxxxxxxxx> 
        <3E32DDB3.9080505@xxxxxxxx>  <1043525470.3170.58.camel@isostasy>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Ximian Evolution 1.0.8 (1.0.8-10) 
Message-Id: <1043527781.1349.17.camel@wxplinux>
Mime-Version: 1.0
Sender: owner-ldm-users@xxxxxxxxxxxxxxxx
Precedence: bulk

On Sat, 2003-01-25 at 15:11, Jeff Wolfe wrote:
> The worm had (has?) a very small payload, only 300 or so bytes. It's
> enough to compromise an unpatched MS SQL server (patch released 7/2002)
> over UDP port 1434. Once compromised, the worm enters an infinite loop
> and generates pseudo-random IP addresses to send itself to. The UDP
> flows are generated as fast as the system is able to send packets.
> Flow based routers like Cisco 6500s running buggy code are unable to
> deal with the massive amount of unique flows and crash, which further
> complicates matters.

If you block 1434, it won't totally solve the problem.  On our office
LAN, 6 computers got infected and even though 1434 is blocked, these
computers are still saturating the LAN with UDP ping traffic.  These
computers are pushing packets into the network as fast as they can and
can saturate even a 100 MBit LAN.  Even though we have connectivity to
the Internet, the local LAN traffic was so bad nothing was getting
through or just timing out.

So if you suspect computers are infected, the best solution may be to
pull them off the network until they are disinfected.  
-- 
________________________________________________________
Daniel Vietor               Mail: devo@xxxxxxxxxxxxx
Unisys Corp                 Title: Engineer/Meteorologist
221 Gale Lane               Phone: 610-925-5206
Kennett Square PA 19348     Fax: 610-925-5215
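Added example (not from this thread or from the LDM project) of the kind of check that finds the infected hosts Dan describes from flow records: a host whose UDP/1434 traffic fans out to many distinct destinations within a short window, as opposed to a client that keeps talking to the same one or two SQL servers. The flow-record layout, the thresholds and the sample addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    ts: int      # epoch seconds
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse 'ts src dst proto dport bytes' records (an assumed export format)."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[0].startswith("#"):
            continue
        ts, src, dst, proto, dport, _nbytes = parts
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(dport)))
    return flows


def find_sprayers(flows: Iterable[Flow], window: int = 60,
                  min_unique_dst: int = 20) -> Dict[str, int]:
    """Peak number of distinct UDP/1434 destinations per source within any
    window-second bucket, keeping only sources at or above min_unique_dst.
    A worm-driven host aims nearly every packet at a new pseudo-random address."""
    buckets: Dict[tuple, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == 1434:
            buckets[(f.src, f.ts // window)].add(f.dst)
    peak: Dict[str, int] = {}
    for (src, _), dsts in buckets.items():
        peak[src] = max(peak.get(src, 0), len(dsts))
    return {src: n for src, n in peak.items() if n >= min_unique_dst}


def constructed_sample() -> List[str]:
    """Constructed flow records (not from the thread): 10.0.5.17 and 10.0.5.42
    spray UDP/1434 at ever-new addresses, 10.0.5.9 polls its two SQL servers,
    10.0.5.77 uses TCP/1434 only. Targets are documentation address ranges."""
    t0 = 1043525400
    lines = [f"{t0 + i} 10.0.5.17 198.51.100.{i} udp 1434 404" for i in range(60)]
    lines += [f"{t0 + i} 10.0.5.42 203.0.113.{i} udp 1434 404" for i in range(40)]
    lines += [f"{t0 + i} 10.0.5.9 10.0.5.{100 + i % 2} udp 1434 64" for i in range(30)]
    lines += [f"{t0 + i} 10.0.5.77 10.0.5.100 tcp 1434 1500" for i in range(30)]
    return lines
```

`find_sprayers(parse_flows(constructed_sample()))` returns the two spraying hosts with their fan-out counts, which is the list of machines to unplug until they are disinfected.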