North American Network Operators Group
Re: Does the Worm have another Payload besides 1434 Floods?
- From: Krzysztof Adamski
- Date: Sat Jan 25 22:50:37 2003
This worm has about 44 megs of payload. The payload is MSSQL service pack 3.
What if there are worse holes in it?
On Sat, 25 Jan 2003, Stewart, William C (Bill), SALES wrote:
> So the worm is sending out tons of UDP1434 packets
> that let it break into MS-SQL servers and reproduce,
> and that's certainly annoying because of the traffic floods.
> But is it carrying anything else that will do more damage,
> or anything that leaves it a security hole to be exploited later?
> It would be really annoying if machines that aren't cleaned up
> later reformat themselves or hang out waiting for further instructions.
> Also, several people have commented that restarting their
> MS-SQL servers stops the problem. Does it just stop the flooding,
> but leave code there, or does the worm strictly live in
> transitory data space that's really gone after a restart?
> Several people have talked about bursts of ICMP or 6667 traffic,
> and those are probably unrelated, but maybe not.
> (What? More than one cracker on the net or more than one
> program that chokes when overloaded? Who'd'a' thunk it!)