Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Does the Worm have another Payload besides 1434 Floods?

  • From: Krzysztof Adamski
  • Date: Sat Jan 25 22:50:37 2003

This worm has about 44 megs of payload. The payload is MSSQL service pack 3.
What if there are worse holes in it?


On Sat, 25 Jan 2003, Stewart, William C (Bill), SALES wrote:

> So the worm is sending out tons of UDP1434 packets 
> that let it break into MS-SQL servers and reproduce,
> and that's certainly annoying because of the traffic floods.
> But is it carrying anything else that will do more damage,
> or anything that leaves it a security hole to be exploited later?
> It would be really annoying if machines that aren't cleaned up
> later reformat themselves or hang out waiting for further instructions.
> Also, several people have commented that restarting their 
> MS-SQL servers stops the problem.  Does it just stop the flooding,
> but leave code there, or does the worm strictly live in
> transitory data space that's really gone after a restart?
> Several people have talked about bursts of ICMP or 6667 traffic,
> and those are probably unrelated, but maybe not.
> (What?  More than one cracker on the net or more than one 
> program that chokes when overloaded?   Who'd'a' thunk it!)
