Does the Worm have another Payload besides 1434 Floods?
Krzysztof Adamski
k at adamski.org
Sun Jan 26 03:08:20 UTC 2003
This worm has about 44 megs of payload. The payload is MSSQL service pack 3.
What if there are worse holes in it?
K
On Sat, 25 Jan 2003, Stewart, William C (Bill), SALES wrote:
>
> So the worm is sending out tons of UDP1434 packets
> that let it break into MS-SQL servers and reproduce,
> and that's certainly annoying because of the traffic floods.
> But is it carrying anything else that will do more damage,
> or anything that leaves it a security hole to be exploited later?
> It would be really annoying if machines that aren't cleaned up
> later reformat themselves or hang out waiting for further instructions.
>
> Also, several people have commented that restarting their
> MS-SQL servers stops the problem. Does it just stop the flooding,
> but leave code there, or does the worm strictly live in
> transitory data space that's really gone after a restart?
>
> Several people have talked about bursts of ICMP or 6667 traffic,
> and those are probably unrelated, but maybe not.
> (What? More than one cracker on the net or more than one
> program that chokes when overloaded? Who'd'a' thunk it!)
>