Does the Worm have another Payload besides 1434 Floods?

Krzysztof Adamski k at adamski.org
Sun Jan 26 03:08:20 UTC 2003


This worm has about 44 megs of payload. The payload is MSSQL service pack 3.
What if there are worse holes in it?

K

On Sat, 25 Jan 2003, Stewart, William C (Bill), SALES wrote:

> 
> So the worm is sending out tons of UDP1434 packets 
> that let it break into MS-SQL servers and reproduce,
> and that's certainly annoying because of the traffic floods.
> But is it carrying anything else that will do more damage,
> or anything that leaves it a security hole to be exploited later?
> It would be really annoying if machines that aren't cleaned up
> later reformat themselves or hang out waiting for further instructions.
> 
> Also, several people have commented that restarting their 
> MS-SQL servers stops the problem.  Does it just stop the flooding,
> but leave code there, or does the worm strictly live in
> transitory data space that's really gone after a restart?
> 
> Several people have talked about bursts of ICMP or 6667 traffic,
> and those are probably unrelated, but maybe not.
> (What?  More than one cracker on the net or more than one 
> program that chokes when overloaded?   Who'd'a' thunk it!)
> 



