From: trent dilkie (trent_at_dilkie.com)
Date: Sat Jan 25 2003 - 12:56:36 CST
Can anybody confirm that this worm is spreading on the Desktop Engine too?
From: H D Moore [mailto:sflistdigitaloffense.net]
Sent: Saturday, January 25, 2003 6:49 AM
Subject: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
A worm which exploits a (new?) vulnerability in SQL Server is bringing the
core routers to a grinding halt. The speed of the propagation can be
attributed to the attack method and simplicity of the code. The worm sends
a 376-byte UDP packet to port 1434 of each random target; each vulnerable
system will immediately start propagating itself. Since UDP is
connection-less, the worm is able to spread much more quickly than those
using your standard TCP-based attack vectors (no connect timeouts).
Some random screen shots, a copy of the worm as a Perl script, and a
disassembly (sorry, no comments) can be found online at:
On Saturday 25 January 2003 01:11, Michael Bacarella wrote:
> I'm getting massive packet loss to various points on the globe. I am
> seeing a lot of these in my tcpdump output on each host.
> 02:06:31.017088 184.108.40.206.3047 > 220.127.116.11.ms-sql-m: udp 376
> 02:06:31.017244 18.104.22.168 > 22.214.171.124: icmp: 126.96.36.199
> udp port ms-sql-m unreachable [tos 0xc0
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
> All admins with access to routers should block port 1434 (ms-sql-m)!
> Everyone running MS SQL Server shut it the hell down or make sure it
> can't access the internet proper!
> I make no guarantees that this information is correct, test it out for
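
A triage sketch for the traffic pattern reported in this thread (376-byte UDP datagrams to port 1434 / ms-sql-m), added here as an example and not part of the original messages. It reads tcpdump text output in the format quoted above and lists internal sources probing many distinct addresses; the function name, the threshold, and the sample capture lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches old-style tcpdump text output as quoted in the thread:
#   HH:MM:SS.usec SRC.SPORT > DST.DPORT: udp LEN
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[\w-]+):\s+"
    r"udp\s+(?P<len>\d+)\b"
)

SQL_MONITOR_PORTS = {"1434", "ms-sql-m"}  # numeric (-n) or resolved service name
WORM_PAYLOAD_LEN = 376                    # payload size reported in the thread


def find_suspect_sources(lines, min_targets=3):
    """Return {source_ip: sorted distinct destinations} for hosts that sent
    376-byte UDP datagrams to port 1434 on at least min_targets addresses."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ICMP unreachable replies, TCP, truncated lines, etc.
        if m["dport"] not in SQL_MONITOR_PORTS:
            continue
        if int(m["len"]) != WORM_PAYLOAD_LEN:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
02:06:31.017088 192.0.2.10.3047 > 198.51.100.7.ms-sql-m: udp 376
02:06:31.017244 198.51.100.7 > 192.0.2.10: icmp: 198.51.100.7 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.018301 192.0.2.10.3047 > 203.0.113.99.1434: udp 376
02:06:31.019112 192.0.2.10.3047 > 198.51.100.200.ms-sql-m: udp 376
02:06:31.020500 192.0.2.55.1029 > 198.51.100.7.ms-sql-m: udp 28
02:06:31.021000 192.0.2.77.5353 > 198.51.100.9.domain: udp 376
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_suspect_sources(SAMPLE).items():
        print(f"{src} -> {len(dsts)} targets: {', '.join(dsts)}")
```

Sources it reports are candidates for isolation and patching; the port 1434 block suggested in the thread still applies at the border.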