In-Reply-To: <20030125021141.A23211@romulus.netgraft.com> We can confirm it here in Toronto, Canada. Even though the effect was minimal to us, we saw many major networks dissappear on the Internet. The effect is like a LAN denial of service attack. The requests are distributed over port 1434 UDP to multicast addresses. If the multicast on the router is enabled, this can multiply the effect to WAN. You have to patch your MS-SQL Server to the highest service pack. But, here is the funny thing, we had a MS-Project Server 2002 installed on a test machine with MSDE running. There is no service pack 3 for MSDE 2000 yet, but there is a hotfix to solve the problem. That hotfix requires service pack 2. When we tried to install service pack 2 for MSDE, it gave an error. On the Microsoft web site, it says that SOME! of the MSDE installations require the service pack 2 to be installed only from an update CD but not from the Internet. I think it's going to be a while for all the networks to install these patches properly to stop these attack. Meanwhile I also recommend the sys admins to block the outgoing 1434TCP/UDP as well. Incoming blocking might protect some of your servers but if you are already effected, at least try to contain this in your LAN by blocking the outgoing ports. I hope someone will reverse engineer this worm and tell us exactly what it did. Umit >It looks like there's a worm affecting MS SQL Server which is >pingflooding addresses at some random sequence. > >All admins with access to routers should block port 1434 (ms-sql-m)! > >Everyone running MS SQL Server shut it the hell down or make >sure it can't access the internet proper! > >I make no guarantees that this information is correct, test it >out for yourself!
