Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

Yes, the 150DaySQLwurm (my new name for it, since we all get to make up
names today) does affect MSDE. And there's no SP3 for MSDE, but I've
installed the latest wrap-up patch and the resolver patch and either one
seemed to do it. You have to be careful that you: 

1. Make sure SQL Server is not running while you copy over the files
that install the patch 

2. Copy the files onto all the instances of SQL Server you have
installed

3. Reboot before restarting SQL Server

You should be careful (on both MSDE and SQL Server 2000) not to install
just the patch for the resolver overflow, since you will then still be
vulnerable to the Hello bug. Of course, if you're still vulnerable to
either, you are most definitely already owned, and likely should
reinstall Windows to unload whatever kernel trojans are fighting over
your internal data.

If anyone writes a worm for the Hello bug, I hereby pre-name it the "Yo
G! What's up! SQL!" worm. 

Dave Aitel 
Immunity, Inc.


On Sat, 25 Jan 2003 13:56:36 -0500
"trent dilkie" <trent@dilkie.com> wrote:

> Can anybody confirm that this worm is spreading on the Desktop Engine
> too? (MSDE)
> 
> Thanks,
>    Trent.
> 
> -----Original Message-----
> From: H D Moore [mailto:sflist@digitaloffense.net] 
> Sent: Saturday, January 25, 2003 6:49 AM
> To: bugtraq@securityfocus.com
> Subject: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
> 
> 
> A worm which exploits a (new?) vulnerability in SQL Server is bringing
> the core routers to a grinding halt. The speed of the propagation can be
> attributed to the attack method and simplicity of the code. The worm
> sends a 376-byte UDP packet to port 1434 of each random target; each
> vulnerable system will immediately start propagating itself. Since UDP
> is connection-less, the worm is able to spread much more quickly than
> those using your standard TCP-based attack vectors (no connect
> timeouts).
> 
> Some random screen shots, a copy of the worm as a perl script, and a
> disassembly (sorry, no comments) can be found online at:
> 
> http://www.digitaloffense.net/worms/mssql_udp_worm/
> 
> -HD
> 
> On Saturday 25 January 2003 01:11, Michael Bacarella wrote:
> > I'm getting massive packet loss to various points on the globe. I am
> > seeing a lot of these in my tcpdump output on each host.
> >
> > 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> > 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0
> >
> > It looks like there's a worm affecting MS SQL Server which is 
> > pingflooding addresses at some random sequence.
> >
> > All admins with access to routers should block port 1434 (ms-sql-m)!
> >
> > Everyone running MS SQL Server shut it the hell down or make sure it
> > can't access the internet proper!
> >
> > I make no guarantees that this information is correct, test it out
> > for yourself!
> 
> -------------------------------------------------------
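The tcpdump lines quoted from Michael Bacarella's message, together with HD Moore's description (a single 376-byte UDP datagram to port 1434 per random target), are enough to build a small detector for this traffic. The Python below is an added example, not code from anyone in the thread: it parses tcpdump output of that shape, flags the 376-byte UDP probes to ms-sql-m/1434, counts how many distinct hosts each source sprays, and tallies the ICMP port-unreachable replies that probed hosts without an SQL listener send back. The sample lines and the `min_targets` threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Slammer as described in the thread: one 376-byte UDP datagram per target,
# aimed at port 1434 (shown by tcpdump as the service name "ms-sql-m").
SLAMMER_PORTS = {"ms-sql-m", "1434"}
SLAMMER_LEN = 376
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# tcpdump UDP line: "<ts> <src>.<sport> > <dst>.<dport>: udp <len>"
UDP_RE = re.compile(rf"^\S+\s+(?P<src>{IP})\.[^\s:]+\s+>\s+(?P<dst>{IP})\.(?P<dport>[^\s:]+):\s+udp\s+(?P<len>\d+)")
# Reply from a probed host with no SQL listener: "icmp: <host> udp port <port> unreachable"
ICMP_RE = re.compile(rf"icmp:\s+(?P<host>{IP})\s+udp port\s+(?P<port>\S+)\s+unreachable")

def parse_line(line):
    """Classify one tcpdump line; returns a dict, or None for anything else."""
    m = UDP_RE.match(line)
    if m:
        return {"kind": "udp", "src": m["src"], "dst": m["dst"],
                "dport": m["dport"], "len": int(m["len"])}
    m = ICMP_RE.search(line)
    if m:
        return {"kind": "unreach", "host": m["host"], "port": m["port"]}
    return None

def is_slammer_probe(rec):
    """True for a 376-byte UDP datagram aimed at ms-sql-m/1434."""
    return (rec is not None and rec["kind"] == "udp"
            and rec["dport"] in SLAMMER_PORTS and rec["len"] == SLAMMER_LEN)

def analyze(lines, min_targets=2):
    """Distinct targets per probing source, sources spraying >= min_targets hosts,
    and the count of port-unreachable replies (probed hosts with no SQL listener)."""
    targets = defaultdict(set)
    unreach = 0
    for line in lines:
        rec = parse_line(line)
        if is_slammer_probe(rec):
            targets[rec["src"]].add(rec["dst"])
        elif rec and rec["kind"] == "unreach" and rec["port"] in SLAMMER_PORTS:
            unreach += 1
    per_source = {src: len(dsts) for src, dsts in targets.items()}
    sprayers = sorted(src for src, n in per_source.items() if n >= min_targets)
    return {"per_source": per_source, "sprayers": sprayers, "unreach": unreach}

# Constructed sample: the two lines quoted in the thread plus three made-up ones.
SAMPLE = [
    "02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376",
    "02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]",
    "02:06:31.020001 150.140.142.17.3047 > 24.193.37.213.ms-sql-m: udp 376",
    "02:06:31.021500 10.0.0.5.53012 > 192.0.2.1.domain: udp 45",
    "02:06:31.022000 198.51.100.9.1033 > 24.193.37.214.1434: udp 376",
]
```

A burst of port-unreachable replies for 1434 on a network that runs no SQL Server at all is itself a useful signal that someone upstream is being sprayed.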
