Apparently one of my dialup users is infected, so it's likely this does
affect the DE. In 5 hours one of my access servers blocked 6008 outbound
udp packets to port 1434. They were blocked because the source addresses
were randomized.

--
Dick St.Peters, stpeters@NetHeaven.com
Gatekeeper, NetHeaven, Saratoga Springs, NY

trent dilkie writes:
> Can anybody confirm that this worm is spreading on the Desktop Engine too?
> (MSDE)
>
> Thanks,
> Trent.
>
> -----Original Message-----
> From: H D Moore [mailto:sflist@digitaloffense.net]
> Sent: Saturday, January 25, 2003 6:49 AM
> To: bugtraq@securityfocus.com
> Subject: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
>
>
> A worm which exploits a (new?) vulnerability in SQL Server is bringing the
> core routers to a grinding halt. The speed of the propagation can be
> attributed to the attack method and simplicity of the code. The worm sends
> a 376-byte UDP packet to port 1434 of each random target, each vulnerable
> system will immediately start propagating itself. Since UDP is
> connection-less, the worm is able to spread much more quickly than those
> using your standard TCP-based attack vectors (no connect timeouts).
>
> Some random screen shots, a copy of the worm as a perl script, and a
> disassembly (sorry, no comments) can be found online at:
>
> http://www.digitaloffense.net/worms/mssql_udp_worm/
>
> -HD
>
> On Saturday 25 January 2003 01:11, Michael Bacarella wrote:
> > I'm getting massive packet loss to various points on the globe. I am
> > seeing a lot of these in my tcpdump output on each host.
> >
> > 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> > 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212
> > udp port ms-sql-m unreachable [tos 0xc0
> >
> > It looks like there's a worm affecting MS SQL Server which is
> > pingflooding addresses at some random sequence.
> >
> > All admins with access to routers should block port 1434 (ms-sql-m)!
> >
> > Everyone running MS SQL Server shut it the hell down or make sure it
> > can't access the internet proper!
> >
> > I make no guarantees that this information is correct, test it out for
> > yourself!
> > -------------------------------------------------------
>
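
The tcpdump lines quoted in the thread can be tallied mechanically to find hosts on your own network that are emitting this traffic. The following is an added example, not part of the original thread: a Python sketch that counts 376-byte UDP datagrams to port 1434 (ms-sql-m) per source in tcpdump text of the format shown above. The function name, the `min_targets` threshold and all sample lines except the first two are constructed for illustration.

```python
import re
from collections import defaultdict

# Old tcpdump text format as quoted in the thread:
#   HH:MM:SS.usec SRC.SPORT > DST.DPORT: udp LEN
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):\s+udp\s+(?P<len>\d+)"
)
PORTS = {"1434", "ms-sql-m"}  # tcpdump prints the number or the service name
PAYLOAD_LEN = 376             # datagram size reported in the thread


def suspicious_sources(lines, min_targets=3):
    """Map source IP -> number of distinct destinations, for sources that
    sent 376-byte UDP datagrams to port 1434 at min_targets or more hosts.
    min_targets is an assumed threshold, not a value from the thread."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ICMP unreachables, wrapped lines, unrelated traffic
        if m["dport"] in PORTS and int(m["len"]) == PAYLOAD_LEN:
            targets[m["src"]].add(m["dst"])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


# Constructed sample: the first two lines come from the thread, the rest are
# invented and use documentation address ranges.
SAMPLE = """\
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212
02:06:31.020001 192.0.2.10.1055 > 198.51.100.7.1434: udp 376
02:06:31.020450 192.0.2.10.1055 > 203.0.113.99.ms-sql-m: udp 376
02:06:31.020912 192.0.2.10.1055 > 198.51.100.201.1434: udp 376
02:06:31.031000 192.0.2.20.4000 > 198.51.100.7.1434: udp 376
02:06:31.040000 192.0.2.30.4100 > 198.51.100.7.ms-sql-m: udp 1
02:06:31.050000 192.0.2.30.4100 > 198.51.100.8.domain: udp 376
"""

if __name__ == "__main__":
    for src, n in sorted(suspicious_sources(SAMPLE.splitlines()).items()):
        print(f"{src}: {n} distinct destinations on udp/1434, len 376")
```

Where source addresses are randomized, as in the reply at the top of the thread, per-source counts will not cluster, so the total number of matching datagrams is the more useful figure.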