[28640] in bugtraq
Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
daemon@ATHENA.MIT.EDU (cstone)
Sat Jan 25 14:43:09 2003
Date: Sat, 25 Jan 2003 06:07:42 -0600
From: cstone <cstone@pobox.com>
To: Michael Bacarella <mbac@netgraft.com>
Message-ID: <20030125120742.GB22449@pobox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030125021141.A23211@romulus.netgraft.com>
On Sat, Jan 25, 2003 at 02:11:41AM -0500, Michael Bacarella wrote:
> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
yeah. i guess it's an old vulnerability, but i don't keep up on
this stuff.
however, i have disassembled the code inside; all it does is send
itself to pseudorandomly generated hosts.
there is an annotated disassembly at
http://www.boredom.org/~cstone/worm-annotated.txt
--cstone@pobox.com
