[ale] [Fwd: RE: MS SQL WORM and PORT 1434!]

Chuck Huber chuck at cehuber.org
Sat Jan 25 20:18:10 EST 2003


On Sat, Jan 25, 2003 at 05:33:32PM -0500, Geoffrey wrote:
> So I'm curious as to why you have so many hits and I have so little.  I 
> assume these are not residential connections, and they are possibly 
> advertised servers on them?  Maybe the worm is hitting more well known 
> subnets.  Likely BellSouth more so than, say, my smaller ISP Speedfactory?

Perhaps.  I'd think it unlikely, though, that this is the reason. Since
the worm is propagating via MS SQL server, it's less likely to hit
address books and such than if the worm were propagated via Outlook.

I'd expect that I'd have twice as many hits since I have two interfaces
facing the internet... at least until DTV cuts me off.

From Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

    When W32.SQLExp.Worm compromises a machine it does the following:

        * Uses the Windows API Function, GetTickCount, to generate
          a random IP address to which to send the malicious packet
          containing itself.
        * Repeatedly sends itself to all generated IP addresses, to
          UDP port 1434 from an ephemeral source port.


    W32.SQLExp.Worm will continuously send packets to different
    IP addresses, effectively performing a Denial Of Service Attack
    on the host on which it is running, as well as the hosts to which
    it is attempting to connect.

BTW, as of this writing, I've had 733 attempts on port 1434 from
548 different hosts.  The last attempt was at 20:10. So it's still
actively spreading.

Enjoy,
    - Chuck

> Chuck Huber wrote:
> >On Sat, Jan 25, 2003 at 04:52:13PM -0500, Geoffrey wrote:
> >
> >>I'm seeing this as well at my firewall, denied of course. :)
> >>
> >>Anyone else seeing it?  Anyone have any info on it?  21 hits against my 
> >>box yesterday alone.  None yet today though.
> >
> >
> >I've got it hitting my firewall.  Thus far, I have 356 hits on the
> >cablemodem and 342 on the DSL from a total of 525 different IP addresses.
> >
> 
> The latest, most widespread virus?  Microsoft end user agreement.
> Think about it...


-- 
"The purpose of encryption is to protect good people
from bad people, not to protect bad people from the government."
     Scott McNealy, CEO Sun Microsystems
"The best way for government to control people is to remain in
   a constant threat of war." ---Karl Marx
(18 USC 242), which applies to government agents overstepping their
authority:
  "Whoever, under color of any law, statute, ordinance, regulation,
  or custom, willfully subjects any person in any State, Territory,
  or District to the deprivation of any rights, privileges, or
  immunities secured or protected by the Constitution or laws of
  the United States, . . . shall be fined under this title or
  imprisoned not more than one year, or both . . ."
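For anyone who wants to pull the same kind of numbers (attempts, distinct hosts, last hit time, split per interface) out of a Linux firewall log, here is a small counter. This is an added example, not code from the original message or from any tool mentioned in the thread. It assumes netfilter-style log lines with SRC=, PROTO= and DPT= fields; the sample lines are constructed, not real log data.

```python
"""Count denied UDP/1434 probes in netfilter-style firewall log lines.

Added example (not from the original e-mail). Assumes lines of the form
"<Mon DD HH:MM:SS> <host> kernel: ... IN=<iface> ... SRC=<ip> ... PROTO=<proto> ... DPT=<port>"
as a Linux iptables LOG target writes them; the sample below is constructed.
"""
import re
from collections import Counter

# Constructed sample log: five UDP/1434 drops from three sources on two
# interfaces, plus one unrelated TCP/1433 drop that must be ignored.
SAMPLE_LOG = """\
Jan 25 19:58:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.5 PROTO=UDP SPT=4216 DPT=1434
Jan 25 19:58:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.5 PROTO=UDP SPT=4216 DPT=1434
Jan 25 19:59:10 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=UDP SPT=1037 DPT=1434
Jan 25 20:01:22 fw kernel: DROP IN=eth1 OUT= SRC=192.0.2.44 DST=198.51.100.9 PROTO=UDP SPT=1037 DPT=1434
Jan 25 20:05:00 fw kernel: DROP IN=eth0 OUT= SRC=198.18.0.7 DST=198.51.100.5 PROTO=TCP SPT=3321 DPT=1433
Jan 25 20:10:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 PROTO=UDP SPT=2000 DPT=1434
"""

# Non-greedy ".*?" skips whatever fields sit between the ones we care about,
# so the pattern tolerates extra fields (TOS, TTL, ID, LEN, ...) in real logs.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of timestamp, interface, source, protocol and dest port, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def summarize_udp_1434(lines):
    """Summarize denied UDP/1434 probes: total attempts, distinct sources,
    attempts per inbound interface, and the timestamp of the last attempt.
    Lines are assumed to be in chronological order, as syslog writes them."""
    total = 0
    sources = Counter()
    per_iface = Counter()
    last_ts = None
    for line in lines:
        rec = parse_line(line)
        # Only UDP to port 1434 counts; other denied traffic is ignored here.
        if rec is None or rec["proto"] != "UDP" or rec["dpt"] != 1434:
            continue
        total += 1
        sources[rec["src"]] += 1
        per_iface[rec["iface"]] += 1
        last_ts = rec["ts"]
    return {
        "total": total,
        "distinct_sources": len(sources),
        "per_interface": dict(per_iface),
        "last_attempt": last_ts,
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    summary = summarize_udp_1434(SAMPLE_LOG.splitlines())
    print(f"{summary['total']} attempts on UDP/1434 from "
          f"{summary['distinct_sources']} different hosts; last at {summary['last_attempt']}")
    for iface, n in summary["per_interface"].items():
        print(f"  {iface}: {n}")
```

To run it against a real log, replace SAMPLE_LOG.splitlines() with the lines of /var/log/messages (or wherever your kernel log lands) and, if you log with a prefix other than DROP, nothing needs to change since the pattern keys on the IN=, SRC=, PROTO= and DPT= fields only.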