North American Network Operators Group

Does the Worm have another Payload besides 1434 Floods?

  • From: Stewart, William C (Bill), SALES
  • Date: Sat Jan 25 17:33:42 2003

So the worm is sending out tons of UDP1434 packets 
that let it break into MS-SQL servers and reproduce,
and that's certainly annoying because of the traffic floods.
But is it carrying anything else that will do more damage,
or anything that leaves it a security hole to be exploited later?
It would be really annoying if machines that aren't cleaned up
later reformat themselves or hang out waiting for further instructions.

Also, several people have commented that restarting their 
MS-SQL servers stops the problem.  Does it just stop the flooding,
but leave code there, or does the worm strictly live in
transitory data space that's really gone after a restart?

Several people have talked about bursts of ICMP or 6667 traffic,
and those are probably unrelated, but maybe not.
(What?  More than one cracker on the net or more than one 
program that chokes when overloaded?   Who'd'a' thunk it!)