WARNING VIRUS/WORM

Whilst I was online in this forum an attack which was stopped by my firewall occurred. The attack came from:
IP: 67.174.56.109
DNS: c-67-174-56-109.client.comcast.net

More information on this attack is as follows:

The SQL Slammer worm, also known as W32/SQLSlam-A, Sapphire, New SQL, Worm.SQL, and Helkern, propagates by exploiting a buffer overflow vulnerability in the Resolution Service in Microsoft SQL Server 2000 or Microsoft Desktop Engine (MSDE) 2000 installations. The main function of the Slammer worm is to continue propagation. No Distributed Denial of Service (DDoS) or backdoor functionality is incorporated into the worm. Infection can be removed with a reboot, however without protection in place, it is likely that vulnerable servers will be quickly re-infected.

The Slammer worm loads Kernel32.dll and WS2_32.dll and then calls GetTickCount, which is used as a seed for a random IP address routine. This routine then continuously sends 376 bytes of exploit and propagation code across port 1434/UDP until the SQL Server process is shut down. The Slammer worm does not prefer to scan local subnet addresses like the Nimda worm. This will limit the speed of propagation across local networks, but this scanning method generates large amounts of traffic that can overwhelm networks.

The Slammer worm seeks to replicate itself and does not try to further compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files, it only exists in memory. For more information refer to Internet Security Systems Security Alert, January 25, 2003. See References.

Note: The Slammer worm may also affect Cisco CallManager version 3.3(x), Cisco Unity versions 3.x and 4.x, and Cisco Building Broadband Service Manager versions 5.0 and 5.1, which incorporate the use of either SQL Server 2000 or MSDE 2000.

Although it doesn't sound too dangerous, I would say if this server is infected by this worm/virus then I'd advise all contributors/diy'ers to virus check their systems asap.
I felt this was a serious enough event to warrant a repeat in a post on its own.
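As an added illustration for this thread (not part of any post in it), here is a small Python detector that applies the two indicators the advisory text above gives, destination port 1434/UDP and a 376-byte datagram, to firewall log lines. The log format, the source and destination addresses and the fan-out threshold are all constructed for the example and do not describe any particular firewall product.

```python
"""Flag UDP/1434 datagrams whose size matches the 376-byte SQL Slammer packet.

Added example for this thread; the key=value log format, the addresses and
the fan-out threshold below are constructed assumptions for illustration.
"""
import re

SLAMMER_PORT = 1434        # SQL Server Resolution Service, UDP (from the advisory text)
SLAMMER_PAYLOAD_LEN = 376  # size of the worm datagram (from the advisory text)

# Constructed firewall lines, one record per datagram. 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2003-01-25T05:31:02Z DROP src=192.0.2.10 dst=10.0.0.5 proto=UDP sport=1130 dport=1434 len=376
2003-01-25T05:31:02Z DROP src=192.0.2.10 dst=10.0.0.77 proto=UDP sport=1130 dport=1434 len=376
2003-01-25T05:31:03Z DROP src=192.0.2.10 dst=10.0.3.9 proto=UDP sport=1130 dport=1434 len=376
2003-01-25T05:31:03Z ALLOW src=10.0.0.20 dst=10.0.0.5 proto=UDP sport=53412 dport=1434 len=1
2003-01-25T05:31:04Z ALLOW src=10.0.0.21 dst=10.0.0.5 proto=TCP sport=40221 dport=1433 len=120
2003-01-25T05:31:05Z DROP src=198.51.100.7 dst=10.0.0.5 proto=UDP sport=4012 dport=1434 len=376
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def is_slammer_candidate(rec):
    """True when the record is a UDP datagram to 1434 carrying exactly 376 bytes.

    A short legitimate resolution request to the same port (len=1 in the sample)
    does not match, so ordinary SQL Server name lookups are not flagged.
    """
    return (rec["proto"].upper() == "UDP"
            and rec["dport"] == SLAMMER_PORT
            and rec["len"] == SLAMMER_PAYLOAD_LEN)


def scan_log(text, min_targets=2):
    """Return (candidate_count, suspect_sources).

    A source becomes 'suspect' once it sends Slammer-sized datagrams to at least
    min_targets distinct destinations. The advisory says the worm picks random
    addresses, so an infected host fans out instead of talking to one server;
    the threshold value itself is an assumption of this example.
    """
    targets = {}
    count = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_slammer_candidate(rec):
            continue
        count += 1
        targets.setdefault(rec["src"], set()).add(rec["dst"])
    suspects = sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)
    return count, suspects


if __name__ == "__main__":
    total, suspects = scan_log(SAMPLE_LOG)
    print(f"{total} Slammer-sized UDP/1434 datagrams; fanning-out sources: {suspects}")
```

Because the worm lives only in memory, a host that shows up as a suspect source here is the one to reboot and patch; the log evidence survives even when a disk-based virus scan on that host comes back clean.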
 
Thanks for letting us know Ken. Just did a full McAfee definitions update and system scan and luckily I'm all clear for viruses. Worth checking though as I don't run a firewall...
 
The attack happened after midnight, so if you weren't online you probably got away with the attack. The thing that worries me is that it may have infected the server, so anyone logging on today might get stung. Again, it doesn't look that serious as it is only memory resident, but something more sinister may be lurking behind it, so it's best to have done a virus scan anyway. I've let the DIYNOT people know about it.
 
kendor said:
I've let the DIYNOT people know about it.

1) Why did you do that? Your firewall wasn't warning you of an incoming packet from the diynot server (80.87.131.172), it was from 67.174.56.109. If you want to notify anybody, send an email to [email protected] .

2) "Although it doesn't sound too dangerous" yes it is. It doesn't do any permanent damage (e.g. loss of data), but it has the potential for a very widespread DOS (denial of service) attack.

3) There's a limited set of Microsoft products which people might be running that would make their systems at risk from infection, and there's been a security patch available from Microsoft for well over a year now, so if they haven't installed it then shame on them.

4) The worm is memory resident, so doesn't necessarily show up on a scan.
 
ban-all-sheds said:
kendor said:
I've let the DIYNOT people know about it.

1) Why did you do that? Your firewall wasn't warning you of an incoming packet from the diynot server (80.87.131.172), it was from 67.174.56.109. If you want to notify anybody, send an email to [email protected] .
To let them know that their server may have problems. Again, if you had read the info I'd posted instead of just going ahead and criticising like you do, you would have seen that it attacks servers that run on certain systems.

2) "Although it doesn't sound too dangerous" yes it is. It doesn't do any permanent damage (e.g. loss of data), but it has the potential for a very widespread DOS (denial of service) attack.
Which is what I said in my post, if you had read it properly: again, that it could propagate itself.

4) The worm is memory resident, so doesn't necessarily show up on a scan.
Most good virus scanners do a memory check first! If yours doesn't then it's not worth a fart.
 
Oh for heaven's sake. The only thing I "criticised" (questioned really) was the fact that you notified DIYnot about it, and I still don't understand why when your PC said "Server A has attacked me" that you thought "I'd better tell the folks running Server B that I've been attacked", but never mind. You also said "I would say if this server is infected by this worm/virus then i'd advise all contributors/diy'ers to virus check their systems asap." even though it wasn't "this server" that was sending out the dodgy packets, but never mind. And, BTW, if you properly read the description you posted, you'll see that opening a web page on a server, even an infected one, has nothing to do with whether your system becomes infected.

As for the danger, yes, the info you posted does say "The Slammer worm seeks to replicate itself", but you personally did add "Although it doesn't sound too dangerous" - all I was trying to do was to make people aware that it can be very serious - when it first emerged whole countries dropped off the internet (and lost their phone systems) because of it. You stated an opinion which I thought was incorrect; I'm never going to not post a perfectly civilly worded correction for fear that you don't want "criticism".

As for the virus scan - I agree 100% with what you say, again, all I was trying to do was to warn people not to be complacent - if their scan comes up clean it might not mean that they are clean.
 
Ban,

You seem quite knowledgeable on this, maybe you could give me some advice...

On my old PC (Win 98), all the time that I had dial-up, I had no virus software at all and no problems. Then, shortly after installing BroadBand, the whole lot slowed down and started crashing. I did a quick scan with a free web-based virus checker, and (surprise) - infected (I can't recall which virus it was now). So I formatted the HD, re-installed Win98, then on a friend's advice installed ZoneAlarms firewall. I found it totally user UN-friendly to the point of almost useless. No matter what I did with the settings, some websites wouldn't work at all (particularly hotmail), and it interfered with most other things. It got to the point where 90% of the time I was running with it disabled anyway!

At the end of last year, I treated myself :D to a new PC with Win XP. It came with a month's trial of Norton AntiVirus which I have upgraded to a year's subscription. It background scans all my incoming/outgoing email and does a full scan once a week. Occasionally it pops up in the bottom right corner to say that it's updating its virus definitions. There was no way I was going to install ZoneAlarms on this machine because it's rubbish (in my opinion), and I'm told that XP has its own firewall built in.

What's your view Ban? Am I adequately protected?
 
Norton antivirus is only protecting you from a virus attack, so you should have some kind of firewall to stop the enemy from finding ways into your machine.

The early versions of Zonealarm were a little tricky to set up and from your reference to Windows 98, I suspect that is what you have. As to being rubbish, I have to disagree, and it is certainly easier to configure/monitor than the Windows offering. It will probably give you hundreds of alerts (which you can suppress), but in my experience, most of the alerts will relate to people doing portscans.

You would be advised to install some spyware software too.

Try going to http://securityresponse.symantec.com/ and click on the 'Check for Security Risks' button. The program will portscan your PC and you can see if there are any open doors that you should close.


... and I think we're in the wrong forum. :wink:
 
Yup - we're in the wrong forum - I'll ask the murderators to move it.

1) Can't comment on the XP firewall, except the generic one that if it's built into Windoze it'll probably be sh1te.

2) Bill Gates is the Antichrist.

3) Norton V. Good, especially with auto update.

4) Bill Gates is the Antichrist.

5) I've got Zone Labs firewall - don't like it as much as the Symantec one which I had previously.

6) Bill Gates is the Antichrist.

7) Spyware an insidious menace - should definitely get s/w to deal with that, and pop-ups.

8) Bill Gates is the Antichrist.

9) CookiePal (www.kburra.com) is an excellent tool for managing acceptance/rejection of cookies.

10) Bill Gates is the Antichrist.
 
ban-all-sheds said:
Oh for heaven's sake. The only thing I "criticised" (questioned really) was the fact that you notified DIYnot about it, and I still don't understand why when your PC said "Server A has attacked me" that you thought "I'd better tell the folks running Server B that I've been attacked", but never mind. You also said "I would say if this server is infected by this worm/virus then i'd advise all contributors/diy'ers to virus check their systems asap." even though it wasn't "this server" that was sending out the dodgy packets, but never mind. And, BTW, if you properly read the description you posted, you'll see that opening a web page on a server, even an infected one, has nothing to do with whether your system becomes infected.
As for the danger, yes, the info you posted does say "The Slammer worm seeks to replicate itself", but you personally did add "Although it doesn't sound too dangerous" - all I was trying to do was to make people aware that it can be very serious - when it first emerged whole countries dropped off the internet (and lost their phone systems) because of it. You stated an opinion which I thought was incorrect; I'm never going to not post a perfectly civilly worded correction for fear that you don't want "criticism".

As for the virus scan - I agree 100% with what you say, again, all I was trying to do was to warn people not to be complacent - if their scan comes up clean it might not mean that they are clean.

You've turned what I said around. I'm not saying I could get the worm from opening a webpage, but if you read again it states that it propagates over servers running certain systems (Cisco etc.) (I for that moment was part of that connection), and I was merely making the point that DIYnot may be interested to know that if my firewall detected the attack then, as I was connected through the wonders of the Net, the worm may, and I say MAY, have found its way onto their system, and as I'm a nice chap that way I thought I'd just let them know.
Anyway, now that this posting is in this section I'm sure one of the experts here will be able to put minds at rest on the subject.
 
I'm not sure what the question is now.

All internet connected PCs will be 'attacked'. Most of these probably due to portscans and pings.

Yes you can get a virus by opening a webpage. The code can be stored as an object on the page and a script can be executed when the page is loaded to your cache.

Most, if not all, good virus scanners start with a memory scan.

The attack you experienced, as previously mentioned, did not come from the DIYNOT server.
 
If you read my original post again, I never once said that the attack came from the DIYnot forum; I gave out the IP address from where it came. I was merely advising people that it MIGHT have infected their server.
I am aware of the fact that these malicious code writers are extremely devious in their art, and of the need for a "complete" suite of anti-attack software, which I have had installed for some time: virus checker, firewall, spyware removers etc.
As I've received no reply from DIYnot regarding the attack, I can only surmise that:
1. It wasn't a problem for them and they are fully protected against that sort of attack, in which case a thank you anyway reply would be nice.
2. They can't be bothered to answer, in which case next time I may not be "bothered" to inform them again.
 