[unisog] new virus?
James C Cotton
jim.cotton at wmich.edu
Thu Feb 24 14:56:27 GMT 2005
WMU saw it, Symantec has no sig, I will forward our notes from an
admin that cleaned it. Please look at the attachment for details...
If your infection is different we would like to know that, and how it
Jim Cotton, N8QOH | jim.cotton at wmich.edu
Western Michigan University | Phone: (269) 387-6421
Network Systems Group | Fax: (269) 387-5473
On Feb 23, 2005 at 16:36 -0500, BACHAND, Dave (Info. Tech. Services) wrote:
> Date: Wed, 23 Feb 2005 16:36:06 -0500
> From: "BACHAND, Dave (Info. Tech. Services)" <BachandD at easternct.edu>
> Reply-To: UNIversity Security Operations Group <unisog at lists.sans.org>
> To: unisog at lists.sans.org
> Subject: [unisog] new virus?
> We've recently had a minor outbreak (if there is such a thing) of a
> virus that I'm having a hard to putting my finger on.
> McAfee shows it as being an SDBOT variant. But, it only attacks SQL
> servers. it seems to be doing some sort of a login attempt/attack. My
> SQL sysadmin swears that the SA password wasn't blank, and there were no
> SQL patches missing.
> Any ideas?
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> unisog mailing list
> unisog at lists.sans.org
-------------- next part --------------
From joel.fletcher at wmich.edu Thu Feb 24 09:54:59 2005
Date: Thu, 24 Feb 2005 09:52:19 -0500
From: Joel Fletcher <joel.fletcher at wmich.edu>
To: Jim Cotton <jim.cotton at wmich.edu>
Subject: FW: SQL Server Hack Info
Jim: Here's the message I wrote to Paul regarding the SQL server hack/worm.
Feel free to share.
From: Joel Fletcher [mailto:joel.fletcher at wmich.edu]
Sent: Friday, February 18, 2005 11:05 AM
To: Paul Schneidenbach (paul.schneidenbach at wmich.edu); 'Robert Coffman'
Cc: Ron Schubot (ronald.schubot at wmich.edu); Joan E. O'Bryan
(joan.obryan at wmich.edu)
Subject: SQL Server Hack Info
Here's what we were able to determine about the SQL server worm. As of now,
not aware that it's been identified by any of the AV companies. Please share
with client systems as you feel appropriate:
Open Task Manager. Look for a process called hpws.exe. This is the worm
If you set the view options to include threads, you'll probably see
of threads spawned by this task. It probably cannot be killed through
Manager, even by Administrator. The process is owned by SYSTEM.
Killing the worm:
We downloaded Process Explorer from Sysinternals.com.
It's a free tool for exploring lots of things through the process trees.
able to kill the process with this tool. Interestingly, hpws.exe turns
be a subprocess of a CMD.EXE process.
Delete or rename %windows%\system32\hpws.exe. There are lots
of references to this file in the Registry for auto restart. Do not
to delete these until after you've killed the process itself. It
the registry entries.
The network traffic being generated by this worm is consistent with a
based, or possibly brute-force password attack. Make certain that all
Server passwords are "strong"; that is, non-dictionary words, mixed
numbers, and punctuation. This is especially true for SA and other
Since I've only fixed one of these, the worm may randomize its
name or other attributes. I have found that the other freebie tools on
were also helpful in tracking down this worm, especially TCPview and
although Regmon may also be useful.
The best advice I can give is as follows:
1. Make strong passwords.
2. Minimize the number of privileged accounts on your system.
3. Make sure all your patches are up-to-date, including Windows, SQL
4. Limit access by installing a hardware or software firewall.
If you have a system that has been hit by this worm, please let me know
were able to fix your system with these steps, or if you have more
information to add.
Joel M. Fletcher
Director, Systems and Operations
Western Michigan University
Office of Information Technology
Kalamazoo, MI 49008
joel.fletcher at wmich.edu
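The traffic Joel describes (dictionary or brute-force guessing against SQL Server logins, with SA as the prime target) leaves a trail of failed-login audit entries in the SQL Server errorlog when failed-login auditing is on. The following is an added example, not code from the thread or from WMU, that runs a simple sliding-window detector over such entries to surface source hosts hammering the login path. The log lines are constructed, and the exact errorlog layout (timestamp, "Logon" source, the `[CLIENT: x.x.x.x]` suffix) is an assumption that varies by SQL Server version; adjust `LINE_RE` to match what your instance actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries in a SQL Server errorlog-like layout (assumption:
# real layout differs by version; only timestamp, user and CLIENT are needed).
SAMPLE_LOG = """\
2005-02-18 10:55:01.10 Logon     Login failed for user 'sa'. [CLIENT: 10.20.30.40]
2005-02-18 10:55:01.35 Logon     Login failed for user 'sa'. [CLIENT: 10.20.30.40]
2005-02-18 10:55:01.61 Logon     Login failed for user 'sa'. [CLIENT: 10.20.30.40]
2005-02-18 10:55:01.90 Logon     Login failed for user 'sa'. [CLIENT: 10.20.30.40]
2005-02-18 10:55:02.12 Logon     Login failed for user 'admin'. [CLIENT: 10.20.30.40]
2005-02-18 10:55:02.40 Logon     Login failed for user 'sa'. [CLIENT: 10.20.30.40]
2005-02-18 10:58:14.00 Logon     Login failed for user 'jdoe'. [CLIENT: 10.1.1.7]
2005-02-18 11:02:33.00 Logon     Login succeeded for user 'jdoe'. [CLIENT: 10.1.1.7]
2005-02-18 11:05:00.00 Logon     Login failed for user 'sa'. [CLIENT: 10.1.1.9]
"""

# Matches only failed-login audit lines; successful logins are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Yield (timestamp, user, client) for every failed-login line in `text`."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["client"]


def failures_by_user(text):
    """Count failed logins per account name; a high 'sa' count is the
    pattern the thread describes."""
    counts = defaultdict(int)
    for _, user, _ in parse_failures(text):
        counts[user] += 1
    return dict(counts)


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: (peak_failures_in_window, sorted_users_tried)} for each
    client address that produced at least `threshold` failed logins inside any
    span of length `window`. Uses a per-client deque as a sliding window."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    users = defaultdict(set)      # client -> account names it has tried
    alerts = {}
    for ts, user, client in parse_failures(text):
        q = recent[client]
        q.append(ts)
        users[client].add(user)
        # Drop failures that fell out of the window relative to this entry.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(client, (0, []))[0])
            alerts[client] = (peak, sorted(users[client]))
    return alerts


if __name__ == "__main__":
    for client, (count, tried) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{client}: {count} failed logins in window, accounts tried: {tried}")
    print("failures by account:", failures_by_user(SAMPLE_LOG))
```

On the constructed sample this flags 10.20.30.40 (six failures in about a second, cycling between `sa` and `admin`) and stays quiet on the single mistyped-password events from the other two hosts. Pairing such an alert with a firewall rule that limits which hosts may reach the SQL listener, as in Joel's fourth recommendation, turns the guessing traffic from a nuisance into a clean indicator of a compromised internal machine.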