[unisog] new virus?

James C Cotton jim.cotton at wmich.edu
Thu Feb 24 14:56:27 GMT 2005


WMU saw it, Symantec has no sig, I will forward our notes from an
admin that cleaned it.  Please look at the attachment for details...

If your infection is different we would like to know that, and how it
differs...

Jim Cotton, N8QOH            |  jim.cotton at wmich.edu
Western Michigan University  |  Phone: (269) 387-6421
Network Systems Group        |  Fax: (269) 387-5473

On Feb 23, 2005 at 16:36 -0500, BACHAND, Dave (Info. Tech. Services) wrote:

> Date: Wed, 23 Feb 2005 16:36:06 -0500
> From: "BACHAND, Dave (Info. Tech. Services)" <BachandD at easternct.edu>
> Reply-To: UNIversity Security Operations Group <unisog at lists.sans.org>
> To: unisog at lists.sans.org
> Subject: [unisog] new virus?
>
> We've recently had a minor outbreak (if there is such a thing) of a
> virus that I'm having a hard time putting my finger on.
>
> McAfee shows it as being an SDBOT variant.  But, it only attacks SQL
> servers.  It seems to be doing some sort of a login attempt/attack.  My
> SQL sysadmin swears that the SA password wasn't blank, and there were no
> SQL patches missing.
>
> Any ideas?
>
> ++++++++++++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++++++++++++
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
-------------- next part --------------
From joel.fletcher at wmich.edu Thu Feb 24 09:54:59 2005
Date: Thu, 24 Feb 2005 09:52:19 -0500
From: Joel Fletcher <joel.fletcher at wmich.edu>
To: Jim Cotton <jim.cotton at wmich.edu>
Subject: FW: SQL Server Hack Info

Jim: Here's the message I wrote to Paul regarding the SQL server hack/worm.
Please feel free to share.
 
--Joel
 

  _____  

From: Joel Fletcher [mailto:joel.fletcher at wmich.edu] 
Sent: Friday, February 18, 2005 11:05 AM
To: Paul Schneidenbach (paul.schneidenbach at wmich.edu); 'Robert Coffman'
Cc: Ron Schubot (ronald.schubot at wmich.edu); Joan E. O'Bryan
(joan.obryan at wmich.edu)
Subject: SQL Server Hack Info


Paul:
 
Here's what we were able to determine about the SQL server worm. As of now,
I'm not aware that it's been identified by any of the AV companies. Please
share with client systems as you feel appropriate:
 
Identification:
 
    Open Task Manager. Look for a process called hpws.exe. This is the worm.
    If you set the view options to include threads, you'll probably see
    hundreds of threads spawned by this task. It probably cannot be killed
    through Task Manager, even by Administrator. The process is owned by
    SYSTEM.
 
Killing the worm: 
 
    We downloaded Process Explorer from Sysinternals.com.
    It's a free tool for exploring lots of things through the process trees.
    We were able to kill the process with this tool. Interestingly, hpws.exe
    turns out to be a subprocess of a CMD.EXE process.
 
Removal: 
 
    Delete or rename %windows%\system32\hpws.exe. There are lots
    of references to this file in the Registry for auto restart. Do not
    bother trying to delete these until after you've killed the process
    itself. It continuously updates the registry entries.
 
Protection: 
 
    The network traffic being generated by this worm is consistent with a
    dictionary-based, or possibly brute-force, password attack. Make certain
    that all your SQL Server passwords are "strong"; that is, non-dictionary
    words, mixed letters, numbers, and punctuation. This is especially true
    for SA and other privileged accounts.
    
Exceptions: 
 
    Since I've only fixed one of these, the worm may randomize its
    name or other attributes. I have found that the other freebie tools on
    SysInternals were also helpful in tracking down this worm, especially
    TCPview and TDImon, although Regmon may also be useful.
 
Prevention:
 
    The best advice I can give is as follows:
        1. Make strong passwords.
        2. Minimize the number of privileged accounts on your system.
        3. Make sure all your patches are up-to-date, including Windows,
           SQL Server, and AV.
        4. Limit access by installing a hardware or software firewall.
 
    If you have a system that has been hit by this worm, please let me know
    whether you were able to fix your system with these steps, or if you
    have more information to add.
 
 
 
-----------------------------------
Joel M. Fletcher
Director, Systems and Operations
Western Michigan University
Office of Information Technology
Kalamazoo, MI  49008
 
joel.fletcher at wmich.edu
269.387.0916
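
Added example, not from any of the posts above and not WMU tooling: the
dictionary/brute-force behaviour Joel describes leaves a run of "Login failed
for user 'sa'" entries from one client in the SQL Server error log, and that
run is the thing to alert on regardless of what the worm binary is called.
The detector below parses such lines and raises one alert per client/account
pair once a threshold of failures lands inside a sliding window, so a slow
guesser is caught as well as a burst. The log line shape (timestamp, source
column, message, "[CLIENT: ip]" suffix), the constructed sample lines, and
the 10-failures-in-60-seconds threshold are all assumptions made for this
example; match LOG_RE to the errorlog format of your own build.

```python
"""Detect SQL Server password guessing from error-log lines.

Added example; the log format below is an assumption (constructed for this
example), not taken from the original post or from any real errorlog.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: "<ts>.<frac> <source> Login failed for user '<u>'. ... [CLIENT: <ip>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, user, client) for every failed-login line; skip the rest."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("user"), m.group("client")


def detect_guessing(lines, threshold=10, window=timedelta(seconds=60)):
    """Return alerts as (client, user, count, first_ts, last_ts).

    An alert fires the first time `threshold` failures for the same
    client+user fall inside `window`; the window slides, so a steady
    one-attempt-per-few-seconds guesser is caught, not only a burst.
    """
    recent = defaultdict(deque)   # (client, user) -> timestamps inside window
    alerted = set()               # keys already reported, to avoid repeats
    alerts = []
    for ts, user, client in sorted(parse_failures(lines)):
        key = (client, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that aged out
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((client, user, len(q), q[0], ts))
    return alerts


def sample_log():
    """Constructed sample: one host hammering 'sa' once a second, plus a
    legitimate user mistyping a password three times over 14 minutes."""
    base = datetime(2005, 2, 18, 11, 5, 0)
    lines = []
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}.12 logon     "
                     f"Login failed for user 'sa'. [CLIENT: 10.9.8.7]")
    for i in range(3):
        t = base + timedelta(minutes=7 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}.50 logon     "
                     f"Login failed for user 'app_user'. [CLIENT: 10.0.0.5]")
    # Unrelated line, must be ignored by the parser.
    lines.append(f"{base:%Y-%m-%d %H:%M:%S}.00 server    "
                 f"SQL Server is ready for client connections")
    return lines


if __name__ == "__main__":
    for client, user, n, first, last in detect_guessing(sample_log()):
        print(f"ALERT {client} -> '{user}': {n} failures "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against the constructed sample it reports the 10.9.8.7 -> 'sa' run and
stays quiet about the three spaced-out app_user failures. Note that a worm
like the one described will usually guess from one infected host, so
keying on client+user is enough here; if the source is spread across many
hosts, key on the target account alone as well.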
 
 

