[unisog] new virus?

James C Cotton jim.cotton at wmich.edu
Thu Feb 24 14:56:27 GMT 2005

WMU saw it, Symantec has no sig, I will forward our notes from an
admin that cleaned it.  Please look at the attachment for details...

If your infection is different we would like to know that, and how it

Jim Cotton, N8QOH            |  jim.cotton at wmich.edu
Western Michigan University  |  Phone: (269) 387-6421
Network Systems Group        |  Fax: (269) 387-5473

On Feb 23, 2005 at 16:36 -0500, BACHAND, Dave (Info. Tech. Services) wrote:

> Date: Wed, 23 Feb 2005 16:36:06 -0500
> From: "BACHAND, Dave (Info. Tech. Services)" <BachandD at easternct.edu>
> Reply-To: UNIversity Security Operations Group <unisog at lists.sans.org>
> To: unisog at lists.sans.org
> Subject: [unisog] new virus?
> We've recently had a minor outbreak (if there is such a thing) of a
> virus that I'm having a hard time putting my finger on.
> McAfee shows it as being an SDBOT variant.  But, it only attacks SQL
> servers.  It seems to be doing some sort of a login attempt/attack.  My
> SQL sysadmin swears that the SA password wasn't blank, and there were no
> SQL patches missing.
> Any ideas?
> ++++++++++++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++++++++++++
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
-------------- next part --------------
From joel.fletcher at wmich.edu Thu Feb 24 09:54:59 2005
Date: Thu, 24 Feb 2005 09:52:19 -0500
From: Joel Fletcher <joel.fletcher at wmich.edu>
To: Jim Cotton <jim.cotton at wmich.edu>
Subject: FW: SQL Server Hack Info

Jim: Here's the message I wrote to Paul regarding the SQL server hack/worm.
feel free to share.


From: Joel Fletcher [mailto:joel.fletcher at wmich.edu] 
Sent: Friday, February 18, 2005 11:05 AM
To: Paul Schneidenbach (paul.schneidenbach at wmich.edu); 'Robert Coffman'
Cc: Ron Schubot (ronald.schubot at wmich.edu); Joan E. O'Bryan
(joan.obryan at wmich.edu)
Subject: SQL Server Hack Info

Here's what we were able to determine about the SQL server worm. As of now,
not aware that it's been identified by any of the AV companies. Please share
with client systems as you feel appropriate:
    Open Task Manager. Look for a process called hpws.exe. This is the worm.
    If you set the view options to include threads, you'll probably see
    of threads spawned by this task. It probably cannot be killed through
    Task Manager, even by Administrator. The process is owned by SYSTEM.
Killing the worm:
    We downloaded Process Explorer from Sysinternals.com. It's a free tool
    for exploring lots of things through the process trees. We were able to
    kill the process with this tool. Interestingly, hpws.exe turns out to be
    a subprocess of a CMD.EXE process.
    Delete or rename %windows%\system32\hpws.exe. There are lots of
    references to this file in the Registry for auto restart. Do not bother
    trying to delete these until after you've killed the process itself. It
    continuously updates the registry entries.
    The network traffic being generated by this worm is consistent with a
    dictionary-based, or possibly brute-force password attack. Make certain
    that all your SQL Server passwords are "strong"; that is, non-dictionary
    words, mixed case, numbers, and punctuation. This is especially true for
    SA and other
    Since I've only fixed one of these, the worm may randomize its name or
    other attributes. I have found that the other freebie tools on
    were also helpful in tracking down this worm, especially TCPview and
    although Regmon may also be useful.
    The best advice I can give is as follows:
        1. Make strong passwords.
        2. Minimize the number of privileged accounts on your system.
        3. Make sure all your patches are up-to-date, including Windows, SQL
           and AV.
        4. Limit access by installing a hardware or software firewall.
    If you have a system that has been hit by this worm, please let me know
    whether you were able to fix your system with these steps, or if you
    have more information to add.
Joel M. Fletcher
Director, Systems and Operations
Western Michigan University
Office of Information Technology
Kalamazoo, MI  49008
joel.fletcher at wmich.edu
