On Thu, 27 Jan 2005 11:51:08 -0500 (EST), [EMAIL PROTECTED] > Message: 8 > Date: Thu, 27 Jan 2005 00:18:21 -0500 > From: Mike Bailey <[EMAIL PROTECTED]> > Subject: [Full-Disclosure] spoolcll.exe - new worm being distributed > via mysql vulnerability? > To: [email protected] > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset=US-ASCII > > Aloha, > > Earlier tonight, i was sitting here at home doing some normal > browsing, and work and my firewall alerted me that a program called > spoolcll.exe was attempting to open up a port which i cannot remember > now. > > i tried killing it, but it just came back, over and over again each > time spawning itselfs on a new port. > > Registry says the worm created a service called "evmon", it cannot be > paused or stopped, but it can be disabled. > > The only information about this worm on google is a discussion at the > following url: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1 > they are beginning to determinthat it is being distributed via a hole > in mysql. > > Do any of you know anything about this? Thanks in advance. > > -- > Love, > Mike Bailey > > ------------------------------
It's a sort of new worm looking for MySQL weak root passwords. You get more info at Sans: http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b Boot in Safe Mode and delete that file. Then reboot. Of course, change your admin pass and firewall tcp port 3306. -- Saludos/Regards Luisma ------------------------------------------------------------- Chaos reigns within. Reflect, repent, and reboot. Order shall return. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
