Did not get hit with this ourselves (we do not run SQL Server), but another local business that a friend of mine has did. Just wanted to advise you all on this since the fix is simple.
The worm was detected today at 05:30 GMT. Since then it has been detected in various countries around the world. The worm generates massive amounts of network packets, overloading servers and routers and slowing down network traffic. As many as 5 of the 13 internet root nameservers have been down because of this during Saturday the 25th.

This worm does not infect end user machines at all: it only infects Windows 2000 servers running Microsoft SQL Server. End users might only notice this worm because of network sluggishness. This worm is not a mass mailer: it does not send any e-mails.

The worm only spreads as an in-memory process: it never writes itself to the hard drive. In this sense it is similar to the Code Red worm from July 2001.

The worm uses TCP and UDP port 1434 to exploit a buffer overflow in MS SQL Server. Close down these ports on your firewall unless you really need to have your SQL servers visible to the world.

As the worm does not infect any files, an infected machine can be cleaned by simply rebooting the machine. However, it will soon get reinfected if the machine is connected to the network without applying the SP2 or SP3 patches for MS SQL Server.

For patch information, see:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

To remove this worm you must first apply the following patch from Microsoft:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

Find additional info at:
http://www.eeye.com/html/Research/Flash/AL20030125.html
http://library.northernlight.com/EA20030125430000018.html?cb=200&dx=2006&sc=0#doc

Stephen Breen
Email: [EMAIL PROTECTED]
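Because a reboot only clears the in-memory copy, it helps to know which internal servers are already sending the flood. The following is an added example, not part of the original message: it flags sources that contact many distinct destinations on port 1434 within one time window. The flow-record format, the sample records, the 60-second window and the threshold of 5 are all assumptions made for illustration.

```python
from collections import defaultdict

WORM_PORT = 1434  # port named in the advisory (it lists both TCP and UDP)

# Constructed flow records, not real traffic: "epoch src dst proto dport"
SAMPLE_FLOWS = """\
1043472600 10.0.0.5 198.51.100.1 udp 1434
1043472601 10.0.0.5 198.51.100.2 udp 1434
1043472602 10.0.0.5 203.0.113.9 udp 1434
1043472603 10.0.0.5 203.0.113.77 udp 1434
1043472604 10.0.0.5 192.0.2.14 udp 1434
1043472605 10.0.0.5 192.0.2.200 udp 1434
1043472600 10.0.0.9 10.0.0.20 udp 1434
1043472630 10.0.0.9 10.0.0.20 udp 1434
1043472610 10.0.0.7 192.0.2.53 udp 53
truncated line
"""

def parse_flows(text):
    """Yield (ts, src, dst, proto, dport); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        if not (ts.isdigit() and dport.isdigit()):
            continue
        yield int(ts), src, dst, proto.lower(), int(dport)

def find_suspect_hosts(text, min_targets=5, window=60):
    """Map each source to its peak count of distinct port-1434 destinations
    in one fixed window, keeping only sources at or above min_targets."""
    buckets = defaultdict(set)  # (src, window index) -> destinations seen
    for ts, src, dst, proto, dport in parse_flows(text):
        if dport == WORM_PORT and proto in ("udp", "tcp"):
            buckets[(src, ts // window)].add(dst)
    peaks = defaultdict(int)
    for (src, _), dsts in buckets.items():
        peaks[src] = max(peaks[src], len(dsts))
    return {src: n for src, n in peaks.items() if n >= min_targets}

if __name__ == "__main__":
    for src, n in find_suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct destinations on port {WORM_PORT} in one window")
```

A client that repeatedly queries a single SQL server on port 1434 stays below the threshold, while a host fanning out to many addresses is reported and is a candidate for patching before it is rebooted and reconnected.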

