Network Security: Detailed info on RE: [Full-Disclosure] spoolcll.exe

Subject:	RE: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?
Date:	Thu, 27 Jan 2005 11:47:57 -0600

From the article text:


"The bot uses the "MySQL UDF Dynamic Library Exploit". In order to
launch the exploit, the bot first has to authenticate to mysql as 'root'
user. A long list of passwords is included with the bot, and the bot
will brute force the password."

Looks like this is small part exploit, and large part bad root password
selection. Though I'm not even sure about the exploit part because the
text later says:

"This bot does not use any vulnerability in mysql. The fundamental
weakness it uses is a week[sic] 'root' account."


Patrick Dolan
Information Security Analyst
 
 

-----Original Message-----
From: Jeremy Davis [mailto:jdaytona@gmail.com] 
Sent: Thursday, January 27, 2005 11:23 AM
To: Mike Bailey
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] spoolcll.exe - new worm being distributed
viamysql vulnerability?

Check out todays diary at SANS.
http://isc.sans.org/


On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey <worried@gmail.com>
wrote:

Aloha,

Earlier tonight, i was sitting here at home doing some normal 
browsing, and work and my firewall alerted me that a program called 
spoolcll.exe was attempting to open up a port which i cannot remember 
now.

i tried killing it, but it just came back, over and over again each 
time spawning itselfs on a new port.

Registry says the worm created a service called "evmon", it cannot be 
paused or stopped, but it can be disabled.

The only information about this worm on google is a discussion at the 
following url: 
http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
they are beginning to determinthat it is being distributed via a hole 
in mysql.

Do any of you know anything about this? Thanks in advance.

--
Love,
Mike Bailey
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html





Disclaimer:
This electronic message, including any attachments, is confidential and 
intended solely for use of the intended recipient(s). This message may contain 
information that is privileged or otherwise protected from disclosure by 
applicable law. Any unauthorized disclosure, dissemination, use or reproduction 
is strictly prohibited. If you have received this message in error, please 
delete it and notify the sender immediately. 




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

<Prev in Thread]	Current Thread	[Next in Thread>
RE: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?, Dolan, Patrick <= Re: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?, Jeremy Davis

Previous by Date:	Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?, stephane nasdrovisky
Next by Date:	Re: [Full-Disclosure] "Advances in Security" in the Linux Kernel and RedHat idiocy, Brad Spengler
Previous by Thread:	[Full-Disclosure] "Advances in Security" in the Linux Kernel and RedHat idiocy, Brad Spengler
Next by Thread:	Re: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?, Jeremy Davis
Indexes:	[Date] [Thread] [Top] [All Lists]

RE: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql