On Thu, 27 Jan 2005 11:51:08 -0500 (EST),
full-disclosure-request@lists.netsys.com
Message: 8
Date: Thu, 27 Jan 2005 00:18:21 -0500
From: Mike Bailey <worried@gmail.com>
Subject: [Full-Disclosure] spoolcll.exe - new worm being distributed
via mysql vulnerability?
To: full-disclosure@lists.netsys.com
Message-ID: <a50eeaa105012621182064e7a9@mail.gmail.com>
Content-Type: text/plain; charset=US-ASCII
Aloha,
Earlier tonight, i was sitting here at home doing some normal
browsing, and work and my firewall alerted me that a program called
spoolcll.exe was attempting to open up a port which i cannot remember
now.
i tried killing it, but it just came back, over and over again each
time spawning itselfs on a new port.
Registry says the worm created a service called "evmon", it cannot be
paused or stopped, but it can be disabled.
The only information about this worm on google is a discussion at the
following url: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
they are beginning to determinthat it is being distributed via a hole
in mysql.
Do any of you know anything about this? Thanks in advance.
--
Love,
Mike Bailey
------------------------------
It's a sort of new worm looking for MySQL weak root passwords. You get
more info at Sans:
http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b
Boot in Safe Mode and delete that file. Then reboot. Of course, change
your admin pass and firewall tcp port 3306.
--
Saludos/Regards
Luisma
-------------------------------------------------------------
Chaos reigns within. Reflect, repent, and reboot. Order shall return.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
