The "2003 Worm King" (worm.netkiller2003) is a worm whose damage far exceeds that of the once rampant Code Red virus.
Once a machine is infected, the worm consumes network bandwidth so heavily that the network is paralysed. It exploits a buffer overflow vulnerability in the SQL Server 2000 resolution service listening on port 1434 to attack the network. Because the worm spreads so aggressively, it is already spreading rapidly across Asia, the Americas, Australia and elsewhere and has caused a worldwide network disaster. It appeared on the weekend of January 25; the first visible consequence was paralysis of the public Internet, and it is expected to keep spreading rapidly over the next few days.
The editor recommends scanning with the free 360 antivirus to remove the worm, and then taking the corresponding measures depending on the scan results.
Worm Propagation Process
The 2003 worm is a very unusual worm: its body is extremely small and it spreads extremely fast. It propagates by exploiting a buffer overflow vulnerability in Microsoft SQL Server 2000; the detailed propagation process is as follows:
The worm enters an unprotected machine and obtains the addresses of three Win32 API functions: GetTickCount, socket and sendto. It then calls GetTickCount to obtain a random seed and enters an endless loop in which it keeps spreading. In each iteration the worm generates a random IP address from that seed and sends its own code to port 1434 (the port Microsoft SQL Server opens). It travels very quickly because it sends its own code in broadcast packets, so all 255 possible hosts in each attacked subnet may be hit. The vulnerable machine type is an NT-series server with Microsoft SQL Server 2000 installed, including Windows NT, Windows 2000 and Windows XP. Fortunately the worm does not infect or spread through files at all; it exists only in memory. The strings "H.dllhel32hkernqhounthickchget", "Qh32.dhws2_f", "Etqhsockf" and "Toqhsend" appear in the worm body. The vulnerability it exploits was discovered in July 2002 and is fixed in the subsequent Microsoft SQL Server 2000 patch package.
Characteristics of the worm
The worm attacks NT-series servers running Microsoft SQL Server. It probes port 1434/UDP on the target machine and, if the probe succeeds, sends 376 bytes of worm code. Port 1434/UDP is opened by Microsoft SQL Server; on an unpatched SQL Server platform this port has a buffer overflow vulnerability that lets the worm code that follows run on the attacked machine.
The worm invades the MS SQL Server system and runs inside the process space of sqlservr.exe, the main MS SQL Server 2000 program. Because MS SQL Server 2000 runs with the highest system privileges, the worm obtains system-level privileges as well.
Attacked systems: systems without MS SQL Server 2000 SP3 installed.
Because the worm never checks whether it has already penetrated a system, its damage is obvious: its non-stop attempts to invade amount to a denial-of-service attack, which can bring the affected machines' services to a standstill.
The worm exploits a buffer overflow vulnerability in sqlsort.dll on the attacked machine to gain control. It then obtains the address of GetTickCount from KERNEL32 and the addresses of socket and sendto from Ws2_32.dll. It calls GetTickCount, uses the return value as the seed for a random number, and uses that seed to produce an IP address as the target of the attack; it then creates a UDP socket, sends its own code to port 1434 of the target machine, and enters an infinite loop that repeats the same sequence: generate a random number, compute an IP address, launch the attack.
How to remove the worm after infection
All users running Microsoft SQL Server 2000 who have recently noticed abnormal network access are advised to follow these steps:
1. Block access to port udp/1434 from both outside and inside the network.
If this step is difficult to implement, you can use a border firewall, or a TCP/IP filter on the router or on the host itself, to block access to the local udp/1434 port.
2. Find the infected hosts.
Check on the border router (or firewall), or run a network monitor (such as Sniffer Pro), to find hosts on the network that send large amounts of data to destination port udp/1434; these are most likely infected with the worm.
If you are unsure, treat every machine running Microsoft SQL Server 2000 without the patch as infected.
You can use a port scanner on udp/1434 to locate hosts running Microsoft SQL Server 2000, but because UDP port scans are not reliable, you can instead scan tcp/1433 to locate hosts running SQL Server. Note, however, that only SQL Server 2000 is infected by this worm.
3. Unplug the network cable of each infected host.
4. Reboot all infected machines to clear the worm from memory. Stop the SQL Server service to prevent reinfection by the worm.
5. Plug the infected machines' network cables back in.
Note: If for some reason you cannot download the patch over the network, you can download it on another uninfected host, burn it to CD-ROM or copy it to other removable media, and then install it on the infected host.
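As an added illustration of step 2 (not part of the original article), the following Python script applies the detection idea described above to a few constructed firewall log lines: it flags any source that sends UDP datagrams to port 1434 on several distinct hosts, and counts how many of those datagrams have the 376-byte length mentioned above. The log format and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (assumed format, not from the article):
# 10.0.5.17 sprays 376-byte datagrams at udp/1434 across several subnets, as the
# article describes; 10.0.7.2 only makes a normal 1-byte SQL browser query.
SAMPLE_LOGS = """\
2003-01-25 05:31:02 allow 10.0.5.17:1054 -> 192.168.33.9:1434 udp len=376
2003-01-25 05:31:02 allow 10.0.5.17:1054 -> 172.16.8.200:1434 udp len=376
2003-01-25 05:31:03 allow 10.0.5.17:1054 -> 203.0.113.44:1434 udp len=376
2003-01-25 05:31:03 allow 10.0.5.17:1054 -> 198.51.100.7:1434 udp len=376
2003-01-25 05:31:05 allow 10.0.7.2:3310 -> 10.0.5.3:1434 udp len=1
2003-01-25 05:31:07 allow 10.0.7.2:3311 -> 10.0.5.3:1433 tcp len=48
"""

LINE_RE = re.compile(
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) len=(?P<len>\d+)"
)
WORM_PORT = 1434   # udp/1434, the port the article says the worm targets
WORM_LEN = 376     # size of the worm datagram stated in the article

def parse_line(line):
    """Return (src, dst, dport, proto, length), or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["proto"], int(m["len"])

def suspect_hosts(lines, min_targets=3):
    """Return sorted (src, distinct_udp1434_targets, datagrams_of_376_bytes) for
    every source that hit udp/1434 on at least min_targets distinct hosts."""
    targets = defaultdict(set)   # src -> set of destination hosts on udp/1434
    sized = defaultdict(int)     # src -> count of 376-byte datagrams
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, proto, length = rec
        if proto != "udp" or dport != WORM_PORT:
            continue
        targets[src].add(dst)
        if length == WORM_LEN:
            sized[src] += 1
    return sorted((src, len(dsts), sized[src])
                  for src, dsts in targets.items() if len(dsts) >= min_targets)

if __name__ == "__main__":
    for src, n, n376 in suspect_hosts(SAMPLE_LOGS.splitlines()):
        print(f"{src}: {n} distinct udp/1434 targets, {n376} datagrams of 376 bytes")
```

A single lookup to one host (the normal SQL browser query) stays below the threshold, while the random-IP spraying of an infected host does not.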