Worm currently exploiting MySQL on Windows (News, CPG Dragonfly CMS)
UNIRAS (UK Gov CERT) Advisory
Type: Alert
Id: 20050128-00078
Ref: 09/2005
Date: 28 January 2005
Time: 09:10
Abstract: The worm installs a malicious trojan executable spoolcll.exe in the System32 directory. spoolcll.exe is installed as a new service "Event Monitor".
Vendors affected: Microsoft
Operating Systems affected: Windows
Applications/Services affected: MySQL
Impact: Denial of service

Detail
======
The worm installs a malicious trojan executable spoolcll.exe in the System32 directory. spoolcll.exe is installed as a new service "Event Monitor".

AL-2005.002 -- AUSCERT ALERT
New worm currently exploiting MySQL on Windows
28 January 2005

Product:          MySQL
Operating System: Windows
Impact:           Administrator Compromise
                  Distributed Denial of Service
Access:           Remote/Unauthenticated

SUMMARY:

AusCERT has become aware of a new worm currently exploiting MySQL on Windows systems. The worm infects systems using an automated attack on weak passwords for the MySQL "root" account. MySQL administrators are encouraged to apply the mitigation steps below as soon as possible to prevent infection.

Non-Windows MySQL systems are not targeted by this worm, but are vulnerable to the same attack if MySQL is running as root.

IMPACT:

The worm installs a malicious trojan executable spoolcll.exe in the System32 directory. spoolcll.exe is installed as a new service "Event Monitor". spoolcll.exe connects to one of several IRC servers to receive instructions for further action. It also sets up three listening ports, which we have observed to be UDP port 69 and TCP ports 2314 and 2311, though these ports can vary.

The trojan can be commanded to launch distributed denial of service attacks, remotely control the infected host, scan blocks of IP addresses and infect further vulnerable systems.

The malicious executable installed by this worm is detected by several antivirus products as a variant of Wootbot.

MITIGATION:

o Change to a stronger password for MySQL's "root" account.

o Configure MySQL to only accept "root" account connections from the local host.

  These two steps can be implemented using the MySQL 4.1 Server Instance Configuration Wizard. Under "Modify Security Settings", input a strong password and also select "Root may only connect from localhost".

o Run MySQL as an unprivileged user. This is possible under Windows with MySQL 4.0.17 and higher, and MySQL 4.1.2 and higher.

o Block connections from the internet to MySQL by adding a firewall rule blocking inbound traffic to port 3306.

REFERENCES:

SANS Handler's Diary, January 27 2005
http://isc.sans.org/diary.php?date=2005-01-27
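The automated password attack the alert describes leaves a recognisable trail in the MySQL general query log: a burst of refused "root" connections from one remote source, followed (on a weak password) by an accepted one. The script below is an added example, not part of the UNIRAS or AusCERT text; it assumes the general query log is enabled and uses constructed log lines in the MySQL 4.x layout, with the threshold and window values chosen here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the MySQL 4.x general query log layout (not from the advisory):
# "YYMMDD HH:MM:SS <thread id> Connect <argument>"; a refused login is logged as
# "Access denied for user 'u'@'h' ...", an accepted one as "u@h on <db>".
SAMPLE_LOG = """\
050128  9:10:01\t      11 Connect\troot@localhost on mysql
050128  9:10:02\t      12 Connect\tAccess denied for user 'root'@'203.0.113.7' (using password: YES)
050128  9:10:02\t      13 Connect\tAccess denied for user 'root'@'203.0.113.7' (using password: YES)
050128  9:10:03\t      14 Connect\tAccess denied for user 'root'@'203.0.113.7' (using password: YES)
050128  9:10:03\t      15 Connect\tAccess denied for user 'root'@'203.0.113.7' (using password: YES)
050128  9:10:04\t      16 Connect\troot@203.0.113.7 on mysql
050128  9:10:30\t      17 Connect\tAccess denied for user 'web'@'192.0.2.9' (using password: YES)
"""
LINE_RE = re.compile(r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\t\s*\d+ Connect\t(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")
OK_RE = re.compile(r"^(?P<user>[^@]+)@(?P<host>\S+) on")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

def analyse(log_text, threshold=4, window_seconds=60):
    # Returns (hosts with >= threshold failed root logins inside window_seconds,
    #          hosts that logged in as root from anywhere but the local machine,
    #          which the advisory's "root may only connect from localhost" setting forbids).
    failures = defaultdict(list)      # source host -> timestamps of failed root logins
    remote_root_ok = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
        denied = DENIED_RE.search(m.group("arg"))
        if denied and denied.group("user") == "root":
            failures[denied.group("host")].append(ts)
            continue
        ok = OK_RE.match(m.group("arg"))
        if ok and ok.group("user") == "root" and ok.group("host") not in LOCAL_HOSTS:
            remote_root_ok.add(ok.group("host"))
    brute = set()
    for host, times in failures.items():
        times.sort()
        # Sliding window: failures i-(threshold-1) .. i form a run of `threshold`; flag if it fits.
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_seconds:
                brute.add(host)
                break
    return sorted(brute), sorted(remote_root_ok)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))   # (['203.0.113.7'], ['203.0.113.7'])
```

On the sample, 203.0.113.7 is reported both for the failed-login burst and for the remote root login that followed it; the unrelated failure for the "web" account is ignored.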
Another Windows worm -- why does this not surprise me?
Note: The infector (worm) is detected as "WOOTBOT". This is a known rootkit infector.