Wormguard vs. W32.SQLExp.Worm

Discussion in 'WormGuard' started by I_lack_commonsense, Jan 26, 2003.

Thread Status:
Not open for further replies.
  1. I_lack_commonsense

    I_lack_commonsense Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    44
    With so much made about this worm lately, I was rather curious to know how wormguard would have responded? Would it have just been business as usual...
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :( Hi ILC,
    I believe that the SQL worm is memory-only, so I doubt WG would see it; AVs & ATs that rely on database sigs only would also probably fail.
    Switching your computer off & on again would probably kill it though :D
    TDS3 probably catches it, as it uses many methods of seeing worms & Trojans.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Use in TDS the Network > TCP Port Listen (with fw up of course) and see what the packets are, if you're targeted.
     
  4. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Wormguard (and most other antivirus products) is not designed to protect against threats like this SQL worm. Depending on the definition, I personally would not call this a worm. It is in my opinion more an automated hack attack than what we usually call a worm, e.g. Badtrans or Klez.

    The best protection against this kind of threat is simply to keep regularly updating the software which could (theoretically) be attacked (you can find this kind of server program while checking for 'open ports').

    wizard
     
  5. I_lack_commonsense

    I_lack_commonsense Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    44
    I agree it does sound a lot more like some kind of exploit of SQL server rather than a worm, but nonetheless I am still a little surprised that WG would not pick up something like this (nothing against WG), considering W32.SQL is only one of a very few types of these "worms" (as I understand) that have pure memory properties. So would scanning for these types of worms be warranted for, say, WG4? Or would it be more trouble than it is worth. Thank you again for the replies.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yes, this worm is 100% memory-resident only. As soon as you reboot your computer you're disinfected (but still vulnerable to re-infection). The worm can only infect your system if you're running a vulnerable version of Microsoft's SQL server, but a patch for this vulnerability was released by Microsoft a long time ago.

    Wormguard protects against files as you execute them, but doesn't protect against buffer overflows caused by incoming internet data (but then, no other program I know of does either!).
     
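Because the worm discussed in this thread is purely memory-resident, there is no file for a scanner like WormGuard to check at execution time; what remains observable is its network behaviour. The following Python script is an added example (not code from any poster, nor from WormGuard or TDS) showing the kind of check a port listener or firewall log review could apply: it flags a host that sends the same-port datagrams to many distinct destinations in a short window (an infected machine propagating) and a host that receives same-port datagrams from many distinct sources (a machine being targeted, as Jooske describes). The log line format, every log line, the IP addresses, the port numbers and the thresholds are all constructed for this example; the detector itself does not depend on any particular port.

```python
"""Added example: behaviour-based detection of a memory-only worm from
constructed firewall log lines. Not code from the forum thread, WormGuard or TDS."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption for this example):
#   "<ISO timestamp> <PROTO> <src_ip>:<src_port> > <dst_ip>:<dst_port>"
# The addresses and port numbers below are constructed sample data.
SAMPLE_LOG = """\
2003-01-25T05:30:00 UDP 10.0.0.5:2201 > 203.0.113.7:1434
2003-01-25T05:30:00 UDP 10.0.0.5:2201 > 203.0.113.8:1434
2003-01-25T05:30:00 UDP 10.0.0.5:2201 > 203.0.113.9:1434
2003-01-25T05:30:01 UDP 10.0.0.5:2201 > 203.0.113.10:1434
2003-01-25T05:30:01 UDP 10.0.0.5:2201 > 203.0.113.11:1434
2003-01-25T05:30:01 UDP 10.0.0.5:2201 > 203.0.113.12:1434
2003-01-25T05:30:02 TCP 10.0.0.9:3344 > 192.0.2.20:80
2003-01-25T05:30:03 TCP 10.0.0.9:3345 > 192.0.2.21:443
2003-01-25T05:30:05 UDP 198.51.100.4:1034 > 10.0.0.5:1434
2003-01-25T05:30:05 UDP 198.51.100.77:1099 > 10.0.0.5:1434
2003-01-25T05:30:06 UDP 198.51.100.130:2222 > 10.0.0.5:1434
2003-01-25T05:30:06 UDP 198.51.100.201:4041 > 10.0.0.5:1434
"""


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _max_distinct_in_window(events, window):
    """events: list of (timestamp, peer). Returns the largest number of
    distinct peers seen inside any trailing time window of length `window`."""
    events.sort()
    recent = deque()
    best = 0
    for ts, peer in events:
        recent.append((ts, peer))
        while ts - recent[0][0] > window:      # drop events older than the window
            recent.popleft()
        best = max(best, len({p for _, p in recent}))
    return best


def find_scanners(records, window=timedelta(seconds=5), min_targets=5, proto="UDP"):
    """Outbound view: a source hitting the same destination port on many
    distinct hosts within `window` looks like a propagating worm.
    Returns {(src_ip, dst_port): peak distinct targets} for offenders."""
    by_key = defaultdict(list)
    for r in records:
        if r["proto"] == proto:
            by_key[(r["src_ip"], r["dst_port"])].append((r["ts"], r["dst_ip"]))
    alerts = {}
    for key, events in by_key.items():
        peak = _max_distinct_in_window(events, window)
        if peak >= min_targets:
            alerts[key] = peak
    return alerts


def find_probed(records, window=timedelta(seconds=5), min_sources=3, proto="UDP"):
    """Inbound view: one (host, port) receiving from many distinct sources
    within `window` means that service is being targeted.
    Returns {(dst_ip, dst_port): peak distinct sources} for targeted services."""
    by_key = defaultdict(list)
    for r in records:
        if r["proto"] == proto:
            by_key[(r["dst_ip"], r["dst_port"])].append((r["ts"], r["src_ip"]))
    alerts = {}
    for key, events in by_key.items():
        peak = _max_distinct_in_window(events, window)
        if peak >= min_sources:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (ip, port), n in find_scanners(recs).items():
        print(f"propagation pattern: {ip} reached {n} hosts on port {port}")
    for (ip, port), n in find_probed(recs).items():
        print(f"targeted service: {ip}:{port} probed by {n} sources")
```

In the constructed sample, 10.0.0.5 is reported both as a scanner (it reaches six distinct hosts on one port within two seconds) and as a targeted service (four outside sources hit the same port on it), while the ordinary TCP web traffic from 10.0.0.9 trips neither check. Consistent with Wayne's point that a reboot clears the memory-only worm but leaves the host re-infectable, the outbound pattern would vanish after a restart and reappear on re-infection, so this kind of check needs to run continuously until the vulnerable service is patched.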