MSDE-related virus

Dan

I'm having a problem with a workstation equipped with WinXP Pro SP1 + latest
patches, Norton AV 2003, Norton Internet Security 2003, MSDE SP3: this
workstation is a development machine and uses some local databases via its
MSDE engine; whenever I create an application which accesses a database
(using Visual Studio .NET 2003), Internet Security intercepts a couple of
attempts to connect to a remote computer at 66.220.17.46:1434 (port 3074) or
other IPs probably located in California. As the program blocked is mine, I
am of course sure that the program would never do such a thing, so I must
think of some sort of virus affecting the MSDE data server.
I have run a full virus scan with Norton and some anti-spy and anti-trojan
software (e.g. Trojan Remover, Adaware) and they did not find anything bad.
Could anyone give a hint about this problem?

Thanks to all!
 
Nick FitzGerald

If this test database is only for local testing (i.e. "local from this machine"
not "from the local area network") then why the heck have you accepted MS'
incredibly braindead default of binding the horribly insecure MS SQL Server (in
its slightly stripped down MSDE form) to every TCP/IP interface available?

Bind the database server to _only_ localhost.

(As for the outgoing port 1434 connection -- I've often noticed the admin server
try to probe the whole local sub-net on a test network that is entirely isolated
from the Internet to locate other SQL Servers so I guess what you are seeing may
be related to this. Why a non-local address though??)
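
The check behind the advice above, as an added example that is not part of the original thread: parse `netstat -ano` output to see which addresses the MSDE engine is actually bound to, and which process owns any outbound attempt to port 1434. The netstat table and the PID-to-image map are constructed to resemble a Windows XP workstation running MSDE 2000 (with `devapp.exe` as a stand-in for the poster's own program); the port roles are the SQL Server 2000 defaults (TCP 1433 for the engine, UDP 1434 for the SQL Server Resolution Service that Slammer targeted).

```python
"""Where is MSDE actually listening? Classify sockets from `netstat -ano` output.

Added example for this thread, not code from the original posts. The netstat text
and the PID-to-image map are constructed; the port roles are SQL Server 2000 defaults.
"""
import ipaddress

# Constructed `netstat -ano` output (Windows XP table layout), not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:3074      66.220.17.46:1434      SYN_SENT        1876
  UDP    0.0.0.0:1434           *:*                                    1520
  UDP    127.0.0.1:123          *:*                                    1024
"""

# Constructed PID -> image name map, as `tasklist` would report it.
# devapp.exe is a hypothetical stand-in for the poster's own application.
SAMPLE_PROCESSES = {884: "svchost.exe", 1520: "sqlservr.exe", 1876: "devapp.exe", 1024: "svchost.exe"}

# SQL Server 2000 / MSDE default ports and what listens on them.
SQL_ROLES = {("TCP", 1433): "sql-engine", ("UDP", 1434): "sql-resolution-service"}


def parse_netstat(text):
    """Turn the `netstat -ano` table into socket records (IPv4 rows only)."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank and "Active Connections" lines
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) == 5 else ""   # UDP rows carry no State column
        local_ip, local_port = local.rsplit(":", 1)
        sockets.append({"proto": proto, "local_ip": local_ip, "local_port": int(local_port),
                        "foreign": foreign, "state": state, "pid": int(parts[-1])})
    return sockets


def binding_scope(ip):
    """How widely a listener is reachable, judged from its bound address."""
    if ip == "0.0.0.0":
        return "all-interfaces"
    if ipaddress.ip_address(ip).is_loopback:
        return "loopback-only"
    return "single-interface"


def sql_listeners(sockets, processes):
    """Every default-port SQL Server listener, with its scope and owning process."""
    findings = []
    for s in sockets:
        role = SQL_ROLES.get((s["proto"], s["local_port"]))
        listening = s["proto"] == "UDP" or s["state"] == "LISTENING"
        if role and listening:
            findings.append({"role": role, "proto": s["proto"], "port": s["local_port"],
                             "scope": binding_scope(s["local_ip"]),
                             "process": processes.get(s["pid"], "unknown")})
    return findings


def outbound_to_port(sockets, processes, port):
    """Connections (not listeners) whose peer is on `port`, flagging peers outside the LAN."""
    hits = []
    for s in sockets:
        if s["state"] in ("", "LISTENING"):
            continue
        peer_ip, peer_port = s["foreign"].rsplit(":", 1)
        if int(peer_port) != port:
            continue
        hits.append({"process": processes.get(s["pid"], "unknown"), "peer": peer_ip,
                     "state": s["state"], "off_lan": ipaddress.ip_address(peer_ip).is_global})
    return hits


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for finding in sql_listeners(socks, SAMPLE_PROCESSES):
        print(finding)
    for hit in outbound_to_port(socks, SAMPLE_PROCESSES, 1434):
        print(hit)
```

Two `all-interfaces` rows for sqlservr.exe is the default Nick is objecting to. Where the engine has to serve LAN clients, the practical control is a host-firewall rule that admits inbound TCP 1433 and UDP 1434 only from the LAN subnet; and the `outbound_to_port` line shows which process is really opening the connection the firewall is blocking, which is the first thing to establish before suspecting the database engine.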
 
David H. Lipman

That was Slammer.

Dave

 
Dan

Thanks to both! As for the previous question, the project being developed
hosts a database on one workstation but it is accessed by some other client
apps on the LAN, so I can't limit access to the local server. Anyway, if it
is Slammer I should be able to remove it (?): I have tried three Slammer
removal tools: Symantec, BitDefender and McAfee. The first does not even try
to find and remove the virus, telling me that no system component is
vulnerable to Slammer (OK, but this was not so before applying patches...);
BitDefender performs a memory scan but finds nothing (I have also launched
the affected application to be sure that the malicious code would be
loaded); McAfee performs a drive scan, but finds nothing either.
I'll give other AV software (e.g. Panda) a try, but this seems odd...
 
David H. Lipman

What McAfee "tool" and version did you use to seek Slammer ?

Dave

 
Dan

I used the removal tool STINGER from AVERT v.1.7.9 (just downloaded): it made a
full C: drive scan with no results. In the meantime, I have also performed a
full computer scan via the web from the Panda AV site, again with no result. Any idea?
 
David H. Lipman

Well, it ain't Slammer then...

No ideas.

Dave

 
Nick FitzGerald

David H. Lipman said:
That was Slammer.

No.

The OP said that he intercepted "a couple of attempts to connect to a remote
computer at <outside_IP>:1434 (port 3074) or other IP's ...".

That would _NOT_ be slammer.

If he detected several thousand such attempts per minute, then Slammer would
be a distinct possibility, but unless this machine is an absolute slug on
100Gbit or faster network pipe, the OP would have noticed chronic network
congestion within a few seconds of detecting the first "stray" outgoing port
1434 probe...

_THAT_ is what Slammer did that most people noticed first (second, third...).
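
Nick's argument is a rate argument: a worm that fires a single UDP datagram at random addresses as fast as the host can send looks nothing like two blocked TCP attempts minutes apart. The triage below, an added example that is not part of the original thread, puts numbers on that distinction. The log lines use a constructed generic "blocked outbound" layout (not Norton Internet Security's actual log format), the `devapp.exe` name is a stand-in for the poster's own program, and the rate and target-count thresholds are illustrative assumptions rather than published detection values; what is not assumed is that Slammer spread purely over UDP to port 1434.

```python
"""Rate-based triage of outbound port-1434 events: a couple of probes vs. a Slammer storm.

Added example for this thread, not code from the original posts. Log layout, the
devapp.exe name and the thresholds are constructed/assumed; only the protocol
fact (Slammer = UDP/1434 datagrams, never a TCP connection) is taken as given.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds (illustrative): a worm-class sender pushes hundreds-plus
# packets per second to many distinct hosts; a discovery probe does neither.
STORM_PEAK_PER_SECOND = 100
STORM_MIN_TARGETS = 100


def make_line(ts, proto, dst, dport=1434, app="devapp.exe", src="192.168.1.10:3074"):
    """Constructed log line: '<date> <time> BLOCK OUT <proto> <src> -> <dst>:<port> <app>'."""
    return "%s BLOCK OUT %s %s -> %s:%d %s" % (ts.strftime("%Y-%m-%d %H:%M:%S"), proto, src, dst, dport, app)


# Constructed: what the original poster described, a couple of TCP attempts minutes apart.
HANDFUL = [
    make_line(datetime(2003, 11, 12, 10, 15, 2), "TCP", "66.220.17.46"),
    make_line(datetime(2003, 11, 12, 10, 18, 41), "TCP", "66.220.17.46"),
]

# Constructed: a few UDP/1434 discovery probes across the local subnet, as Nick describes.
LAN_PROBES = [make_line(datetime(2003, 11, 12, 10, 20, 0), "UDP", "192.168.1.%d" % i, app="sqlservr.exe")
              for i in range(1, 6)]


def synthetic_storm(n=5000, seconds=2):
    """Constructed Slammer-shaped traffic: UDP/1434 to pseudo-random hosts, thousands per second."""
    base = datetime(2003, 1, 25, 5, 30, 0)
    per_second = n // seconds
    lines = []
    for i in range(n):
        dst = "%d.%d.%d.%d" % ((i * 7919) % 223 + 1, (i * 104729) % 256, (i * 13) % 256, (i * 31) % 254 + 1)
        lines.append(make_line(base + timedelta(seconds=i // per_second), "UDP", dst, app="sqlservr.exe"))
    return lines


def parse_events(lines):
    """Parse the constructed log layout into event dicts."""
    events = []
    for line in lines:
        parts = line.split()
        # ['2003-11-12', '10:15:02', 'BLOCK', 'OUT', 'TCP', 'src:port', '->', 'dst:port', 'app']
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        dst_ip, dst_port = parts[7].rsplit(":", 1)
        events.append({"ts": ts, "proto": parts[4], "dst": dst_ip, "dport": int(dst_port), "app": parts[8]})
    return events


def triage(events, port=1434):
    """Summarise traffic to `port` and say whether it is worm-shaped."""
    hits = [e for e in events if e["dport"] == port]
    if not hits:
        return {"verdict": "no-traffic", "count": 0}
    per_second = Counter(e["ts"] for e in hits)          # timestamps have 1 s resolution
    peak = max(per_second.values())
    targets = len({e["dst"] for e in hits})
    protos = {e["proto"] for e in hits}
    span = (max(e["ts"] for e in hits) - min(e["ts"] for e in hits)).total_seconds()
    if "UDP" not in protos:
        verdict = "not-slammer-tcp-only"     # Slammer never opens a TCP connection
    elif peak >= STORM_PEAK_PER_SECOND and targets >= STORM_MIN_TARGETS:
        verdict = "slammer-like"
    else:
        verdict = "low-rate-udp"             # probe/discovery traffic: identify the process, not a worm
    return {"verdict": verdict, "count": len(hits), "peak_per_second": peak,
            "distinct_targets": targets, "protocols": sorted(protos), "span_seconds": span,
            "apps": sorted({e["app"] for e in hits})}


if __name__ == "__main__":
    for name, lines in (("handful", HANDFUL), ("lan-probes", LAN_PROBES), ("storm", synthetic_storm())):
        print(name, triage(parse_events(lines)))
```

The three constructed inputs land in three different buckets: the poster's two TCP attempts are ruled out on protocol alone, the subnet probes are low-rate UDP whose owning process is the thing to identify, and only the synthetic storm trips both the rate and the target-count bars. The verdict is only as good as the log's coverage, so it is a triage aid, not a substitute for the scanners already run in the thread.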
 
