New MySQL Internet Worm - Spoolcll.exe - Security Protection

Common Tasks

Community

Email Notifications

Personal Links

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

New MySQL Internet Worm - Spoolcll.exe

Analysis is underway by security and AV firms, as this is early information. The key protective measure is to lock down port 3306:

New MySQL Internet Worm - Spoolcll.exe
http://isc.sans.org//diary.php?date=2005-01-26
http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=3

We have reports about a possible MySQL worm. Right now, it appears to be hunting for Windows systems running MySQL. We have no deteails so far, and would creatly appreciate input (in particular code samples). We do observe a significant rise in port 3306 scanning, which is likely caused by infected systems. The worm creates a file called 'Spoolcll.exe' and has so far been named 'MySpooler'.

You should not expose any MySQL servers to unsolicitated connections. If you run MySQL, make sure you block port 3306. MySQL can run without networking enabled, as long as you only connect to it from the local host (e.g. if a web server and mysql run on the same system, which is common for small website). In order to turn off networking, start mysql with the --skip-networking option. You will however need networking if you use replication.

Posted: Jan 27 2005, 06:37 AM by Harry Waldron | with no comments

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.