MySQL Worm Halted

edited January 2005 in Science & Tech
A worm exploiting weak database passwords on Windows computers had essentially stopped spreading on Friday, after the systems infected with the program were cut off from the control of several central computers.
More than 8,000 Windows computers running the MySQL database were probably infected with the worm program, referred to as the MySQL bot worm or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines. The program did not spread on its own, but downloaded targets from several Internet relay chat (IRC) servers. Those servers have been made inaccessible, virtually stopping the worm, said Oliver Friedrichs, senior manager for incident response at security technology maker Symantec.

"We are just seeing residual infections," Friedrichs said. "The worm cannot connect to those servers, so it has lost its control channel. Without those commands, the worm is not going to be able to spread."

The worm started infecting systems on Tuesday, according to Symantec's network of sensors.

While the thousands of compromised systems hardly compare to the millions of systems infected by MSBlast or hundreds of thousands compromised by Microsoft SQL Slammer, the MySQL worm is significant for a different reason: Technically, it's not a worm, but an example of bot software, designed to infect and control computers. Such programs are numerous (Symantec's catalog holds more than 6,500) and, as the MySQL worm demonstrates, can easily be turned into programs that spread widely.
Source: c|net

Comments

  • csimoncsimon Acadiana Icrontian
    edited January 2005
    awesome work ...I was just reading about the infection yesterday and was wondering how long it would take to nip this one. Apparently not long at all! :thumbsup: