Phatbot Worm May Be Attacking SQL Server Ports

A new variant of the Phatbot worm appears to be loose on the Internet, attacking SQL Server ports, the SANS Institute reported Monday.

Phatbot, which first appeared on the Internet last month, is planted on a Windows system and controlled by attackers through peer-to-peer file-sharing technology. Once installed on vulnerable systems, the worm has the capability to change itself to avoid and shut down anti-virus software, steal Windows software license keys, lift user names and passwords, and kill other worms and viruses.

The new variant probes transmission control protocol (TCP) ports 2745, 1025, 3127, 6129, 5000, 80 and 1433, as well as Microsoft's NetBIOS, the SANS Institute said in its warning. The malware apparently tries "to break SQL Server ports as well as the other vulnerabilities already exploited."

SANS, a security research and education group, is attempting to capture an executable file for the Phatbot variant for further analysis.