I posted this a few weeks back on the MISC. forum, but with the new forum edition it belongs here.
There is a nasty backdoor worm out there that has several versions.
There is not a great deal of information out there on it, so here is what I have. C:\WINNT\System32\wrm.exe -start is the most common location on your Win2k system. It runs as a service with the title "SQL Service Agent", as opposed to "SQLSERVERAGENT", which runs from MSSQL\binn\sqlagent.exe.
This little program provides unseen Telnet services. You may see this on some sites as Wollf.14, one of the five versions, Wollf.12 to Wollf.16.
If you find it, disable the service in the registry by changing the Start value to 4. This disables the service. Do this first, because you may find your attempts to stop the service result in a timeout.
You should find it in: HKLM\SYSTEM\Controlset001\services\sqlsa
You will note the image path: SQL Service Agent
Put a quotation mark (") in the value of the image path. Delete this and remove it from the Recycle Bin too.
I would then keep an eye on the login attempts.
I know someone will ask, so here you go. The machine was behind a NAT hardware firewall. The machine is well patched. But a different virus definition revealed it.
One of the sites I found this morning, stated the origin as China.
Curt Spanburgh, Microsoft Certified Business Solution Specialist, Dynamics CRM MVP, Contributing Editor, Windows IT Pro
He that is walking with wise persons will become wise, but he that is having dealings with the stupid ones will fare badly. Proverbs 13:20
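The clean-up steps in the post above (find the service key, set Start to 4 before trying to stop it, check the image path, then delete the binary) as one script. This is an added example, not code from the original post: it assumes a modern Windows host with PowerShell 5 or later run as Administrator (the Win2k box in the post would get the same steps via regedit and sc.exe), the indicator values are the ones the post gives, and the function names, parameters and the -WhatIf dry run are made up for this illustration.

```powershell
# Added example, not code from the original post. Assumes PowerShell 5+ as
# Administrator. Indicator values come from the post; function and parameter
# names are invented for this example.

$IndicatorKeyName     = 'sqlsa'               # service key name cited in the post
$IndicatorDisplayName = 'SQL Service Agent'   # display title cited in the post
$IndicatorBinary      = 'wrm.exe'             # binary name cited in the post

function Get-ServiceBinaryPath {
    # Turn an ImagePath value such as  C:\WINNT\System32\wrm.exe -start
    # or  "%SystemRoot%\System32\wrm.exe" -start  into a plain file path.
    param([string]$ImagePath)
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($expanded -match '^\s*"([^"]+)"')  { return $Matches[1] }   # quoted path
    if ($expanded -match '^\s*(\S+\.exe)') { return $Matches[1] }   # bare path, args follow
    return $expanded.Trim()
}

function Find-SuspectService {
    # The post cites ControlSet001; CurrentControlSet is the set Windows actually
    # booted from, so look in both (they are normally the same key).
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Services',
             'HKLM:\SYSTEM\ControlSet001\Services'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p) { continue }
            $image   = [string]$p.ImagePath
            $display = [string]$p.DisplayName
            $hit = ($key.PSChildName -eq $IndicatorKeyName) -or
                   ($display -eq $IndicatorDisplayName) -or
                   ($image -match [regex]::Escape($IndicatorBinary))
            if (-not $hit) { continue }
            [pscustomobject]@{
                Key         = $key.PSPath
                Name        = $key.PSChildName
                DisplayName = $display
                ImagePath   = $image
                Binary      = Get-ServiceBinaryPath $image
                Start       = $p.Start
            }
        }
    }
}

function Disable-SuspectService {
    # Order follows the post: Start=4 first (survives a reboot and makes a hung
    # stop request irrelevant), then attempt the stop, then hash and remove the file.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Suspect,
        [switch]$RemoveBinary
    )
    process {
        # The legitimate SQL Server Agent runs from MSSQL\binn\sqlagent.exe; never touch it.
        if ($Suspect.Binary -match 'sqlagent\.exe$') {
            Write-Warning "$($Suspect.Name) looks like the real SQL Server Agent; skipping"
            return
        }
        if ($PSCmdlet.ShouldProcess($Suspect.Key, 'Set Start=4 (disabled)')) {
            Set-ItemProperty -Path $Suspect.Key -Name Start -Value 4 -Type DWord
        }
        if ($PSCmdlet.ShouldProcess($Suspect.Name, 'Stop service')) {
            # The stop may time out exactly as the post warns; do not let that abort the run.
            Stop-Service -Name $Suspect.Name -Force -ErrorAction SilentlyContinue
        }
        if (Test-Path $Suspect.Binary) {
            # Record a hash before deletion so the sample can be looked up or submitted later.
            $hash = (Get-FileHash -Path $Suspect.Binary -Algorithm SHA256).Hash
            Write-Host "$($Suspect.Binary) SHA256 $hash"
            if ($RemoveBinary -and $PSCmdlet.ShouldProcess($Suspect.Binary, 'Delete file')) {
                Remove-Item -Path $Suspect.Binary -Force   # Remove-Item bypasses the Recycle Bin
            }
        } else {
            Write-Warning "binary $($Suspect.Binary) not found on disk"
        }
    }
}

# Dry run first; drop -WhatIf and add -RemoveBinary to act.
Find-SuspectService | Disable-SuspectService -WhatIf
```

Run it once with -WhatIf and read the Key, ImagePath and Binary columns before acting: the display name alone is not proof, and the post's own distinguishing mark is the image path (wrm.exe rather than MSSQL\binn\sqlagent.exe). For the "keep an eye on the login attempts" step, failed logons on a current Windows host are Security event ID 4625, e.g. `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50`.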
A Bible quote after a tech analysis, nice lol. An XP machine with wrm.exe keeps writing to the registry at hkey-software-user\software\Microsoft\search assistant\acmru\5601..02, 03, 04. Don't know what's doing this. I delete acmru and the "tips" container on acmru and it still comes back. No SQL containers on here.