As reported on the Internet Storm Center site, a "bot" is traversing the
Internet infecting MySQL servers installed on Windows systems. Check out
the description below:

"A "bot", exploiting vulnerable MySQL installs on Windows systems, has been
spotted. It infected a few thousand systems so far. Like typical for bots,
infected systems will connect to an IRC server. The IRC server will instruct
them to scan various /8 networks for other vulnerable mysql servers."

So if you have MySQL servers, check your firewall logs for the following:

* Outbound activity to IPs:,,;
these are dynamic DNS IPs so they'll likely change with their domain names

* Outbound connection attempts on ports 5002 and 5003

* Look for FTP servers popping up out of nowhere - the bot creates one - scan
the network for these

* Scan the network for ports 2301 and 2304 - backdoors set up by the bot;
there may be other ports
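
The port checks in the list above can be run over exported firewall logs in one pass. The script below is an added example, not part of the original report: the log line format, the `triage` function, the `known_ftp` allowlist and the use of port 21 for FTP are assumptions, and the sample lines are constructed with documentation address ranges.

```python
import ipaddress
import re

OUTBOUND_PORTS = {5002, 5003}   # outbound ports named in the checklist
BACKDOOR_PORTS = {2301, 2304}   # backdoor ports named in the checklist
FTP_PORT = 21                   # assumption: standard FTP control port

# Assumed log format: "<time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^\S+ (?:ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def triage(lines, internal_cidr, known_ftp=()):
    """Return (reason, internal_host) pairs for log lines matching the checklist."""
    net = ipaddress.ip_network(internal_cidr)
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        try:
            src_in = ipaddress.ip_address(src) in net
            dst_in = ipaddress.ip_address(dst) in net
        except ValueError:
            continue  # octet out of range
        if src_in and not dst_in and dport in OUTBOUND_PORTS:
            hits.append(("outbound-5002-5003", src))
        elif dst_in and dport in BACKDOOR_PORTS:
            hits.append(("backdoor-port", dst))
        elif dst_in and dport == FTP_PORT and dst not in known_ftp:
            hits.append(("unexpected-ftp", dst))
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    "10:00:01 DENY TCP 192.0.2.10:1045 -> 198.51.100.7:5002",
    "10:00:02 ALLOW TCP 192.0.2.10:1046 -> 198.51.100.7:443",
    "10:00:03 ALLOW TCP 203.0.113.5:40000 -> 192.0.2.10:2301",
    "10:00:04 ALLOW TCP 192.0.2.22:3000 -> 192.0.2.10:21",
    "10:00:05 ALLOW TCP 192.0.2.22:3001 -> 192.0.2.30:5003",
    "10:00:06 ALLOW TCP 192.0.2.5:3002 -> 192.0.2.31:21",
    "not a firewall line",
]

if __name__ == "__main__":
    for reason, host in triage(SAMPLE, "192.0.2.0/24", known_ftp={"192.0.2.31"}):
        print(f"{reason:20} {host}")
```

Because the report notes there may be other backdoor ports, an empty result only rules out the ports listed here.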