As reported on the Internet Storm Center site (http://isc.incidents.org), a
"bot" is traversing the Internet infecting MySQL servers installed on
Windows systems. Check out the description below:

"A "bot", exploiting vulnerable MySQL installs on Windows systems, has been
spotted. It infected a few thousand systems so far. Like typical for bots,
infected systems will connect to an IRC server. The IRC server will instruct
them to scan various /8 networks for other vulnerable mysql servers."

So if you have MySQL servers, check your firewall logs for the following
activity:

* Outbound activity to IPs: 212.105.105.214, 63.64.164.91, 63.149.6.91;
these are dynamic DNS IPs, so they'll likely change with their domain names
(dummylandingzone.dns2go.com, dummylandingzone.hn.org,
dummylandingzone.dynu.com, zmoker.dns2go.com,
landingzone.dynu.com, landingzone.ath.cx, dummylandingzone.ipupdater.com)

* Outbound connection attempts on ports 5002 and 5003

* Look for FTP servers popping up out of nowhere - the bot creates one - and
scan your network for these

* Scan the network for ports 2301 and 2304 - backdoors set up by the bot;
there may be other ports
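
The checks above can be run over firewall logs with a short script. This is an added example, not part of the original advisory; the iptables-style SRC=/DST=/DPT= log layout, the 10.0.0.0/8 internal range and the approved FTP server list are assumptions to adapt to your environment.

```python
import ipaddress
import re

# Indicators from the advisory; the IPs sit behind dynamic DNS and will go stale.
BOT_IPS = {"212.105.105.214", "63.64.164.91", "63.149.6.91"}
BOT_OUT_PORTS = {5002, 5003}
BACKDOOR_PORTS = {2301, 2304}
# Assumptions for this example: internal address range and approved FTP servers.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
KNOWN_FTP = {"10.0.0.20"}
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

def check_line(line):
    """Return (internal_host, indicator) pairs matched by one firewall log line."""
    f = dict(FIELD.findall(line))
    try:
        src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        dpt = int(f["DPT"])
    except (KeyError, ValueError):
        return []  # missing or malformed field: skip the line
    hits = []
    if src in INTERNAL and dst not in INTERNAL:
        if str(dst) in BOT_IPS:
            hits.append((str(src), "outbound to bot IP"))
        if dpt in BOT_OUT_PORTS:
            hits.append((str(src), "outbound to port 5002/5003"))
    if dst in INTERNAL:
        if dpt in BACKDOOR_PORTS:
            hits.append((str(dst), "traffic to backdoor port"))
        if dpt == 21 and str(dst) not in KNOWN_FTP:
            hits.append((str(dst), "unexpected FTP server"))
    return hits

def scan(lines):
    """Group matched indicators by internal host, one sorted list per host."""
    report = {}
    for line in lines:
        for host, hit in check_line(line):
            report.setdefault(host, set()).add(hit)
    return {host: sorted(hits) for host, hits in report.items()}

# Constructed sample lines (iptables-style key=value layout), not real logs.
SAMPLE = [
    "fw kernel: ACCEPT SRC=10.0.0.5 DST=212.105.105.214 PROTO=TCP SPT=1044 DPT=5002",
    "fw kernel: ACCEPT SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=3310 DPT=2301",
    "fw kernel: ACCEPT SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=3311 DPT=21",
    "fw kernel: ACCEPT SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=3312 DPT=21",
    "fw kernel: ACCEPT SRC=10.0.0.9 DST=198.51.100.8 PROTO=TCP SPT=2000 DPT=80",
]
```

Pass scan() the lines of your own firewall log; a host that matches several indicators at once, like 10.0.0.5 in the sample, is the one to examine first.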