A new variant may be worming is way towards SQL server ports, according to a warning from the SANS Institute

A new variant of the Phatbot worm may be on the loose and attempting to attack SQL Server ports, according to a warning that the SANS Institute issued on Monday.

Last month, Phatbot made the rounds, attacking Windows systems by acting as a Trojan horse. Phatbot would then link infected computers into an underground network for sending spam or launching other attacks. SANS is currently in the process of attempting to capture a full packet of data -- or an executable file -- for further analysis of Phatbot.

The worm probes Transmission Control Protocol ports 2745, 1025, 3127, 6129, 5000, 80 and 1433, as well as Microsoft's NetBIOS, according to the SANS report.

"There has also been conjecture that the port 1981 increase is potentially also connected to another variant of Phatbot," SANS noted in its handler's diary.

Phatbot relies on "peer to peer" technology, which makes it more difficult to eliminate, because there is no central command centre for its network.

"The Phatbot has been morphing and changing daily," said Marcus Sachs, director of SANS Internet Storm Centre. "We're conjecturing that this is another version of Phatbot."

Microsoft, meanwhile, said it has not received any new reports of the Phatbot worm, a company representative said.

Copyright © 1995-2009 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.