http://www.newsbytes.com/news/01/172321.html

By Brian McWilliams, Newsbytes
PHILADELPHIA, PENNSYLVANIA, U.S.A.,
20 Nov 2001, 3:37 PM CST

A new Internet worm that targets poorly secured systems running Microsoft's SQL Server software is on the loose but unlikely to spread widely, security experts reported today.

The worm, which has not yet been named, appears to target Microsoft SQL servers which have no password on the system administrator account, according to a preliminary analysis of the code by participants on Incidents, a mailing list for tracking computer intrusions.

When it finds a vulnerable system, the worm appears to install two Trojan horse programs that may be used by the worm's creator to control the server.

The programs are downloaded by the worm to the victim server from an apparently compromised system registered to the Philadelphia Museum of Art. By this afternoon, the two files had been removed from the server, essentially sterilizing the worm, experts said.

The worm also attempts to make a connection to an Internet relay chat server at Case Western Reserve University in Cleveland, to which it appears to send the address of the compromised machine as well as what may be a password.

In addition to modifying the victim server's system registry to load the Trojan horse programs at boot-up, the worm appears to contain code that scans the Internet for other vulnerable servers on port 1433.

The SQL worm's dependence on one site for obtaining files gives it a single point of failure, according to Marc Maiffret, chief hacking officer for eEye Digital Security.

"It looks like it was rather poorly developed and therefore it will be rather trivial to stop this worm and track down whomever developed it," said Maiffret, who noted that the weak default password protection on Microsoft SQL Server 7.0 results in many system compromises.

"I am surprised there has not been a worm that exploits this until now," he said.

Microsoft officials were not immediately available for comment.

Microsoft SQL Server is a relational database management system. According to Microsoft, the product is the most popular Web database, with a 68 percent market share.

The Incidents list discussion of the SQL worm is at http://archives.neohapsis.com/archives/incidents/2001-11/0102.html