[ISN] New Worm Targets Microsoft SQL Servers

From: InfoSec News (isnat_private)
Date: Wed Nov 21 2001 - 02:26:58 PST

  • Next message: InfoSec News: "[ISN] ACSAC Registration Extended at Early Registration Prices"

    By Brian McWilliams, Newsbytes
    20 Nov 2001, 3:37 PM CST
    A new Internet worm that targets poorly secured systems running
    Microsoft's SQL Server software is on the loose but unlikely to spread
    widely, security experts reported today.
    The worm, which has not yet been named, appears to target Microsoft
    SQL servers which have no password on the system administrator
    account, according to a preliminary analysis of the code by
    participants on Incidents, a mailing list for tracking computer
    When it finds a vulnerable system, the worm appears to install two
    Trojan horse programs that may be used by the worm's creator to
    control the server.
    The programs are downloaded by the worm to the victim server from an
    apparently compromised system registered to the Philadelphia Museum of
    Art. By this afternoon, the two files had been removed from the
    server, essentially sterilizing the worm, experts said.
    The worm also attempts to make a connection to an Internet relay chat
    server at Case Western Reserve University in Cleveland, to which it
    appears to send the address of the compromised machine as well as what
    may be a password.
    In addition to modifying the victim server's system registry to load
    the Trojan horse programs at boot-up, the worm appears to contain code
    that scans the Internet for other vulnerable servers on port 1433.
    The SQL worm's dependence on one site for obtaining files gives it a
    single point of failure, according to Marc Maiffret, chief hacking
    officer for eEye Digital Security.
    "It looks like it was rather poorly developed and therefore it will be
    rather trivial to stop this worm and track down whomever developed
    it," said Maiffret, who noted that the weak default password
    protection on Microsoft SQL Server 7.0 results in many system
    "I am surprised there has not been a worm that exploits this until
    now," he said.
    Microsoft officials were not immediately available for comment.
    Microsoft SQL Server is a relational database management system.
    According to Microsoft, the product is the most popular Web database,
    with a 68 percent market share.
    The Incidents list discussion of the SQL worm is at
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 15:29:13 PST