A worm affecting systems running Microsoft SQL Server was reported on May 20, 2002 scanning port 1433, looking for empty SQL administrator passwords and compromising those found. Once compromised, the worm collects information about the system, including password hashes, and sends them via email, presumably to the virus author. A second worm does the same, but uses the guest account to its advantage by first enabling it and then adding it to the administrator group. After infection, the worm then removes the guest account in order to avoid detection. Dubbed SQLSpida, Digispid, or SqlSnake, these worms are similar to a worm Microsoft has dubbed "Voyager Alpha Force". That worm was initially discovered in January 2002.
Roger Thompson, Director of Malicious Code Research for TruSecure Corporation, first reported the presence of SQLSpida on May 19, 2002 when he noticed odd probes of port 1433 via his WormCatcher program. WormCatcher is designed to monitor activity on various ports, checksumming whatever it catches and reporting the results via email while blocking the probe from proceeding further. Roger began development of WormCatcher during the CodeRed and Nimda siege, and the program continues to prove its effectiveness as an early-warning forensic device.
SQLSpida scans a range of random IP addresses, bypassing private Class A networks beginning with 10, 127, 172, and 192. After ten systems have been located and infected, the worm removes itself from the initial host, and the ten newly infected hosts continue the process. Only SQL Servers with default administrator/guest accounts will be affected. Administrators can sidestep this worm by moving SQL Server off the default port (1433) to a higher, unused port. Additionally, the default accounts should be disabled, with replacement accounts created and protected by strong passwords.
According to antivirus vendor F-Secure, SQLSpida copies the following files to the Windows System32 directory on the host it infects:

Windows\System32 folder:
    sqlexec.exe / sqlexec.js (variant A / B respectively)
    clemail.exe
    sqlprocess.js
    sqlinstall.bat
    sqldir.js
    run.js
    timer.dll
    samdump.dll
    pwdump2.exe

Windows\System32\drivers folder:
    services.exe

SQLSpida.B also modifies the registry to launch on system restarts:
    HKLM\System\CurrentControlSet\Services\NetDDE\ImagePath
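Two defender-side checks built from the behaviour described above, as an added example that is not part of the original article: flagging hosts that sweep TCP/1433 across many destinations (the probe pattern WormCatcher picked up) in firewall log lines, and matching a System32 directory listing against the F-Secure file names. The log format, IP addresses and listing are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not from the original article. Two defender-side checks:
# (1) flag hosts sweeping TCP/1433 across many destinations, the probe
#     pattern WormCatcher observed for SQLSpida, from firewall log lines;
# (2) match a System32 directory listing against the dropped-file names
#     F-Secure reported. Log format is a constructed iptables-style line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")
SQL_PORT = 1433
DROPPED_FILES = {  # names from the article's F-Secure list, lower-cased
    "sqlexec.exe", "sqlexec.js", "clemail.exe", "sqlprocess.js", "sqlinstall.bat",
    "sqldir.js", "run.js", "timer.dll", "samdump.dll", "pwdump2.exe",
}

def parse_line(line):
    """Return (src, dst, dport) for a firewall log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return (m.group("src"), m.group("dst"), int(m.group("dpt"))) if m else None

def find_sql_sweepers(lines, threshold=5):
    """Map each source that hit TCP/1433 on >= threshold distinct hosts to its targets."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == SQL_PORT:
            targets[parsed[0]].add(parsed[1])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

def dropped_file_hits(listing):
    """Return the SQLSpida drop names present in a System32 directory listing."""
    return sorted(DROPPED_FILES & {name.lower() for name in listing})

# Constructed sample log: one host sweeping 1433 across six hosts, one normal
# SQL client talking to a single server, and one unrelated SSH probe.
SAMPLE_LOG = [
    f"May 20 03:14:0{i} fw kernel: IN=eth0 SRC=198.51.100.23 DST=203.0.113.{i} "
    f"PROTO=TCP SPT=32{i}7 DPT=1433 SYN" for i in range(1, 7)
] + [
    "May 20 03:15:00 fw kernel: IN=eth0 SRC=203.0.113.50 DST=203.0.113.1 PROTO=TCP SPT=4000 DPT=1433 SYN",
    "May 20 03:15:01 fw kernel: IN=eth0 SRC=198.51.100.77 DST=203.0.113.1 PROTO=TCP SPT=5000 DPT=22 SYN",
]
# Constructed directory listing with two of the dropped files present.
SAMPLE_LISTING = ["kernel32.dll", "SQLEXEC.EXE", "clemail.exe", "notepad.exe"]

if __name__ == "__main__":
    for src, dsts in find_sql_sweepers(SAMPLE_LOG).items():
        print(f"{src} swept TCP/1433 on {len(dsts)} hosts: {', '.join(dsts)}")
    print("dropped-file hits:", dropped_file_hits(SAMPLE_LISTING))
```

A single legitimate client connecting to one server never reaches the threshold, so the sweep check keys on breadth of targets rather than on port 1433 traffic alone.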
The worm does not exploit a vulnerability in SQL Server; it relies on improper security configuration by the administrator. Microsoft provides details on the effect of null passwords and recommended steps to tighten the security.
SQL Server is a relational database and data analysis package that can provide access to data via the web. Comprehensive information on SQL Server and other databases can be found at http://databases.about.com.