SQL Server Worm on the Loose

The worm began spreading Monday afternoon and is attacking servers running any version of Microsofts SQL Server database software, according to officials at SecurityFocus, a provider of threat management systems. The company first began seeing infections late Monday afternoon and has seen a total of about 1,400 to 1,600 so far, with new infections coming at the rate of about 100 per hour.

Riptech Inc., a managed security services provider based in Alexandria, Va., said it has seen a 100-fold increase in the number of unique IP addresses scanning for SQL machines in the past 24 hours.

The worm scans the Internet for machines running SQL Server that dont have a password specified. It then either takes a guest account or creates a new account and gives it administrative privileges. The worm then changes the password.

It also collects the IP addresses and whatever interface information about the network it can find, dumps the machines password file from the registry and sends it all in an e-mail to an account that SecurityFocus officials say the worms creator is likely monitoring.

Although the worm shares some characteristics with other notorious malicious programs such as Nimda and Code Red, experts say it is unlikely to spread as quickly or as broadly.

"There are a lot fewer SQL machines out there than there are machines running IIS [which both Nimda and Code Red attacked]," said Elias Levy, chief technology officer at SecurityFocus, based in San Mateo, Calif.

However, Levy pointed out that SQL is installed by several of Microsofts other back-office applications, so there may be a number of administrators who dont realize they have a machine running SQL.