Reports of active scanning by the worm attacking SQL servers continued late Tuesday and early Wednesday, although the infection rate doesn't seem to be increasing.
The worm, variously called Spida or the SQLsnake, attempts to connect on TCP port 1433 to servers running Microsoft Corp.'s SQL Server database software and then tries to log in as an administrator.
Internet newsgroups and security mailing lists have been buzzing with discussion of the worm, but there hasn't been any evidence that the worm is approaching anything like the infection rate of Code Red or Nimda.
The SANS Institute has posted a detailed analysis of the worm, which is written in JavaScript. The report can be found on the SANS site at http://www.incidents.org/diary/diary.php?id=157.