Microsoft SQL Worm Hits Thousands of Servers

By N-Stalker Team on May 22, 2002

A SQL exploit worm named SQLSnake or DoubleTap has been spotted infecting nearly 7,000 servers since early this week. A hybrid of executable code, JavaScript, and batch files, it takes advantage of an old vulnerability in Microsoft SQL Server 7.0 and only works if there is no password on the administrator account.

The worm adds a guest account to the administrator group and changes the SQL admin password, before scanning for other exploitable systems. Although this isn’t the most widespread vulnerability, infected hosts have been generating hundreds of thousands of probe attempts to port 1433.
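The probe traffic described above is what a network defender can look for: one internal host contacting many distinct destinations on TCP 1433. The following is an added example, not code from N-Stalker or from the analyses mentioned here; the log format, the `find_1433_scanners` helper and the threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

MSSQL_PORT = 1433

# Constructed sample firewall log (assumed format, not from a real product):
# timestamp src_ip dst_ip dst_port proto action
SAMPLE_LOG = """\
2002-05-22T10:00:01 10.0.0.5 192.0.2.10 1433 tcp allow
2002-05-22T10:00:01 10.0.0.5 192.0.2.11 1433 tcp deny
2002-05-22T10:00:02 10.0.0.5 192.0.2.12 1433 tcp deny
2002-05-22T10:00:02 10.0.0.5 198.51.100.7 1433 tcp deny
2002-05-22T10:00:03 10.0.0.5 198.51.100.8 1433 tcp deny
2002-05-22T10:00:03 10.0.0.5 203.0.113.20 1433 tcp deny
2002-05-22T10:00:04 10.0.0.9 10.0.0.20 1433 tcp allow
2002-05-22T10:00:05 10.0.0.9 10.0.0.20 1433 tcp allow
2002-05-22T10:00:06 10.0.0.7 192.0.2.10 80 tcp allow
2002-05-22T10:00:06 10.0.0.7 192.0.2.11 80 tcp allow
truncated line
"""


def find_1433_scanners(log_text, min_targets=5):
    """Return {src_ip: distinct destination count} for sources that
    contacted at least min_targets different hosts on TCP 1433."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed or truncated lines
        _ts, src, dst, port, proto, _action = fields
        if proto.lower() == "tcp" and port == str(MSSQL_PORT):
            # Count distinct destinations, so an application server that
            # talks repeatedly to one database host is not flagged.
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in find_1433_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {count} distinct hosts on TCP {MSSQL_PORT}")
```

A host flagged this way is a candidate for the blank administrator password and guest-account checks the article describes.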

Incidents.Org has an analysis of the worm, and Microsoft has issued a security bulletin with more details on ensuring your server is safe.

Be sure to check out the SQLSnake Removal Utility, from our team, which scans your Windows system for SQLSnake.
