SQLSnake Computer Virus

The SQLSnake worm, also known as the Spida worm, SQLSpida, and Digispid.B.Worm, uses a brute-force password attack against the sa account, the SQL Server administrator's account. It reaches the server over TCP port 1433, which is commonly used by Microsoft SQL Server to accept queries. The worm is so aggressive that it can totally consume the computer's CPU.

Signs that your SQL Server was targeted:

- Abnormally high CPU utilization (lsass.exe, sqlservr.exe)
- Stopping the MSSQL service produces an immediate drop in CPU utilization.

When successful, the worm logs on with administrator access, giving the attacker the ability to read, write, and modify data, as well as run executable code.
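The brute-force attempts against sa can also be looked for directly in the server's login records. The following is an added example, not part of the original page: it flags any client that reaches a threshold of failed sa logins inside a short time window. It assumes failed-login auditing is enabled and that log lines carry a timestamp and a `[CLIENT: ...]` field; the sample lines, addresses, function name and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines shaped like a SQL Server error log with
# failed-login auditing on (the format is an assumption; adapt the regex).
SAMPLE_LOG = """\
2024-01-15 10:15:01.10 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2024-01-15 10:15:02.31 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2024-01-15 10:15:03.02 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2024-01-15 10:15:04.77 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.7]
2024-01-15 10:15:05.40 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2024-01-15 10:15:06.12 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2024-01-15 10:15:07.93 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2024-01-15 10:21:30.00 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.7]
2024-01-15 10:40:12.50 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_sa_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {client: peak failure count} for every client that reached
    `threshold` failed 'sa' logins within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user").lower() != "sa":
            continue              # other accounts and unrelated lines are ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        client = m.group("client")
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged

if __name__ == "__main__":
    for client, count in find_sa_bruteforce(SAMPLE_LOG).items():
        print(f"{client}: {count} failed sa logins within 60s")
```

A slow trickle of failures, such as the two from 198.51.100.7 in the sample, stays below the threshold, so the window and threshold need tuning against normal traffic for the server.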

Resolution of the problem:

- Use a firewall to block port 1433.
- Change the default SQL port to a different port number.

The SQLSnake code also appears to e-mail a list of passwords captured from the victim server to a free e-mail account hosted in Singapore. Within a few hours of its detection, more than 1,400 systems appear to have been compromised by the worm and are actively probing other servers. Potentially infected hosts are spread geographically, with the majority located in Korea, the United States, Canada, France, Taiwan and China, SecurityFocus reported yesterday.