Microsoft SQL Server dnsservice.exe Worm
November 30, 2001
Summary:
A worm has been found in the wild which uses Microsoft SQL Server to spread.
This worm performs a SYN scan looking for any IP addresses listening on port
1433 (the default MSSQL port). When the worm finds a database with a blank
password for the sa account, it connects to the database. Once connected, the
worm uses the xp_cmdshell extended stored procedure to FTP a file called
dnsservice.exe to the local host and then executes the file. This file
performs several modifications to the registry and then attempts to
propagate to other databases.
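
The scanning behaviour described above leaves a network signature: one source sending SYNs to TCP port 1433 on many distinct hosts in a short time. The following detection sketch is an added example, not part of the original advisory. The log format, the threshold and window values, and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MSSQL_PORT = 1433  # default MSSQL port named in the advisory
# Assumed (constructed) firewall log format: "<ISO time> SRC= DST= PROTO=TCP DPT= FLAGS="
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
    r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)

def find_mssql_scanners(lines, min_targets=5, window=timedelta(seconds=60)):
    """Map each source to its peak count of distinct TCP/1433 SYN targets
    inside any one window, keeping only sources at or above min_targets."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dpt"]) != MSSQL_PORT or m["flags"] != "SYN":
            continue  # malformed line, other port, or not a bare SYN
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = best = 0
        for end in range(len(hits)):
            # Shrink the window until it spans no more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

# Constructed sample lines (not captured traffic).
FMT = "2001-11-30T{t} SRC={s} DST={d} PROTO=TCP DPT={p} FLAGS=SYN"
SAMPLE_LOG = (
    # Worm-like: six different hosts probed on 1433 within six seconds.
    [FMT.format(t=f"10:00:0{i}", s="10.0.0.5", d=f"192.0.2.{i}", p=1433) for i in range(1, 7)]
    # Application server reconnecting to its one database: not a scan.
    + [FMT.format(t=f"10:00:1{i}", s="10.0.0.9", d="10.0.0.20", p=1433) for i in range(6)]
    # Five databases contacted an hour apart: outside any one window.
    + [FMT.format(t=f"1{i}:00:00", s="10.0.0.7", d=f"10.0.1.{i}", p=1433) for i in range(5)]
    # Same scanner on another port: ignored by this check.
    + [FMT.format(t="10:00:30", s="10.0.0.5", d="192.0.2.9", p=80)]
)

if __name__ == "__main__":
    for src, count in find_mssql_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {count} hosts on TCP/{MSSQL_PORT}")
```

An internal address flagged by this check is a candidate infected host; an external one is a candidate scanner to block at the perimeter.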
A detailed analysis of the worm can be found at:
http://www.incidents.org/diary/diary.php?id=79
Fix:
Change the sa password on all Microsoft SQL Servers to something other than
blank.