22 May 2002 A new worm is attacking servers running Microsoft’s SQL Server 7.0. But companies running the server can protect themselves — by making sure the administrator password is not left blank.
Symantec, Network Associates and other security software companies have noticed a proliferation of the worm, dubbed SQLSnake, DoubleTap, and DigiSpid.B.Worm, since Monday. But the companies say the damage caused by the worm is unlikely to be serious.
When the worm infects a computer, it copies various files onto it, including a program that scans the Internet for other copies of SQL Server, and another that sends the server’s passwords to an email address set up by the worm’s writer.
But it can only attack copies of SQL Server 7.0, not SQL Server 2000, and only those that still have the default, blank administrator password. Microsoft also issued a patch in April that protects servers against the attack used by the worm.
Microsoft security specialist Mark Miller says the worm does not expose a new vulnerability: “It’s a case of not following best practices.” Companies are advised to check systems for inadvertent copies of SQL Server 7.0 and to forbid remote access to the MSSQL daemon.
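The advice to forbid remote access to the MSSQL daemon is easiest to verify at the perimeter. The script below is an added example, not part of the article or any vendor tool: it reads firewall log lines for connections to TCP 1433 (the real default port for SQL Server) and flags two things a worm like the one described would produce, namely allowed connections from outside the range where database clients should live and single sources fanning out across many database hosts. The log line format, the internal client range (10.0.0.0/8) and the log entries themselves are constructed assumptions for the example.

```python
"""Check firewall logs for remote access to SQL Server's default port.

Added example (not from the article). It assumes a simplified log format of
the form "<time> ALLOW|DENY <src>:<sport> -> <dst>:<dport>/tcp" and that
legitimate SQL clients sit inside 10.0.0.0/8. Both are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

MSSQL_PORT = 1433                                       # SQL Server default TCP port
ALLOWED_CLIENTS = ipaddress.ip_network("10.0.0.0/8")   # assumed internal client range
SCAN_THRESHOLD = 3   # distinct 1433 targets from one source before calling it a scan

# Assumed log line shape (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)/tcp$"
)

# Constructed sample log: one internal client, one external host sweeping
# several database servers on 1433, and one unrelated web connection.
SAMPLE_LOG = """\
2002-05-20T09:01:02 ALLOW 10.1.4.22:3350 -> 10.1.9.5:1433/tcp
2002-05-20T09:01:07 ALLOW 198.51.100.77:2201 -> 10.1.9.5:1433/tcp
2002-05-20T09:01:08 ALLOW 198.51.100.77:2202 -> 10.1.9.6:1433/tcp
2002-05-20T09:01:09 DENY 198.51.100.77:2203 -> 10.1.9.7:1433/tcp
2002-05-20T09:01:10 ALLOW 198.51.100.77:2204 -> 10.1.9.8:1433/tcp
2002-05-20T09:02:00 ALLOW 10.1.4.22:3351 -> 10.1.9.5:80/tcp
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text):
    """Return allowed external connections to 1433 and sources that scan it.

    external_allowed: list of (src, dst) pairs where the firewall let a host
        outside ALLOWED_CLIENTS reach a SQL Server port (remote access that the
        article says should be forbidden).
    scanners: {src: distinct_targets} for sources that touched SCAN_THRESHOLD
        or more distinct hosts on 1433, allowed or denied (the worm's scan).
    """
    external_allowed = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != MSSQL_PORT:
            continue
        targets[rec["src"]].add(rec["dst"])
        src = ipaddress.ip_address(rec["src"])
        if rec["action"] == "ALLOW" and src not in ALLOWED_CLIENTS:
            external_allowed.append((rec["src"], rec["dst"]))
    scanners = {s: len(d) for s, d in targets.items() if len(d) >= SCAN_THRESHOLD}
    return {"external_allowed": external_allowed, "scanners": scanners}


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for src, dst in findings["external_allowed"]:
        print(f"remote access to MSSQL allowed: {src} -> {dst}:{MSSQL_PORT}")
    for src, count in findings["scanners"].items():
        print(f"possible 1433 sweep from {src}: {count} distinct targets")
```

Denied attempts still count towards the scan tally: a source probing many hosts on 1433 is worth noticing even when the firewall is already blocking it, while an allowed external connection is the finding that means the "forbid remote access" advice has not been applied.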