Signature Detail
Short Name |
WORM:SQL-SNAKE:MSSQL-REG-1 |
|---|---|
Severity |
Medium |
Recommended |
No |
Category |
WORM |
Keywords |
SQL Snake |
Release Date |
2003/04/22 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
WORM: MS-SQL Registry Key Modification (1)
This signature detects attempts to send registry keys to TCP/1433 on Microsoft SQL Servers. This can indicate the presence of SQLsnake, a MSSQL worm. SQLsnake infects Microsoft SQL Servers that have SA (administrative) accounts without passwords. The worm sends a password list and other system information through e-mail to ixltd@postone.com, then begins scanning for vulnerable hosts listening on TCP/1433 (the Microsoft SQL Server port).
Extended Description
The SQL snake changes the administrator password and may cause a denial of service to both the SQL server and network that the server is on.
References