WORM: MS-SQL Registry Key Modification (1)

This signature detects attempts to send registry keys to TCP/1433 on Microsoft SQL Servers. This can indicate the presence of SQLsnake, a MSSQL worm. SQLsnake infects Microsoft SQL Servers that have SA (administrative) accounts without passwords. The worm sends a password list and other system information through e-mail to ixltd@postone.com, then begins scanning for vulnerable hosts listening on TCP/1433 (the Microsoft SQL Server port).

Extended Description

The SQL snake changes the administrator password and may cause a denial of service to both the SQL server and network that the server is on.

Short Name
WORM:SQL-SNAKE:MSSQL-REG-1
Severity
Minor
Recommended
False
Recommended Action
None
Category
WORM
Keywords
(1) Key MS-SQL Modification Registry
Release Date
04/22/2003
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3324
Port
TCP/1433
False Positive
Unknown

Found a potential security threat?