WORM: MS-SQL Registry Key Modification (3)
This signature detects attempts to send registry keys to TCP/1433 on Microsoft SQL Servers. This can indicate the presence of SQLsnake, a MSSQL worm. SQLsnake infects Microsoft SQL Servers that have SA (administrative) accounts without passwords. The worm sends a password list and other system information through email to ixltd@postone.com, then begins scanning for vulnerable hosts listening on TCP/1433 (the Microsoft SQL Server port).
Extended Description
SQLsnake is a worm that infects vulnerable Microsoft SQL Servers. It takes advantage of weak SQL server passwords to propagate. The worm e-mails the system user and SQL Server data to ixtld@postone.com.
Short Name
WORM:SQL-SNAKE:MSSQL-REG-3
Severity
Major
Recommended
False
Recommended Action
Drop
Category
WORM
Keywords
(3) Key MS-SQL Modification Registry
Release Date
04/22/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3324
Port
TCP/1433
False Positive
Unknown