Spida Worm Infects SQL Servers

A new worm, Spida, is spreading across the Internet into Microsoft SQL Server systems. Spida infects SQL servers that have a blank systems administrator (sa) account password. The worm's primary action is to obtain a copy of the system's SAM database, which stores sensitive account information such as usernames and password hashes, and email the database to a recipient. The worm is written in JavaScript, batch files, and compiled executables and contains a scanner that searches for other SQL systems to infect. The scanner can create large amounts of network traffic because it can spawn up to 100 threads during its scanning operations.

Antivirus software vendors have updates available to clean the worm from infected systems. Networks with firewalls that guard against intrusion to SQL servers (port 1433) are protected against infection from external systems. Users need to check that their SQL servers don't have blank passwords related to any user account, including the sa account. In addition, Microsoft has an online document that helps users secure their SQL Server installations. Users need to review the document for any relevant configuration settings that might help protect their systems.