
Spida

JS/SQLSpida Last Updated 5/23/01 1:30pm

This worm infects SQL servers that have a blank password for the default System Administrator account "SA". The worm looks for vulnerable SQL servers by scanning networks for machines listening on port 1433.

Once the worm compromises a machine, it changes the SA account password. The worm sends an email to xltd@postone.com containing information about the machine that it has compromised. This information may include accounts, passwords and database fields. The worm also uses the infected host to scan for other vulnerable machines to infect.

To prevent infection by the worm, ensure that no instance of SQL Server has a blank SA account password, and make sure your antivirus protection is up to date.

Inbound traffic to Port 1433 is being blocked by CIT except for authorized servers.
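
Because an infected host scans for other machines on port 1433, it appears in connection logs as one source reaching many distinct addresses on TCP 1433 in a short time. The Python sketch below is an added example, not part of the original advisory; the log format, thresholds and addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MSSQL_PORT = 1433  # port the advisory says the worm scans for

# Constructed sample records, not real traffic. Assumed (hypothetical) format:
# "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = "\n".join(
    ["990638000 10.0.5.20 10.0.9.10 1433 tcp",  # app server using two databases
     "990638031 10.0.5.20 10.0.9.11 1433 tcp",
     "990638040 10.0.7.44 10.0.9.10 80 tcp",    # different port, ignored
     "truncated record"]                         # malformed, ignored
    + [f"{990638100 + i} 10.0.7.44 192.0.2.{i + 1} 1433 tcp" for i in range(8)]
)

def parse_line(line):
    """Return (ts, src, dst) for a well-formed TCP/1433 record, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[4].lower() != "tcp":
        return None
    try:
        ts, port = int(parts[0]), int(parts[3])
        src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
    except ValueError:
        return None
    return (ts, str(src), str(dst)) if port == MSSQL_PORT else None

def find_scanners(log_text, window=60, min_targets=5):
    """Map each source that reached >= min_targets distinct hosts on 1433
    within `window` seconds to the largest distinct-host count seen."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, recs in by_src.items():
        recs.sort()
        start = best = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({dst for _, dst in recs[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A client that talks to only a few database servers stays below the threshold, while a host sweeping an address range is flagged for follow-up.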

JS/SQLSpida is detected and removed by Netshield using the current Dat/Superdat 4204 or later.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.


This page last reviewed: September 12, 2008