Douglas Brown discovered a new worm that targets Microsoft SQL Server
installations where the SQL Administrator password is blank (note that this is
the default configuration for SQL Server v7.0 and earlier). The worm logs in
using the Administrator account, then calls a command shell to FTP and install a
Trojan. The Trojan communicates with the attacker via IRC, where the attacker is
able to utilize the infected systems to launch Distributed Denial of Service
The original SecurityFocus Report: MS-SQL Worm?
SQL Server’s default behavior of blank admin password is a disaster. If you
want your network to be secure, automate a scan for port 1433, used by sql
server, and check for sa admin accounts with blank passwords. By using SQL’s
command shell, a hacker (if you are unlucky) or penetration tester (if you are
lucky) can take over the server. The extent of the exposure depends on what
account sql service is running under. Some sites run the service using a domain
admin account. Wonderful! If you can break the sa password, or if its blank, you
can use the command shell to create a new account and add it to the domain
administrator’s group. A blank sa password can expose the entire enterprise.