Spida bites Microsoft SQL servers

22 May 2002 10:02


An Internet-based worm is targeting Microsoft SQL Server systems where the password has been left at its default

A new worm that targets Microsoft SQL Server software has begun squirming through the Internet, according to experts.

Called DoubleTap by vulnerability analysis firm SecurityFocus, the worm has already managed to infect 1,600 servers that run the software, said Elias Levy, chief technology officer for the company. Despite the spread, Levy added that the virus shouldn't pose too much of an overall threat.

"We don't expect it to become widespread," he said.

The self-propagating program has also been named Spida.a.worm by antivirus firms Symantec and Network Associates and has been labelled SQLSnake by the Systems Administration Networking and Security (SANS) Institute. It has been infecting servers since Monday.

Even though SecurityFocus is currently tracking almost 100 infections per hour, the worm can only infect a system if the Microsoft SQL Server system administrator password is left blank -- which is the default setting.

"If you follow standard practices (and change the password), then you should be golden," Levy said. Microsoft could not immediately comment on the worm or why a blank default password could be left on software that was newly installed.

Systems administrators and security experts first detected the worm because of the abnormal number of attempts to connect to port 1433, which is used by servers running Microsoft's SQL Server. Servers that haven't had a recent Microsoft bug fix applied could have their security cracked by the worm.
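One way to turn the signal described above, an abnormal number of connection attempts to port 1433, into a check over firewall logs. This is an added example, not from the article or any vendor; the log line format, the threshold and window, and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): timestamp + key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=SYN$")

def find_1433_scanners(lines, min_targets=5, window=timedelta(seconds=60)):
    """Return {source: most distinct TCP/1433 targets seen inside one window}
    for sources that reached min_targets. Expects each source's lines in time order."""
    recent = defaultdict(deque)      # src -> (time, dst) pairs still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dpt"] != "1433":
            continue                 # skip malformed lines and other ports
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append((ts, m["dst"]))
        while ts - q[0][0] > window:
            q.popleft()              # forget SYNs older than the window
        # Count distinct destinations, not connections: a busy application
        # server talks to one database often, a worm sweeps many hosts once.
        targets = len({dst for _, dst in q})
        if targets >= min_targets:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), targets)
    return flagged

def sample_log():
    """Constructed firewall lines, not real traffic."""
    base = datetime(2002, 5, 21, 10, 0, 0)
    def row(offset, src, dst, port=1433):
        ts = (base + offset).isoformat()
        return f"{ts} SRC={src} DST={dst} PROTO=TCP DPT={port} FLAGS=SYN"
    rows = [row(timedelta(seconds=i), "203.0.113.45", f"192.0.2.{i + 1}")
            for i in range(8)]       # sweeps eight hosts in eight seconds
    rows += [row(timedelta(seconds=2 * i), "198.51.100.20", "192.0.2.50")
             for i in range(30)]     # application server, single database
    rows += [row(timedelta(minutes=10 * i), "198.51.100.77", f"192.0.2.{i + 100}")
             for i in range(6)]      # six hosts, but ten minutes apart
    rows.append(row(timedelta(0), "203.0.113.45", "192.0.2.9", port=80))
    rows.append("garbled line")
    return rows

if __name__ == "__main__":
    for src, count in find_1433_scanners(sample_log()).items():
        print(f"{src} probed {count} hosts on TCP/1433 within 60 seconds")
```

Only the sweeping source is reported; the application server's 30 connections to a single database and the slow source stay below the threshold.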

The DoubleTap worm is written in JavaScript and has two executable components and a batch file. Once it gets onto a system, it adds the guest account to the administrator group, giving the worm control of the system. It also changes the password of the SQL administrator so multiple infections won't occur.

The effects of the worm could be magnified by the fact that Microsoft's SQL Server software is included in many other complete software packages, such as e-commerce suites and Web site development bundles, Levy said.

"There are a lot of products that install (Microsoft) SQL as a component," he said, "and if the administrator does not know it, then that server is open."


Story URL: http://news.zdnet.co.uk/software/0,1000000121,2110635,00.htm