Release Date: 1/25/2003
Severity: High
Systems Affected:
Microsoft SQL Server 2000 pre SP3
Microsoft Desktop Engine (MSDE) 2000
eEye.com
Description:
Late Friday, January 24, 2003, we became aware of a new SQL worm
spreading quickly across various networks around the world.
The worm spreads by using a buffer overflow to exploit a flaw in
Microsoft SQL Server 2000. The SQL Server 2000 flaw was discovered
in July 2002 by Next Generation Security Software Ltd. The buffer
overflow exists because of the way SQL Server improperly handles data
sent to its Microsoft SQL Monitor port. Attackers who exploit this
vulnerability execute their code as SYSTEM, since Microsoft
SQL Server 2000 runs with SYSTEM privileges.
The worm works by generating pseudo-random IP addresses and attempting
to infect them with its payload. The worm payload does not contain any
additional malicious content (in the form of backdoors etc.); however,
because of the nature of the worm and the speed at which it attempts
to re-infect systems, it can potentially create a denial-of-service attack
against infected networks.
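
Detection logic for the scanning behaviour described above, added here as an example and not part of the original advisory: it flags any source that contacts many distinct destinations on the SQL Monitor port within a short window. The port number (UDP 1434), the flow-record layout, the thresholds and the sample records are assumptions or constructed values, not taken from the advisory.

```python
from collections import defaultdict, deque

SQL_MONITOR_PORT = 1434  # assumption: UDP 1434; the advisory names no port number


def find_scanners(flows, window=1.0, min_targets=5, port=SQL_MONITOR_PORT):
    """Return {src: peak distinct destinations seen within `window` seconds}
    for every source whose peak reaches `min_targets`.
    `flows` is a time-ordered iterable of (ts, src, dst, proto, dport)."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)       # src -> largest distinct-destination count
    for ts, src, dst, proto, dport in flows:
        if proto != "udp" or dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # expire records older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= min_targets}


def sample_flows():
    """Constructed flow records (documentation address ranges), not real traffic."""
    flows = []
    # Infected host: 8 distinct, unrelated addresses in under 100 ms.
    targets = ["198.51.100.7", "203.0.113.44", "192.0.2.91", "198.51.100.200",
               "203.0.113.3", "192.0.2.15", "198.51.100.66", "203.0.113.129"]
    for i, dst in enumerate(targets):
        flows.append((10.0 + i * 0.01, "10.0.0.5", dst, "udp", 1434))
    # Legitimate client: repeated lookups against one known SQL server.
    for i in range(3):
        flows.append((10.02 + i * 0.3, "10.0.0.9", "10.0.0.20", "udp", 1434))
    # Slow inventory tool: 5 servers, but 10 s apart, so never 5 in one window.
    for i in range(5):
        flows.append((12.0 + i * 10, "10.0.0.11", f"10.0.1.{i + 1}", "udp", 1434))
    # Fan-out on a different port (DNS) must be ignored.
    for i in range(8):
        flows.append((10.0 + i * 0.01, "10.0.0.7", f"192.0.2.{i + 100}", "udp", 53))
    return sorted(flows)


if __name__ == "__main__":
    for src, n in find_scanners(sample_flows()).items():
        print(f"{src}: {n} distinct destinations on udp/{SQL_MONITOR_PORT} within 1 s")
```

Counting distinct destinations rather than packets keeps a busy client of a single SQL server from being flagged; thresholds need tuning to the monitored network.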