The eEye Digital Security in Software Databases Directory
The SQL worm infects by inserting itself into MSSQL database servers whose SA (System Administrator) account is not protected by a password. The worm executes commands on the vulnerable server using the xp_cmdshell general extended procedure; these commands activate and configure the Windows Guest account so that it can be used to copy files to the vulnerable machine over Windows file sharing. After the files have been copied, they are hidden and the worm enters a cleanup phase, in which it deactivates the Guest account and changes the password for the SA account.
Address: 111 Theory, Suite 250, Irvine, California, 92617-3039, United States
Telephone: (949) 333-1900
Fax: (949) 333-1994