W32.SQLExp.Worm is a worm that targets servers running Microsoft SQL. The worm sends 376 bytes to 1434/udp – the SQL Server Resolution Service port. Beginning at 5:31am GMT, we started to see a significant increase in the number of unique source IPs scanning for 1434/udp. Symantec Security Response strongly recommends that all MS-SQL server system administrators audit their machines for known security vulnerabilities immediately.
Symantec Security Response also recommends configuring perimeter devices to block 1434/udp traffic from untrusted hosts.
Symantec Security Response is currently developing a removal tool for W32.SQLExp.Worm. Because the worm is only resident in memory, and is not written to disk, this threat is not detectable using virus definitions. Customers are advised to follow the measures described above to deal with this threat.
The worm's unintended payload is a Denial of Service, caused by the large number of packets it sends out.
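Because the worm is never written to disk, network telemetry is where it can be spotted. The following added example (not Symantec's code) scans flow records for the 376-byte packets to 1434/udp described above, counts unique probing sources per hour, and lists internal hosts emitting the probe. The record layout, addresses, timestamps and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

WORM_PORT, WORM_LEN = 1434, 376                # values stated in the advisory
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: local address space

# Constructed records: "time src dst proto dport payload_bytes" (assumed layout)
SAMPLE = """\
2000-01-01T04:12:40 198.51.100.7 10.1.1.20 udp 1434 376
2000-01-01T05:20:03 198.51.100.9 10.1.1.20 udp 1434 24
2000-01-01T05:31:02 203.0.113.5 10.1.1.20 udp 1434 376
2000-01-01T05:31:09 203.0.113.8 10.1.1.21 udp 1434 376
2000-01-01T05:31:30 10.1.1.20 192.0.2.14 udp 1434 376
2000-01-01T05:31:30 10.1.1.20 192.0.2.99 udp 1434 376
2000-01-01T05:32:11 203.0.113.5 10.1.1.22 udp 1434 376
2000-01-01T05:33:47 10.1.1.30 192.0.2.53 udp 53 376
truncated line
"""

def parse(text):
    """Yield (time, src, dst) for records matching the worm's packet profile."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue                           # skip malformed records
        ts, src, dst, proto, dport, size = parts
        try:
            hit = proto == "udp" and int(dport) == WORM_PORT and int(size) == WORM_LEN
            rec = (datetime.fromisoformat(ts),
                   ipaddress.ip_address(src), ipaddress.ip_address(dst))
        except ValueError:
            continue                           # unparsable field: ignore record
        if hit:
            yield rec

def sources_per_hour(text):
    """Unique probing source IPs per hour; a sudden rise is the outbreak signal."""
    seen = defaultdict(set)
    for ts, src, _ in parse(text):
        seen[ts.strftime("%Y-%m-%d %H:00")].add(src)
    return {hour: len(srcs) for hour, srcs in sorted(seen.items())}

def internal_senders(text):
    """Internal hosts emitting the probe, with distinct target count: likely infected."""
    targets = defaultdict(set)
    for _, src, dst in parse(text):
        if src in INTERNAL:
            targets[str(src)].add(str(dst))
    return {src: len(dsts) for src, dsts in targets.items()}
```

An internal address appearing in `internal_senders` is a host to isolate and audit, since its outbound packets contribute to the flood described above.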