Content

JS/SQLSpida.b.worm

Type
Virus
SubType
Worm
Discovery Date
05/21/2002
Length
Varies
Minimum DAT
4204 (05/22/2002)
Updated DAT
4204 (05/22/2002)
Minimum Engine
5.1.00
Description Added
05/21/2002
Description Modified
05/22/2002 10:44 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

This worm targets Microsoft SQL servers. It probes the Internet for SQL servers on port 1433 and compromises those servers using the default SQL administrator account "SA". SQL administrators should take appropriate action to ensure that the "SA" account is not vulnerable. For information on securing your SQL server see: SQL Server w/ Blank SA Password Opens Vulnerability to Worm

Once a SQL server has been accessed, the worm activates the NT user guest, sets a password on that account, adds the user to the local administrators group and adds the user to the "Domain Admins" group.

The worm then writes several files to the compromised server and kicks off the propagation routine.

Symptoms

Presence of the following files:

  • %WinDir%\system32\drivers\services.exe
  • %WinDir%\system32\sqlexec.js
  • %WinDir%\system32\clemail.exe
  • %WinDir%\system32\sqlprocess.js
  • %WinDir%\system32\sqlinstall.bat
  • %WinDir%\system32\sqldir.js
  • %WinDir%\system32\run.js
  • %WinDir%\system32\timer.dll
  • %WinDir%\system32\samdump.dll
  • %WinDir%\system32\pwdump2.exe
Additional evidence of an infection may or may not exist. It is important to note that a system which shows signs of an infection has been compromised. Once compromised, an attacker can take control over the SQL server and execute additional shell commands on the server.

Method of Infection

This worm uses several files to accomplish its task.

  • services.exe - A port scanning utility
  • sqlexec.js - Establishes the SQL connection and initiates the xp_cmdshell commands.
  • clemail.exe - A command line SMTP emailer tool
  • sqlprocess.js - Calls SQLDIR.JS, IPCONFIG /ALL, and PWDUMP redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the address: xltd@postone.com
  • sqlinstall.bat - Modifies the NT guest account as described in the Characteristics section of this description; Copies the files mentioned here to the target system, and then deactivates the guest account, deletes the guest account from the local administrators group and deletes the guest account from the "Domain Admins" group, and finally calls SQLPROCESS.JS on the remote system.
  • sqldir.js - Tool to display database and table names
  • run.js - Shell run tool
  • timer.dll - Contains timer function
  • samdump.dll - Used by PWDUMP2.EXE
  • pwdump2.exe - Dumps the SAM database
The worm scans port 1433 on the following IP addresses, and infects systems that are vulnerable:

IP = A.B.C.D where:

  • A = random number [not equal to 10 or 127 or 172 or 192]
  • B = random number 0 - 255
  • C = 1-255
  • D = 1-254

    • Removal

    Use current engine and DAT files for detection and removal.

    -- Manual Removal Instructions --
    Delete all files mentioned in the Symptoms section of this description.

    As this threat makes changes to NT user privileges, ensure that the desired privileges are reset on compromised servers.

    Securing your SQL server (see SQL Server w/ Blank SA Password Opens Vulnerability to Worm )

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Aliases

    • BAT_SQLSPIDA.B (Trend)
    • Digispid.B.Worm (Symantec)
    • JS.Spida.B (Symantec)
    • JS/SQLSpida.bat.b
    • JS/SQLSpida.js.b
    • JS_SQLSPIDA.B (Trend)
    • JScript/SQLSpida.Worm (CA)

    Characteristics

    Characteristics -

    This worm targets Microsoft SQL servers. It probes the Internet for SQL servers on port 1433 and compromises those servers using the default SQL administrator account "SA". SQL administrators should take appropriate action to ensure that the "SA" account is not vulnerable. For information on securing your SQL server see: SQL Server w/ Blank SA Password Opens Vulnerability to Worm

    Once a SQL server has been accessed, the worm activates the NT user guest, sets a password on that account, adds the user to the local administrators group and adds the user to the "Domain Admins" group.

    The worm then writes several files to the compromised server and kicks off the propagation routine.

    Symptoms

    Symptoms -

    Presence of the following files:

    • %WinDir%\system32\drivers\services.exe
    • %WinDir%\system32\sqlexec.js
    • %WinDir%\system32\clemail.exe
    • %WinDir%\system32\sqlprocess.js
    • %WinDir%\system32\sqlinstall.bat
    • %WinDir%\system32\sqldir.js
    • %WinDir%\system32\run.js
    • %WinDir%\system32\timer.dll
    • %WinDir%\system32\samdump.dll
    • %WinDir%\system32\pwdump2.exe
    Additional evidence of an infection may or may not exist. It is important to note that a system which shows signs of an infection has been compromised. Once compromised, an attacker can take control over the SQL server and execute additional shell commands on the server.

    Method of Infection

    Method of Infection -

    This worm uses several files to accomplish its task.

    • services.exe - A port scanning utility
    • sqlexec.js - Establishes the SQL connection and initiates the xp_cmdshell commands.
    • clemail.exe - A command line SMTP emailer tool
    • sqlprocess.js - Calls SQLDIR.JS, IPCONFIG /ALL, and PWDUMP redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the address: xltd@postone.com
    • sqlinstall.bat - Modifies the NT guest account as described in the Characteristics section of this description; Copies the files mentioned here to the target system, and then deactivates the guest account, deletes the guest account from the local administrators group and deletes the guest account from the "Domain Admins" group, and finally calls SQLPROCESS.JS on the remote system.
    • sqldir.js - Tool to display database and table names
    • run.js - Shell run tool
    • timer.dll - Contains timer function
    • samdump.dll - Used by PWDUMP2.EXE
    • pwdump2.exe - Dumps the SAM database
    The worm scans port 1433 on the following IP addresses, and infects systems that are vulnerable:

    IP = A.B.C.D where:

  • A = random number [not equal to 10 or 127 or 172 or 192]
  • B = random number 0 - 255
  • C = 1-255
  • D = 1-254

    • Removal -

    Removal -

    Use current engine and DAT files for detection and removal.

    -- Manual Removal Instructions --
    Delete all files mentioned in the Symptoms section of this description.

    As this threat makes changes to NT user privileges, ensure that the desired privileges are reset on compromised servers.

    Securing your SQL server (see SQL Server w/ Blank SA Password Opens Vulnerability to Worm )

    Variants

    Variants -

      N/A