|VIRUS NAME : JS/SQLSpida.b.worm
This worm targets Microsoft SQL servers. It probes the Internet for SQL servers on port 1433 and compromises those servers using the default SQL administrator account "SA". SQL administrators should take appropriate action to ensure that the "SA" account is not vulnerable.
Once a SQL server has been accessed, the worm activates the NT user guest, sets a password on that account, adds the user to the local administrators group and adds the user to the "Domain Admins" group.
The worm then writes several files to the compromised server and kicks off the propagation routine.
Presence of the following files:
Additional evidence of an infection may or may not exist. It is important to note that a system which shows signs of an infection has been compromised. Once compromised, an attacker can take control over the SQL server and execute additional shell commands on the server.
Method Of Infection
This worm uses several files to accomplish its task.
services.exe - A port scanning utility
sqlexec.js - Establishes the SQL connection and initiates the xp_cmdshell commands.
clemail.exe - A command line SMTP emailer tool
sqlprocess.js - Calls SQLDIR.JS, IPCONFIG /ALL, and PWDUMP redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the address: email@example.com
sqlinstall.bat - Modifies the NT guest account as described in the Characteristics section of this description; Copies the files mentioned here to the target system, and then deactivates the guest account, deletes the guest account from the local administrators group and deletes the guest account from the "Domain Admins" group, and finally calls SQLPROCESS.JS on the remote system.
sqldir.js - Tool to display database and table names
run.js - Shell run tool
timer.dll - Contains timer function
samdump.dll - Used by PWDUMP2.EXE
pwdump2.exe - Dumps the SAM database
The worm scans port 1433 on the following IP addresses, and infects systems that are vulnerable:
IP = A.B.C.D where:
A = random number [not equal to 10 or 127 or 172 or 192]
B = random number 0 - 255
C = 1-255
D = 1-254