Home Education E-BooksTravel Troubleshooting Linux Contact Us About Us
Troubleshooting Tips And Steps
Windows & Hardware Tips
Information On Viruses

virus file

VIRUS NAME : JS/SQLSpida.a.worm

VIRUS NAME : JS/SQLSpida.a.worm

Virus Characteristics

This worm targets Microsoft SQL servers. It probes the Internet for SQL servers on port 1433 and compromises those servers using the default SQL administrator account "SA". SQL administrators should take appropriate action to ensure that the "SA" account is not vulnerable.

Once a SQL server has been accessed, the worm modifies the NT user "sqlagentcmdexec" by changing the password on that account, adding that user to the local administrators group and adds the user to the "Domain Admins" group. The worm then writes several files to the compromised server and kicks off the propagation routine.

Presence of the following files:


Additional evidence of an infection may or may not exist. It is important to note that a system which shows signs of an infection has been compromised. Once compromised, an attacker can take control over the SQL server and execute additional shell commands on the server.

Method Of Infection
This worm uses several files to accomplish its task.

services.exe - A port scanning utility
sqlexec.exe - Establishes the SQL connection and initiates the xp_cmdshell commands.
clemail.exe - A command line SMTP emailer tool
sqlprocess.js - Calls SQLDIR.JS, IPCONFIG /ALL, and PWDUMP redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the addresses: "system@digitalspider.org", system@hiddennet.org", "system@infinityspace.net. The worm attempts to delete the files that it created.
sqlinstall.bat - Creates the NT account as described in the Characteristics section of this description; Copies the files mentioned here to the target system, and activates SQLPROCESS.JS on the remote system.
sqldir.js - Tool to display database and table names
run.js - Shell run tool
timer.dll - Contains timer function
samdump.dll - Used by PWDUMP2.EXE
pwdump2.exe - Dumps the SAM database

The worm scans port 1433 on the following IP addresses, and infects systems that are vulnerable:

IP = A.B.C.D where:
A = random number [not equal to 10 or 127 or 172 or 192]
B = random number 0 - 255
C = 1-255
D = 1-254

If you are fed up with any virus and not getting solution of it. mail us on amgroup@skillsheaven.com and please provide all the detail about virus.