VIRUS NAME : JS/SQLSpida.a.worm




Virus Characteristics

This worm targets Microsoft SQL servers. It probes the Internet for SQL servers on port 1433 and compromises those servers using the default SQL administrator account "SA". SQL administrators should take appropriate action to ensure that the "SA" account is not vulnerable.

Once a SQL server has been accessed, the worm modifies the NT user "sqlagentcmdexec": it changes the password on that account, adds the account to the local Administrators group, and adds it to the "Domain Admins" group.
The worm then writes several files to the compromised server and kicks off the propagation routine.


Symptoms

Presence of the following files:

  • %WinDir%\system32\drivers\services.exe
  • %WinDir%\system32\sqlexec.exe
  • %WinDir%\system32\clemail.exe
  • %WinDir%\system32\sqlprocess.js
  • %WinDir%\system32\sqlinstall.bat
  • %WinDir%\system32\sqldir.js
  • %WinDir%\system32\run.js
  • %WinDir%\system32\timer.dll
  • %WinDir%\system32\samdump.dll
  • %WinDir%\system32\pwdump2.exe
Additional evidence of an infection may or may not exist. It is important to note that a system which shows signs of an infection has been compromised. Once compromised, an attacker can take control over the SQL server and execute additional shell commands on the server.
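The file list and the account changes above are the host-level indicators an administrator would check first. The following added example (not McAfee's or this site's own tooling) takes a directory listing and local/domain group membership that has already been collected from a suspect host, matches them against those indicators, and reports which ones are present. The listing and group data below are constructed samples, and the `C:\WINNT\system32` path is an assumed value for %WinDir%\system32.

```python
"""Offline indicator check for JS/SQLSpida.a.worm.

Added example based on the Symptoms and Characteristics sections of the
description; it is not part of the original page.  Inputs are a list of
full file paths and a mapping of group name -> member names, both already
collected from the host, so the check runs without touching a live system.
"""

# Files the worm drops, relative to %WinDir%\system32 (from the Symptoms list).
# Note that the worm's services.exe lives under drivers\; the services.exe
# directly in system32 is the legitimate Windows service control manager.
SQLSPIDA_FILES = {
    "drivers\\services.exe",
    "sqlexec.exe",
    "clemail.exe",
    "sqlprocess.js",
    "sqlinstall.bat",
    "sqldir.js",
    "run.js",
    "timer.dll",
    "samdump.dll",
    "pwdump2.exe",
}

# Account the worm hijacks and the groups it adds that account to.
HIJACKED_ACCOUNT = "sqlagentcmdexec"
PRIVILEGED_GROUPS = {"administrators", "domain admins"}


def relative_to_system32(path, system32):
    """Return the path relative to system32 (lower-cased, backslashes),
    or None when the path is outside system32."""
    p = path.replace("/", "\\").lower()
    base = system32.replace("/", "\\").lower().rstrip("\\") + "\\"
    if not p.startswith(base):
        return None
    return p[len(base):]


def check_host(file_paths, group_members, system32="C:\\WINNT\\system32"):
    """Match collected host data against the worm's indicators.

    Returns a dict with the dropped files found, the privileged groups that
    contain the hijacked account, and an overall verdict.
    """
    present = set()
    for path in file_paths:
        rel = relative_to_system32(path, system32)
        if rel in SQLSPIDA_FILES:
            present.add(rel)

    group_hits = sorted(
        group for group, members in group_members.items()
        if group.lower() in PRIVILEGED_GROUPS
        and HIJACKED_ACCOUNT in {m.lower() for m in members}
    )

    # Any single indicator means the host has been accessed via SA/xp_cmdshell
    # and must be treated as compromised, not merely "infected".
    verdict = "compromised" if (present or group_hits) else "no indicators"
    return {"files": sorted(present), "groups": group_hits, "verdict": verdict}


# Constructed sample: a partial system32 listing and group membership from a
# host that shows three of the dropped files plus the group change.
SAMPLE_FILES = [
    r"C:\WINNT\system32\drivers\services.exe",
    r"C:\WINNT\system32\sqlexec.exe",
    r"C:\WINNT\system32\pwdump2.exe",
    r"C:\WINNT\system32\services.exe",   # legitimate SCM binary, not an indicator
    r"C:\WINNT\system32\notepad.exe",
]
SAMPLE_GROUPS = {
    "Administrators": ["Administrator", "sqlagentcmdexec"],
    "Domain Admins": ["Administrator"],
    "Users": ["sqlagentcmdexec"],
}

if __name__ == "__main__":
    print(check_host(SAMPLE_FILES, SAMPLE_GROUPS))
```

On the sample data the check reports `drivers\services.exe`, `pwdump2.exe` and `sqlexec.exe` as present and `Administrators` as the only privileged group containing `sqlagentcmdexec`; the legitimate `system32\services.exe` is deliberately not matched. On a real host the file list would come from a recursive directory listing of %WinDir%\system32 and the group data from `net localgroup` / `net group` output.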


Method Of Infection

This worm uses several files to accomplish its task.

  • services.exe - A port scanning utility
  • sqlexec.exe - Establishes the SQL connection and initiates the xp_cmdshell commands.
  • clemail.exe - A command line SMTP emailer tool
  • sqlprocess.js - Calls SQLDIR.JS, IPCONFIG /ALL, and PWDUMP2.EXE, redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the addresses "system@digitalspider.org", "system@hiddennet.org", and "system@infinityspace.net". The worm then attempts to delete the files that it created.
  • sqlinstall.bat - Creates the NT account as described in the Characteristics section of this description, copies the files mentioned here to the target system, and activates SQLPROCESS.JS on the remote system.
  • sqldir.js - Tool to display database and table names
  • run.js - Shell run tool
  • timer.dll - Contains timer function
  • samdump.dll - Used by PWDUMP2.EXE
  • pwdump2.exe - Dumps the SAM database
The worm scans port 1433 on the following IP addresses, and infects systems that are vulnerable:

IP = A.B.C.D where:
  • A = random number [not equal to 10 or 127 or 172 or 192]
  • B = random number 0 - 255
  • C = 1-255
  • D = 1-254
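Because the generator above never produces a first octet of 10, 127, 172 or 192 and never a third octet of 0 or a fourth octet of 0 or 255, an infected host's outbound port-1433 traffic has a recognisable shape: many connection attempts to addresses spread across unrelated /8 blocks, all of which fit the generator. The added example below (not from the original description) encodes the generator as a predicate and runs it over constructed firewall log lines to flag sources that look like they are sweeping. The `src=... dst=... dport=...` line format is an assumption standing in for whatever a real firewall emits.

```python
"""Flag hosts whose outbound traffic matches the JS/SQLSpida.a.worm sweep.

Added example, not part of the original description.  The log format is a
constructed generic one (src=, dst=, dport= fields); adapt LOG_RE to a real
firewall's export.  The address predicate follows the generator in the text:
A not in {10, 127, 172, 192}, B in 0-255, C in 1-255, D in 1-254.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"dport=(?P<dport>\d+)"
)

SQL_PORT = "1433"
EXCLUDED_FIRST_OCTETS = {10, 127, 172, 192}   # never produced by the generator


def in_scan_space(ip):
    """True when the address could have been produced by the worm's generator."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (
        0 <= a <= 255 and a not in EXCLUDED_FIRST_OCTETS
        and 0 <= b <= 255
        and 1 <= c <= 255
        and 1 <= d <= 254
    )


def find_sweepers(log_lines, min_distinct_first_octets=5):
    """Return {src: distinct /8 count} for sources probing port 1433 across
    at least min_distinct_first_octets unrelated /8 blocks, counting only
    destinations that fit the generator.  A legitimate admin host reaching
    a handful of 10.x SQL servers is therefore never flagged."""
    first_octets = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("dport") != SQL_PORT:
            continue
        dst = m.group("dst")
        if in_scan_space(dst):
            first_octets[m.group("src")].add(int(dst.split(".")[0]))
    return {
        src: len(octets)
        for src, octets in first_octets.items()
        if len(octets) >= min_distinct_first_octets
    }


# Constructed sample log: one host sweeping six unrelated /8s on port 1433,
# one admin host talking to internal 10.x SQL servers, and ordinary web traffic.
SAMPLE_LOG = [
    "2002-05-21 03:14:07 src=203.0.113.5 dst=45.201.7.9 dport=1433 proto=tcp action=drop",
    "2002-05-21 03:14:07 src=203.0.113.5 dst=66.12.3.200 dport=1433 proto=tcp action=drop",
    "2002-05-21 03:14:08 src=203.0.113.5 dst=98.5.44.1 dport=1433 proto=tcp action=drop",
    "2002-05-21 03:14:08 src=203.0.113.5 dst=134.77.8.8 dport=1433 proto=tcp action=drop",
    "2002-05-21 03:14:09 src=203.0.113.5 dst=200.1.1.1 dport=1433 proto=tcp action=drop",
    "2002-05-21 03:14:09 src=203.0.113.5 dst=61.9.9.9 dport=1433 proto=tcp action=drop",
    "2002-05-21 03:14:10 src=198.51.100.7 dst=10.0.0.5 dport=1433 proto=tcp action=allow",
    "2002-05-21 03:14:11 src=198.51.100.7 dst=10.0.0.6 dport=1433 proto=tcp action=allow",
    "2002-05-21 03:14:12 src=198.51.100.9 dst=93.184.216.34 dport=80 proto=tcp action=allow",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for src, count in find_sweepers(SAMPLE_LOG).items():
        print(f"{src}: port-1433 probes to {count} distinct /8 blocks, all in the worm's address space")
```

The threshold of five distinct first octets is an assumed tuning value; what matters is the combination of port 1433, breadth across /8s, and the absence of any target the generator could not produce, which separates the worm's sweep from normal client-to-server SQL traffic.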
McAfee, Inc