virus scan software   contact virus scan software
virus scan software   online software store
virus scan software anti virus software virus scan software mission   new anti virus scan software
User solutions
scan for viruses
virus removal
virus protection
secure browsing
block hackers
data protection
filter email
kill spam
Corporate solutions
virus protection
mailserver
Firewall software
Black ice
Zone alarm pro
Featured product
trend micro pc-cillin
 


VIRUS NAME : JS/SQLSpida.b.worm



Virus Characteristics

This worm targets Microsoft SQL servers. It probes the Internet for SQL servers on port 1433 and compromises those servers using the default SQL administrator account "SA". SQL administrators should take appropriate action to ensure that the "SA" account is not vulnerable.

Once a SQL server has been accessed, the worm activates the NT user guest, sets a password on that account, adds the user to the local administrators group and adds the user to the "Domain Admins" group.
The worm then writes several files to the compromised server and kicks off the propagation routine.


Symptoms

Presence of the following files:

  • %WinDir%\system32\drivers\services.exe
  • %WinDir%\system32\sqlexec.js
  • %WinDir%\system32\clemail.exe
  • %WinDir%\system32\sqlprocess.js
  • %WinDir%\system32\sqlinstall.bat
  • %WinDir%\system32\sqldir.js
  • %WinDir%\system32\run.js
  • %WinDir%\system32\timer.dll
  • %WinDir%\system32\samdump.dll
  • %WinDir%\system32\pwdump2.exe

Additional evidence of an infection may or may not exist. It is important to note that a system which shows signs of an infection has been compromised. Once compromised, an attacker can take control over the SQL server and execute additional shell commands on the server.


Method Of Infection

This worm uses several files to accomplish its task.

  • services.exe - A port scanning utility
  • sqlexec.js - Establishes the SQL connection and initiates the xp_cmdshell commands.
  • clemail.exe - A command line SMTP emailer tool
  • sqlprocess.js - Calls SQLDIR.JS, IPCONFIG /ALL, and PWDUMP redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the address: xltd@postone.com
  • sqlinstall.bat - Modifies the NT guest account as described in the Characteristics section of this description; Copies the files mentioned here to the target system, and then deactivates the guest account, deletes the guest account from the local administrators group and deletes the guest account from the "Domain Admins" group, and finally calls SQLPROCESS.JS on the remote system.
  • sqldir.js - Tool to display database and table names
  • run.js - Shell run tool
  • timer.dll - Contains timer function
  • samdump.dll - Used by PWDUMP2.EXE
  • pwdump2.exe - Dumps the SAM database

The worm scans port 1433 on the following IP addresses, and infects systems that are vulnerable:

IP = A.B.C.D where:

  • A = random number [not equal to 10 or 127 or 172 or 192]
  • B = random number 0 - 255
  • C = 1-255
  • D = 1-254


 

 

 
Latest viruses
MyLife.e@MM
Goround.worm
Gluas.a
Linux/Alfa
QDel234
BackDoor-OG
Best sellers
Kaspersky PRO
Panda Platinum
Tiny firewall
Volume licensing

symantec volume licensing

mcafee volume licensing
Online services
Mcafee clinic
 
   

[ virus-scan-software.com ] - [ products ] - [ security ] - [ services ] - [ support ] - [ what's new ] - [ contact ]

website design by Siteowners