JS/SQLSpider-B

Discussion in 'malware problems & news' started by FanJ, May 22, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: JS/SQLSpider-B
    Type: JavaScript worm
    Date: 22 May 2002

    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description:

    JS/SQLSpider-B is a JavaScript worm that infects computers
    running Microsoft SQL Server with blank "sa" (system
    administrator) passwords, stealing user passwords, network and
    database information.

    The worm spreads by scanning a range of IP addresses for this
    vulnerability and copying itself over to shares with
    administrator privileges. It adds the built-in guest account to
    the Domain Administrators and Local Administrators groups. This
    account can subsequently be used by an intruder to break into
    the network.

    The worm consists of the following files:

    SQLPROCESS.JS
    SQLDIR.JS
    SQLINSTALL.BAT
    SQLEXEC.JS

    JS/SQLSpider-B also copies the following non-viral files: (Note
    that the files named below are not detected by Sophos Anti-virus
    and must be manually removed from the infected computer.)

    RUN.JS
    SERVICES.EXE
    CLEMAIL.EXE (a legitimate program used to email stolen
    information to the virus writer)
    TIMER.DLL
    PWDUMP2.EXE
    SAMDUMP.DLL

    All these files are dropped in the Windows system32 folder,
    except SERVICES.EXE which is dropped in the Windows
    system32\drivers folder. All the files have the 'hidden'
    attribute set. To remove these files from the computer, locate,
    unhide and delete them. For TIMER.DLL the command
    "%windir%\system32\regsvr32.exe /u TIMER.DLL" will additionally
    have to be run before deleting the file.

    On MSSQL Server version 7 installations, the worm also sets the
    registry entry
    HKLM\Software\Microsoft\MSSQLServer\Client\ConnectTo\DSQuery =
    "dbmssocn" to enable TCP/IP sockets communication between the
    MSSQL client machine and the MSSQL Server.

    The worm writes server database information, IP configuration
    information and password hashes to a file called send.txt and
    then uses clemail.exe to send the information to the virus
    writer's email address.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/jssqlspiderb.html
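The advisory above lists the dropped files, the registry change and the Guest group membership that mark an infected host, and describes the clean-up steps (unhide, delete, unregister TIMER.DLL). The script below is an added example written for this thread, not Sophos' or the poster's own tool; it audits a Windows host for exactly those indicators and only acts on them when run with -Remove. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (for Get-LocalGroupMember), an elevated prompt, and that the advisory's file and registry locations still apply. It checks only the local Administrators group; Domain Admins membership has to be checked on a domain controller.

```powershell
# Added example (not from the Sophos advisory or the forum post): audit a host for the
# JS/SQLSpider-B artefacts named in the advisory. Read-only unless -Remove is given.
# Assumes PowerShell 5.1+, the LocalAccounts module and an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$sys32 = Join-Path $env:windir 'system32'

# Worm components plus the non-viral helper files the advisory says are dropped in system32;
# SERVICES.EXE is the one copy placed under system32\drivers (the real services.exe lives in system32).
$artefacts = @(
    'SQLPROCESS.JS', 'SQLDIR.JS', 'SQLINSTALL.BAT', 'SQLEXEC.JS',
    'RUN.JS', 'CLEMAIL.EXE', 'TIMER.DLL', 'PWDUMP2.EXE', 'SAMDUMP.DLL'
) | ForEach-Object { Join-Path $sys32 $_ }
$artefacts += Join-Path $sys32 'drivers\SERVICES.EXE'

$findings = @()

# -Force is required: the advisory says every dropped file has the 'hidden' attribute set.
foreach ($path in $artefacts) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $findings += [pscustomobject]@{ Check = 'File'; Detail = $path; Hidden = $hidden }
    }
}

# Registry value the worm sets on MSSQL 7 installations. Note that dbmssocn is also a
# legitimate setting on hosts that use TCP/IP sockets on purpose, so treat this as a lead, not proof.
$regPath = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo'
$dsquery = (Get-ItemProperty -Path $regPath -Name 'DSQuery' -ErrorAction SilentlyContinue).DSQuery
if ($dsquery -eq 'dbmssocn') {
    $findings += [pscustomobject]@{ Check = 'Registry'; Detail = "$regPath\DSQuery = $dsquery"; Hidden = $null }
}

# The worm adds the built-in Guest account to the local Administrators group.
$guestInAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*\Guest' }
if ($guestInAdmins) {
    $findings += [pscustomobject]@{ Check = 'Group'; Detail = 'Guest is a member of local Administrators'; Hidden = $null }
}

if ($Remove) {
    foreach ($f in ($findings | Where-Object Check -eq 'File')) {
        $p = $f.Detail
        # TIMER.DLL must be unregistered before deletion, as the advisory instructs.
        if ($p -like '*\TIMER.DLL' -and $PSCmdlet.ShouldProcess($p, 'regsvr32 /u')) {
            & (Join-Path $sys32 'regsvr32.exe') /u /s $p
        }
        if ($PSCmdlet.ShouldProcess($p, 'Unhide and delete')) {
            (Get-Item -LiteralPath $p -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $p -Force
        }
    }
    if ($guestInAdmins -and $PSCmdlet.ShouldProcess('Administrators', 'Remove Guest')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $guestInAdmins.Name
    }
}

# Emit the findings as objects so they can be piped to Format-Table or Export-Csv.
$findings
```

Run it without switches first to see what it finds; `-Remove -WhatIf` prints the actions it would take, and `-Remove` performs them. Because the list is fixed to the filenames in the advisory, a renamed copy will not be caught, so the output is a confirmation aid alongside an anti-virus scan rather than a replacement for one.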