Name: JS/SQLSpider-B
Type: JavaScript worm
Date: 22 May 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description:

JS/SQLSpider-B is a JavaScript worm that infects computers running Microsoft SQL Server with a blank "sa" (system administrator) password, stealing user passwords and network and database information. The worm spreads by scanning a range of IP addresses for this vulnerability and copying itself to shares on which it has administrator privileges. It adds the built-in Guest account to the Domain Administrators and Local Administrators groups; this account can subsequently be used by an intruder to break into the network.

The worm consists of the following files:

SQLPROCESS.JS
SQLDIR.JS
SQLINSTALL.BAT
SQLEXEC.JS

JS/SQLSpider-B also copies the following non-viral files (note that these files are not detected by Sophos Anti-virus and must be removed manually from the infected computer):

RUN.JS
SERVICES.EXE
CLEMAIL.EXE (a legitimate program, used by the worm to email stolen information to the virus writer)
TIMER.DLL
PWDUMP2.EXE
SAMDUMP.DLL

All these files are dropped in the Windows system32 folder, except SERVICES.EXE, which is dropped in the Windows system32\drivers folder. All the files have the 'hidden' attribute set. To remove them, locate, unhide and delete them. For TIMER.DLL the command

%windir%\system32\regsvr32.exe /u TIMER.DLL

must additionally be run before deleting the file.

On Microsoft SQL Server version 7 installations, the worm also sets the registry entry

HKLM\Software\Microsoft\MSSQLServer\Client\ConnectTo\DSQuery = "dbmssocn"

to enable TCP/IP sockets communication between the MSSQL client machine and the MSSQL Server.

The worm writes server database information, IP configuration information and password hashes to a file called send.txt and then uses clemail.exe to send the information to the virus writer's email address.

Read the analysis at http://www.sophos.com/virusinfo/analyses/jssqlspiderb.html
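The following read-only PowerShell check is an added example, not part of the Sophos advisory: it looks for the artefacts the advisory lists (the dropped files and their hidden attribute, the DSQuery registry value, and Guest membership in the local Administrators group). It assumes a modern Windows host with the built-in LocalAccounts module (PowerShell 5.1 or later); the domain-group change is not checked here.

```powershell
# Added example: check a host for the JS/SQLSpider-B artefacts named in the advisory.
# Read-only; it prints findings and changes nothing.
$sys32 = Join-Path $env:windir 'system32'
$dropped = @(
    'SQLPROCESS.JS', 'SQLDIR.JS', 'SQLINSTALL.BAT', 'SQLEXEC.JS',        # worm components
    'RUN.JS', 'CLEMAIL.EXE', 'TIMER.DLL', 'PWDUMP2.EXE', 'SAMDUMP.DLL'   # non-viral files dropped alongside
) | ForEach-Object { Join-Path $sys32 $_ }
$dropped += Join-Path $sys32 'drivers\SERVICES.EXE'   # the one file placed in system32\drivers

$findings = @()
foreach ($path in $dropped) {
    # -Force is required because the worm sets the 'hidden' attribute on every file it drops
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $findings += "File present: $path (hidden=$hidden)"
    }
}

# Registry change the advisory reports on SQL Server 7 installations
$regKey = 'HKLM:\Software\Microsoft\MSSQLServer\Client\ConnectTo'
$dsq = (Get-ItemProperty -Path $regKey -Name DSQuery -ErrorAction SilentlyContinue).DSQuery
if ($dsq -eq 'dbmssocn') { $findings += "Registry: $regKey\DSQuery = dbmssocn" }

# Guest added to the local Administrators group (member names look like COMPUTER\Guest)
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -like '*\Guest' }) {
    $findings += 'Account: Guest is a member of the local Administrators group'
}

if ($findings.Count -eq 0) { 'No JS/SQLSpider-B artefacts found.' } else { $findings }
```

A hit on the registry value alone is not conclusive, since DSQuery can legitimately be set to dbmssocn; treat it as corroborating evidence alongside the file and group findings.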