Win32.SQL.Slammer.376

Discussion in 'malware problems & news' started by SystemJunkie, Oct 20, 2006.

  1. SystemJunkie (Resident Conspiracy Theorist)

    Just downloaded the latest DrWeb and now see this:

    http://img169.imageshack.us/img169/9958/sqlslammerrv6.png

    Damn, a bodyless virus, how is this possible? I don't use SQL Server. Where are all the SQL Server files located on Win XP Pro?
     
  2. nadirah (Registered Member)

    HUH!? I don't use Dr Web so I'm not familiar with the program itself. Are you using Sygate Personal Firewall? That scan result is a false positive for sure.

    Why is Dr Web detecting Sygate Personal Firewall as a virus? You better contact dr web technical support for assistance and report this as a false positive.

    Also, read this: http://www.liutilities.com/products/wintaskspro/processlibrary/smc/
     
  3. Texcritter (Registered Member)

    Normally located here:
    C:\WINDOWS\Microsoft.NET\Framework\v****

    Various programs also use .sql files; if you do a search for .sql on your computer you will see all the locations.
     
  4. SystemJunkie (Resident Conspiracy Theorist)

    Thanks for the info, but nadirah, this is definitely not a false positive, because Dr.Web disinfected the virus directly in memory. It is a bodyless virus, which means it has no file; it comes as a network packet and resides in memory.
    In that case the virus infected smc.exe, that's what I think and what Dr.Web shows.

    There is only one firewall that was also able to detect intrusions of SQL Slammer, and guess what? No, not ZoneAlarm, not Outpost, nonono........ Black ICE!

    An extraordinary phenomenon, I've never seen it before.
     
  5. SystemJunkie (Resident Conspiracy Theorist)

    Actually it seems that it is a persistent virus, meaning that with every reboot it is back.

    And now guess what? This thing is even there if I reinstall Windows. I noticed a SQL Slammer intrusion last year
    when I tested Black ICE, and that was a totally different Windows. That means it is either BIOS/hardware located or
    there's a file infector in one of my files, but I scanned all files with NOD32 and G DATA and nothing dangerous was shown.

    This time Dr.Web found three instances in memory and automatically disinfected them.

    http://i11.tinypic.com/2lvloo2.png
     
  6. kjempen (Registered Member)

    I wonder what the number after the smc.exe file means ("...smc.exe:992" and "...smc.exe:996")? Is it the process ID? If so, it should be possible to shut it down?

    Did you block port 1434 UDP in your firewall?

    What if you make sure that this port is blocked, then try "shutting down" the process (if what I wrote above is correct, go for the process ID), then try a scan with Dr.Web?

    Also read here for more info.
     
  7. nadirah (Registered Member)

    Yeah well, smc.exe belongs to Sygate Personal Firewall for all I know. And the path shown in your screenshot points to none other than Sygate, it doesn't show any other program.

    What I'd like you to do, since Dr Web is detecting some SQL virus in smc.exe: I kindly request you to submit smc.exe from your computer to an online virus scanner service and post the results back here. smc.exe belongs to Sygate.

    Go to www.sysinternals.com and download Process Explorer, and post a screenshot after you've got it running. You never seem to have said whether you were using Sygate Personal Firewall or not.

    Are you even using a firewall or not? If it's coming via the network then the firewall should block it. A SQL virus infected a firewall's process? Unbelievable.
    It has to be a false positive, because Dr Web is an antivirus and smc.exe belongs to Sygate Personal Firewall.

    Why is Dr Web detecting a firewall as a virus? :blink: I don't trust the results which Dr Web found. It's absolutely ridiculous. This case needs more attention.

    All right, it disinfected the virus in memory. But which file is it saying the virus was located in? smc.exe? I can't believe it. This is why I want to know exactly which firewall you are using. Who says AVs don't make false positives sometimes?
     
    Last edited: Oct 21, 2006
  8. nadirah (Registered Member)

    Windows doesn't assign the same PID all the time. Which is why to get more details, I requested systemjunkie to use Process Explorer and post a screenshot of it so we can see smc.exe on his system.
     

    Last edited: Oct 21, 2006
  9. nadirah (Registered Member)

    It should look something like this:
     

  10. SystemJunkie (Resident Conspiracy Theorist)

    Hello Nadirah!

    It was no false positive. I use Sygate Firewall, and the different PIDs are the result of two different reboots.

    I downloaded the SQL Slammer patch from Microsoft and everything is fine now.

    Dr.Web makes a lot of false positives, but SQL.Slammer really infected smc.exe in memory and without a file; this is called a bodyless virus.

    According to DrWeb there are only two viruses in existence that are bodyless;
    one of them is SQL.Slammer.376, where 376 stands for 376 bytes.

    This virus seems to spread through internet packets and then directly infect your memory. First seen in January 2003. The only thing you can do is to download the Microsoft patch; that's what I did and everything is fine now.

    DrWeb shows no more infections.
     
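    As an added example (not from the thread or from any product mentioned in it), a small Python detector for the traffic kjempen and SystemJunkie describe: UDP datagrams to port 1434 carrying exactly 376 bytes of payload. The frames, addresses and payload bytes below are constructed placeholders, not real captures.

```python
import struct
from dataclasses import dataclass

# Values taken from the thread: the worm arrives as a UDP packet to the SQL Server
# Resolution Service port (1434) and its body is 376 bytes (the ".376" in the name).
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376

@dataclass
class UdpDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

def parse_ipv4_udp(packet: bytes):
    """Decode an IPv4+UDP frame; return None for non-IPv4, non-UDP or truncated input."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or ihl < 20 or len(packet) < ihl + 8:
        return None
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]  # udp_len includes the 8-byte UDP header
    return UdpDatagram(".".join(str(b) for b in src), ".".join(str(b) for b in dst),
                       sport, dport, payload)

def is_slammer_like(dg) -> bool:
    """Flag a datagram to UDP/1434 whose payload is exactly the Slammer body size."""
    return dg is not None and dg.dport == SLAMMER_PORT and len(dg.payload) == SLAMMER_PAYLOAD_LEN

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a test frame (checksums left zero, which is fine for offline parsing)."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload

# Constructed sample traffic with placeholder addresses:
SAMPLES = [
    build_ipv4_udp("10.0.0.5", "192.168.1.20", 40000, 1434, b"A" * 376),  # 376-byte body to 1434
    build_ipv4_udp("192.168.1.7", "192.168.1.20", 50000, 1434, b"Q"),     # short query to 1434
    build_ipv4_udp("192.168.1.7", "192.168.1.20", 50001, 53, b"A" * 376), # right size, wrong port
    b"\x45" + b"\x00" * 8 + b"\x06" + b"\x00" * 10,                        # IPv4/TCP header, ignored
]

def flag_slammer(packets):
    """Return (src, dst) for every frame matching the port-and-size signature."""
    return [(dg.src, dg.dst) for dg in map(parse_ipv4_udp, packets) if is_slammer_like(dg)]

if __name__ == "__main__":
    print(flag_slammer(SAMPLES))  # [('10.0.0.5', '192.168.1.20')]
```

    A port-plus-length match of this kind is how a host firewall or IDS of the period could flag the worm before an antivirus ever saw it in memory; blocking inbound UDP/1434 altogether, as suggested above, removes the need to inspect the payload at all.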
  11. nadirah (Registered Member)

    Ok. Good.:thumb:
     
  12. SystemJunkie (Resident Conspiracy Theorist)

    Here is a procexp screen for you; in this context you could tell me your opinion on the version numbers of comres.dll and clbcatq.dll, whether they are legitimate. There is no description to see, is that usual or not?

    http://i14.tinypic.com/2cy2u7t.jpg
     
  13. diginsight (Security Expert)

    Microsoft has made it a habit to launch different SQL server versions. Many MS products use SQL server like engines. For example Active Directory, Windows Update, Exchange, etc.

    The product known as SQL server is the full engine with management software. The free version is known as MSDE and is shipped with many products that don't require the full licensed SQL server. You might be using products using MSDE, without knowing it. All MSDE versions are vulnerable to the same exploits as SQL server.

    With Windows Update Server (WSUS) Microsoft launched another SQL Server version known as (W)MSDE. MSDE has a 2 GB storage limit, and to accommodate WSUS, WMSDE has a 4 GB storage limit.

    With the full SQL server product you can manage MSDE. Without the SQL server management software you have to use the osql or third party character based tools.

    With SQL 2005 MSDE has been renamed to SQL Server Express and now has a 4 GB data limit effectively replacing the temporary WMSDE version.

    All SQL database files have a .mdf file extension and log files have .log file extension.

    MS products using a SQL Server-like engine usually have .edb file extensions for database files.

    Credits to Mark Minasi for explaining the differences between SQL, MSDE and Express in one of his monthly newsletters.
     
  14. SystemJunkie (Resident Conspiracy Theorist)

    Thanks for the info diginsight. The thing with SUS I mentioned some time ago, and in this context I still want to know if this registry entry is WSUS related?

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\HAL\CStateHacks

    Interesting that these edb files are MS Sql. I found only 3 on my system:

    C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
    C:\WINDOWS\system32\CatRoot2\tmp.edb
    C:\WINDOWS\pchealth\helpctr\Database\HCdata.edb
     
  15. nadirah (Registered Member)

    Yes, they are legitimate. Confirmed it on my system here.
    They are located at X:\WINDOWS\System32
    If they are found in any other place then they are not legitimate. ;)
     
  16. diginsight (Security Expert)

    I'm not using (W)SUS and I also have this regkey on XP. It contains some values about the chipset.

    They are not ms sql, but use a similar engine. MS uses the .edb format for many purposes.
     