SQLSpida is a worm that spreads among machines running Microsoft SQL Server. The worm uses the default SQL Server system administrator account ("sa") with an empty password to infect the system.

Note: Change the password on your "sa" account to a strong one and block access to your SQL Server from the public Internet.
Disinfection & Removal
SQLSpida.A attempts to find machines running SQL Server with an empty "sa" account password by scanning port 1433 across random IP address ranges. It does not scan private Class A networks (10, 127, 172 and 192).

If a vulnerable machine is found, the worm changes both the "sqlagentcmdexec" and "sa" user passwords to the same random four-character password. The "sqlagentcmdexec" user is also added to both the local Administrators and Domain Admins groups.

The worm also collects information about the machine, such as a dump of password hashes from the system, and sends it via email, probably to the virus writer.

It copies the following files to the Windows System32 directory on the host that it infects:
sqlexec.exe
clemail.exe
sqlprocess.js
sqlinstall.bat
sqldir.js
run.js
timer.dll
samdump.dll
pwdump2.exe
and the following file to Windows' System32\drivers directory:
Next, the worm starts scanning random Class C networks. It scans until it has infected ten machines, and then it removes itself from the host.
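As an added example (not F-Secure's code), the following Python triages a host for the artifacts described above: the file names listed for System32 and membership of "sqlagentcmdexec" in an administrators group. The function names and the abbreviated sample `net localgroup` output are constructed for illustration.

```python
import os
import tempfile

# File names the description lists as copied to System32 (taken from the page).
DROPPED_FILES = {
    "sqlexec.exe", "clemail.exe", "sqlprocess.js", "sqlinstall.bat",
    "sqldir.js", "run.js", "timer.dll", "samdump.dll", "pwdump2.exe",
}
WORM_ACCOUNT = "sqlagentcmdexec"  # account the worm adds to admin groups

def find_dropped_files(system32_dir):
    """Return listed file names present in system32_dir (case-insensitive)."""
    present = {name.lower() for name in os.listdir(system32_dir)}
    return sorted(DROPPED_FILES & present)

def group_members(net_output):
    """Parse member names out of `net localgroup <group>` output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True  # member names follow the dashed separator
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members

def account_in_group(net_output, account=WORM_ACCOUNT):
    """True if account (with or without a DOMAIN\\ prefix) is a group member."""
    names = [m.split("\\")[-1].lower() for m in group_members(net_output)]
    return account.lower() in names

def triage(system32_dir, net_output):
    """Combine both checks; any hit means the host needs investigation."""
    files = find_dropped_files(system32_dir)
    in_admins = account_in_group(net_output)
    return {"files": files, "account_in_admins": in_admins, "suspect": bool(files) or in_admins}

# Constructed, abbreviated sample of `net localgroup Administrators` output.
SAMPLE_NET_OUTPUT = """Alias name     Administrators
-------------------------------------------------------------------------------
Administrator
LAB\\SQLAgentCmdExec
The command completed successfully.
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stand-in for a System32 directory
        open(os.path.join(d, "PWDUMP2.EXE"), "w").close()
        print(triage(d, SAMPLE_NET_OUTPUT))
```

A hit is a lead for investigation rather than proof of infection. On a live host, pass the real System32 path and the captured output of `net localgroup Administrators`.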
F-Secure Anti-Virus detects the SQLSpida worm with the updates published on May 22nd, 2002:
Technical Details: Katrin Tocheva, Gergely Erdelyi, Mikko Hypponen and Sami Rautiainen, F-Secure Corp.; May 22nd, 2002