SQLSpida.A attempts to find machines running SQL Server with an empty
"sa" account, by scanning port 1433 from random IP address ranges. It
does not scan private Class A networks (10, 127, 172 and 192).
If a vulnerable machine is found, the worm will change both
"sqlagentcmdexec" and "sa" user passwords to same, random four
character password. "sqlagentcmdexec" user is also added to both local
Administrators and Domain Admins groups.
The worm also collects information about the machine, such as a dump
of password hashes from the system, and sends them via email, propably
to the virus writer.
It copies following files to Windows' System32 directory on the host
that it infects:
and the following file to Windows' System32\drivers directory:
Next the worm starts scanning random Class C networks. The worm will
scan until it has infected ten machines and it removes itself from the
SQLSpida.B is similar to .A variant.
Instead of using "sqlagentcmdexec" account, this variant enables the
"guest" account, sets its password and adds this account to both local
Administrators and Domain Admins groups. After the system has been
infected, the guest account is disabled and removed from administative
groups in order to hide traces of the worm.
This variant also sets the following registry key so, that it will be
executed in the system restart:
F-Secure Anti-Virus detects SQLSpida worm with the updates published
on May 22th, 2002:
[Analysis: Katrin Tocheva, Gergely Erdelyi, Mikko Hypponen and Sami Rautiainen, F-Secure Corp.; May 22nd, 2002]