Threat Description

SQLSpida

Details

Aliases: SQLSpida, Worm.SQLSpida, SQLsnake, Digispid
Category: Malware
Type:
Platform: W32

Summary


SQLSpida is a worm that spreads among machines running Microsoft SQL Server. The worm uses the default SQL Server system administrator account ("sa") with an empty password to infect the system.Note: Change the password on your SA account to a strong one and block access to your SQL server from the public internet.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details



Variant:SQLSpida.A

SQLSpida.A attempts to find machines running SQL Server with an empty "sa" account, by scanning port 1433 from random IP address ranges. It does not scan private Class A networks (10, 127, 172 and 192).If a vulnerable machine is found, the worm will change both "sqlagentcmdexec" and "sa" user passwords to same, random four character password. "sqlagentcmdexec" user is also added to both local Administrators and Domain Admins groups.The worm also collects information about the machine, such as a dump of password hashes from the system, and sends them via email, propably to the virus writer.It copies following files to Windows' System32 directory on the host that it infects:

  sqlexec.exe     clemail.exe     sqlprocess.js     sqlinstall.bat     sqldir.js     run.js     timer.dll     samdump.dll     pwdump2.exe  

and the following file to Windows' System32\drivers directory:

  services.exe  

Next the worm starts scanning random Class C networks. The worm will scan until it has infected ten machines and it removes itself from the host.


Variant:SQLSpida.B

SQLSpida.B is similar to .A variant.Instead of using "sqlagentcmdexec" account, this variant enables the "guest" account, sets its password and adds this account to both local Administrators and Domain Admins groups. After the system has been infected, the guest account is disabled and removed from administative groups in order to hide traces of the worm.The file "sqlexec.exe" has been replaced with a JavaScript file "sqlexec.js".This variant also sets the following registry key so, that it will be executed in the system restart:

  HKLM\System\CurrentControlSet\Services\NetDDE\ImagePath  


Detection


F-Secure Anti-Virus detects SQLSpida worm with the updates published on May 22th, 2002:
Database: 2002-05-22_01



Technical Details:Katrin Tocheva, Gergely Erdelyi, Mikko Hypponen and Sami Rautiainen, F-Secure Corp.; May 22nd, 2002


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More