Details
Worm.SQL.Spida.b
SQL.Spida.b is a new version of the worm SQL.Spida.a. Unlike the previous variant, SQL.Spida.b became quite widespread, especially in Far Eastern Asian countries.
Compared with the “a” variant, “b” no longer uses the sqlpoke clone; instead it uses a JavaScript version of the exploit to run commands on vulnerable machines.
Also, the “b” variant does not add the extra sqlagentcmdexec account during the attack, but instead enables the default guest login and gives it administrative privileges.
The following comments can be seen in the worm code:
“// sqlprocess v2.5”
“// Greetings to whole Symantec anti-virus department.”
This entry was posted on Saturday, August 23rd, 2008 at 7:50 pm and is filed under Virus Threats.
Details
Worm.SQL.Spida.a
SQL.Spida.a is a computer worm that replicates between systems running Microsoft SQL Server software. The worm works by exploiting a weak password that is the default installation choice for the “sa” (system administrator) SQL account. It begins by scanning the Internet for machines running the MS SQL Service on TCP port 1433 and then tries to initiate a connection with the server, logging into the “sa” account. If this succeeds, the worm adds a new Windows NT user named sqlagentcmdexec on the remote machine, sets a random password for the account and adds it to the Administrators and Domain Admins groups.
Next, the worm maps the administrative share of the remote machine and attempts to copy itself into the system32 subdirectory of the Windows installation folder. SQLSpida takes care to close the vulnerability that allowed it to infect the system by setting a non-empty password for the “sa” account; then it simply launches itself on the remote machine.
The following comments can be seen inside the worm code:
“SQL Access v2.0” “Created 2001-2002 by Digital Spider”
Technical Details
To attack remote servers, SQLSpida uses an exploit tool originally known as sqlpoke, which claims to have been written by someone using the handle Xaphan.
The main entry point for the worm is a JavaScript file that generates random IP address classes and uses the modified sqlpoke tool to search them for vulnerable machines. When a potentially vulnerable system is found, a batch file is run which connects to the remote machine and copies the worm code.
It is also worth noting that the worm attempts to collect login passwords and a list of the databases on the SQL server, then mails them to one of three possible addresses, presumably belonging to the author.
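The two entries above describe the same two observable footprints: on the host, an unexpected `sqlagentcmdexec` account in Administrators or Domain Admins (variant “a”) or an enabled Guest account with administrative membership (variant “b”); on the network, one source opening connections to TCP port 1433 on many different hosts. The script below is an added example written for this page, not code from the original write-up or from the worm: it turns those indicators into two offline checks. The account snapshot, the group membership map, the `src=… dst=… dport=… proto=…` log line format and all sample values are constructed assumptions, as are the function names.

```python
"""
Added example (not from the original page): host and network checks for
the SQL.Spida indicators described in the write-up. All input data below
is constructed for the demonstration.
"""
import re
from collections import defaultdict

# Host indicators taken from the write-up:
#  - Spida.a adds a local user "sqlagentcmdexec" and places it in the
#    Administrators and Domain Admins groups
#  - Spida.b enables the built-in Guest account and makes it administrative
SUSPECT_ACCOUNT = "sqlagentcmdexec"
PRIVILEGED_GROUPS = ("Administrators", "Domain Admins")  # tuple keeps finding order stable


def check_accounts(accounts, group_members):
    """
    accounts:      dict  account name -> {"enabled": bool}   (constructed format)
    group_members: dict  group name   -> set of member names (constructed format)
    Returns a list of human-readable findings; an empty list means nothing matched.
    Name comparison is case-insensitive because Windows account names are.
    """
    enabled = {name.lower(): bool(info.get("enabled")) for name, info in accounts.items()}
    findings = []
    if SUSPECT_ACCOUNT in enabled:
        findings.append(f"local account {SUSPECT_ACCOUNT} exists (Spida.a indicator)")
    for group in PRIVILEGED_GROUPS:
        members = {m.lower() for m in group_members.get(group, set())}
        if SUSPECT_ACCOUNT in members:
            findings.append(f"{SUSPECT_ACCOUNT} is a member of {group} (Spida.a indicator)")
        if "guest" in members and enabled.get("guest"):
            findings.append(f"Guest is enabled and a member of {group} (Spida.b indicator)")
    return findings


# Assumed firewall/flow log layout: "... src=A dst=B dport=N proto=tcp"
LOG_LINE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def detect_1433_scanners(lines, threshold=10):
    """
    Count distinct destination hosts contacted on TCP 1433 per source address
    and return {src: distinct_destinations} for sources at or above `threshold`.
    Lines that do not match the expected layout are skipped rather than
    raising, so a partially garbled log does not abort the whole check.
    """
    targets = defaultdict(set)
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        if m["proto"].lower() == "tcp" and m["dport"] == "1433":
            targets[m["src"]].add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# --- constructed sample data -------------------------------------------------
SAMPLE_ACCOUNTS = {
    "Administrator": {"enabled": True},
    "Guest": {"enabled": True},          # Spida.b leaves Guest enabled
    "sqlagentcmdexec": {"enabled": True},  # Spida.a's added account
}
SAMPLE_GROUPS = {
    "Administrators": {"Administrator", "sqlagentcmdexec", "Guest"},
    "Domain Admins": {"sqlagentcmdexec"},
}
# 10.0.0.5 sweeps twenty hosts on 1433 (worm-like); 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = [
    f"2008-08-23 15:50:{i:02d} src=10.0.0.5 dst=203.0.113.{i} dport=1433 proto=tcp"
    for i in range(1, 21)
] + [
    "2008-08-23 15:51:00 src=10.0.0.9 dst=203.0.113.2 dport=1433 proto=tcp",
    "2008-08-23 15:51:01 src=10.0.0.9 dst=203.0.113.3 dport=80 proto=tcp",
    "2008-08-23 15:51:02 src=10.0.0.5 dst=203.0.113.1 dport=1433 proto=udp",
    "malformed line that the parser should ignore",
]

if __name__ == "__main__":
    for finding in check_accounts(SAMPLE_ACCOUNTS, SAMPLE_GROUPS):
        print("HOST:", finding)
    for src, count in detect_1433_scanners(SAMPLE_LOG).items():
        print(f"NET: {src} contacted {count} distinct hosts on TCP 1433")
```

On a real Windows host the two inputs would come from a local-account and group-membership export rather than the constructed dictionaries, and the network side from whatever flow or firewall log is available; the threshold of ten distinct 1433 destinations is a starting point to tune against the legitimate SQL client population on the network.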
This entry was posted on Saturday, August 23rd, 2008 at 3:50 pm and is filed under Virus Threats.