VIRUS NAME : JS/SQLSpida.b.worm

Virus Characteristics

This worm targets Microsoft SQL Server. It probes the Internet for SQL servers listening on TCP port 1433 and compromises those that still accept logins to the built-in SQL administrator account "sa" with a blank password. SQL administrators should set a strong password on the "sa" account (or disable it), and should not expose port 1433 to the Internet.

Once it has logged in to a SQL server, the worm uses the xp_cmdshell extended stored procedure to run operating-system commands: it enables the built-in Windows Guest account, sets a password on it, and adds it to the local Administrators group and to the "Domain Admins" group. It then copies several files to the compromised server and starts the propagation routine.

Symptoms
Presence of the following files:

%WinDir%\system32\drivers\services.exe
%WinDir%\system32\sqlexec.js
%WinDir%\system32\clemail.exe
%WinDir%\system32\sqlprocess.js
%WinDir%\system32\sqlinstall.bat
%WinDir%\system32\sqldir.js
%WinDir%\system32\run.js
%WinDir%\system32\timer.dll
%WinDir%\system32\samdump.dll
%WinDir%\system32\pwdump2.exe
Further evidence of infection may or may not exist. Any system showing these symptoms has been compromised: the attacker held administrative access to the SQL server and could run arbitrary shell commands on it, so the host should be treated as fully compromised, not merely cleaned of the files above.
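The following is an added example, not code from the original description or from any vendor tool. It checks a directory listing for the ten files listed under Symptoms. One detail matters here: the legitimate Windows Service Control Manager is %WinDir%\system32\services.exe, and only a copy in the drivers subdirectory is an indicator, so that entry is matched by its full relative path rather than by file name. The sample listing and the drive/directory names in it are constructed for the example.

```python
"""Check a %WinDir%\\system32 listing for the files JS/SQLSpida.b.worm drops.

Added example, not part of the original page. find_iocs() works on any list
of paths (a constructed sample is used below, so it runs offline);
find_iocs_on_host() checks the live host and only makes sense on Windows.
"""
import os
from pathlib import Path, PureWindowsPath

# Files from the Symptoms list, relative to %WinDir%\system32.
IOC_FILES = (
    r"drivers\services.exe",   # worm's port scanner; NOT system32\services.exe
    "sqlexec.js",
    "clemail.exe",
    "sqlprocess.js",
    "sqlinstall.bat",
    "sqldir.js",
    "run.js",
    "timer.dll",
    "samdump.dll",
    "pwdump2.exe",
)


def find_iocs(windir, paths):
    """Return the IOC entries (relative to system32) found in `paths`, sorted.

    Matching is on the full path and case-insensitive, as NTFS is, so the
    legitimate Service Control Manager binary in system32 is never reported.
    """
    system32 = PureWindowsPath(windir, "system32")
    wanted = {str(system32 / f).lower(): f for f in IOC_FILES}
    seen = (str(PureWindowsPath(p)).lower() for p in paths)
    return sorted(wanted[p] for p in seen if p in wanted)


def find_iocs_on_host(windir=None):
    """Check the running host. Uses the WinDir environment variable if not given."""
    windir = windir or os.environ.get("WinDir", r"C:\Windows")
    return [f for f in IOC_FILES if Path(windir, "system32", f).exists()]


# Constructed sample listing (hypothetical host with WinDir = C:\WINNT):
# the genuine services.exe plus three worm files, mixed case on one of them.
SAMPLE_LISTING = [
    r"C:\WINNT\system32\services.exe",          # legitimate, must not match
    r"C:\WINNT\system32\drivers\services.exe",  # worm's scanner
    r"C:\WINNT\system32\SQLEXEC.JS",
    r"C:\WINNT\system32\sqlprocess.js",
    r"C:\WINNT\system32\kernel32.dll",
]

if __name__ == "__main__":
    for hit in find_iocs(r"C:\WINNT", SAMPLE_LISTING):
        print("IOC present:", hit)
```

Presence of any one of these files is grounds to treat the host as compromised, per the note above; the check is a triage aid, not a cleanup tool.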

Method Of Infection
The worm uses the following files to accomplish its task:

services.exe - A port-scanning utility (note the location: %WinDir%\system32\drivers, not the legitimate %WinDir%\system32\services.exe)
sqlexec.js - Establishes the SQL connection and issues commands through xp_cmdshell.
clemail.exe - A command-line SMTP mailer
sqlprocess.js - Runs SQLDIR.JS, IPCONFIG /ALL and PWDUMP, redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed in the body of an email message and sent to the address xltd@postone.com.
sqlinstall.bat - Modifies the Windows Guest account as described in the Characteristics section and copies the files listed here to the target system. It then deactivates the Guest account, removes it from the local Administrators group and from the "Domain Admins" group, and finally calls SQLPROCESS.JS on the remote system.
sqldir.js - Lists database and table names
run.js - Shell run tool
timer.dll - Contains the timer function
samdump.dll - Used by PWDUMP2.EXE
pwdump2.exe - Dumps the password hashes from the SAM database

The worm scans TCP port 1433 on addresses of the following form and infects any that are vulnerable:

IP = A.B.C.D where:

A = random number, excluding 10, 127, 172 and 192
B = random number 0 - 255
C = random number 1 - 255
D = random number 1 - 254
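As an added example (not part of the original description and not the worm's own code), the target rule above written out as a predicate and a generator. The description does not state the range A is drawn from before the four values are excluded; 0-255 is assumed here. One consequence of the rule worth noticing: excluding a first octet excludes the entire /8, so an infected host never probes any address beginning 10, 127, 172 or 192, not just the RFC 1918 portions of those ranges.

```python
"""Model of the address space JS/SQLSpida.b.worm probes on TCP 1433.

Added example, not part of the original page. Implements the A.B.C.D rule
from the description so a defender can ask whether a given address would
ever be targeted, and draw sample targets for testing detection.
"""
import random
from ipaddress import IPv4Address

# First octets the worm never targets (whole /8s, per the rule as stated).
EXCLUDED_FIRST_OCTETS = frozenset({10, 127, 172, 192})


def in_scan_space(ip):
    """True if `ip` can be produced by the worm's target generator.

    Raises ValueError for anything that is not a valid IPv4 address.
    """
    a, b, c, d = IPv4Address(ip).packed  # four octets as ints
    return (
        a not in EXCLUDED_FIRST_OCTETS
        and 0 <= b <= 255
        and 1 <= c <= 255      # C = 0 is never generated
        and 1 <= d <= 254      # D = 0 and D = 255 are never generated
    )


def random_target(rng=random):
    """Draw one target. Assumes A is drawn from 0-255 before exclusion."""
    while True:
        a = rng.randint(0, 255)
        if a not in EXCLUDED_FIRST_OCTETS:
            break
    return f"{a}.{rng.randint(0, 255)}.{rng.randint(1, 255)}.{rng.randint(1, 254)}"


def sample_targets(n, seed):
    """Return `n` reproducible targets for a given seed."""
    rng = random.Random(seed)
    return [random_target(rng) for _ in range(n)]


if __name__ == "__main__":
    for ip in ("8.8.8.8", "10.0.0.1", "172.217.0.1", "192.0.2.1", "1.2.0.5"):
        print(ip, "targeted" if in_scan_space(ip) else "never targeted")
    print(sample_targets(5, seed=1))
```

Because C and D never take the values 0 or 255 (and D never 255), a probe to, say, x.y.z.255 on port 1433 did not come from this worm's scanner; that is a small but useful discriminator when sorting 1433 scan traffic in firewall logs.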

If you are struggling with a virus and cannot find a solution, mail us at amgroup@skillsheaven.com and include all the details you have about the virus.