Summary

| Detected by | All Sophos products |
|---|---|

Action
Please follow the instructions for removing worms.
You should also remove the following files from your system.
From the Windows system32 folder:
RUN.JS
CLEMAIL.EXE
TIMER.DLL
PWDUMP2.EXE
SAMDUMP.DLL
From the Windows system32\drivers folder:
SERVICES.EXE
All these files have the 'hidden' attribute set, so they will not appear in a normal directory listing. To remove them, locate and unhide them (for example with attrib -h), then delete them.
For TIMER.DLL, the command "%windir%\system32\regsvr32.exe /u TIMER.DLL" must also be run before deleting the file, so that the DLL is unregistered and no longer loaded.
More Information
JS/SQLSpider-B is a JavaScript worm that infects computers running Microsoft SQL Server whose built-in "sa" (system administrator) login has a blank password. It steals user password hashes, network configuration and database information.
The worm spreads by scanning a range of IP addresses for SQL Servers that accept a blank "sa" password, then uses the resulting administrative access to copy itself to shares on the target. It adds the built-in Guest account to the Domain Administrators and Local Administrators groups.
The worm consists of the following files:
SQLPROCESS.JS
SQLDIR.JS
SQLINSTALL.BAT
SQLEXEC.JS
JS/SQLSpider-B also copies the following non-viral files. Note that these files are not detected by Sophos Anti-Virus and must be removed from the infected computer manually:
RUN.JS
SERVICES.EXE
CLEMAIL.EXE (a legitimate command-line mailer, used by the worm to email stolen information to the virus writer)
TIMER.DLL
PWDUMP2.EXE
SAMDUMP.DLL
All these files are dropped in the Windows system32 folder, except SERVICES.EXE, which is dropped in the Windows system32\drivers folder (the legitimate SERVICES.EXE lives in system32 itself, not in drivers). All the files have the 'hidden' attribute set. To remove these files from the computer, locate, unhide and delete them. For TIMER.DLL the command "%windir%\system32\regsvr32.exe /u TIMER.DLL" will additionally have to be run before deleting the file.
On MSSQL Server version 7 installations, the worm also sets the registry entry
HKLM\Software\Microsoft\MSSQLServer\Client\ConnectTo\DSQuery = "dbmssocn"
which makes TCP/IP Sockets (dbmssocn) the default client Net-Library, so that the infected machine's SQL client connects to other SQL Servers over TCP/IP.
The worm writes server database information, IP configuration information and password hashes (dumped from the local SAM with PWDUMP2.EXE and SAMDUMP.DLL) to a file called send.txt, and then uses CLEMAIL.EXE to send that file to the virus writer's email address.
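The following script is an added example for readers of this analysis; it is not part of the Sophos page or of the worm. It performs a read-only check for the indicators described above (the hidden dropped files, the DSQuery registry entry, Guest in the local Administrators group) and then attempts the same blank-password "sa" login the worm relies on, so an administrator can confirm whether a server is exposed. The parameter name $SqlInstance and the assumption that send.txt sits in system32 (the analysis does not state its location) are illustrative assumptions; the script targets Windows PowerShell 5.1, where System.Data.SqlClient and Get-LocalGroupMember are available.

```powershell
# Added example: check a host for JS/SQLSpider-B indicators and for the
# blank "sa" password the worm exploits. Read-only; run from an elevated
# Windows PowerShell 5.1 prompt.
param(
    [string]$SqlInstance = "localhost"   # assumed parameter: SQL Server to test
)

$findings = @()

# 1. Dropped files. They carry the 'hidden' attribute, so Get-Item needs -Force.
$sys32 = Join-Path $env:windir "system32"
$dropped = @(
    (Join-Path $sys32 "RUN.JS"),
    (Join-Path $sys32 "CLEMAIL.EXE"),
    (Join-Path $sys32 "TIMER.DLL"),
    (Join-Path $sys32 "PWDUMP2.EXE"),
    (Join-Path $sys32 "SAMDUMP.DLL"),
    # The legitimate SERVICES.EXE is in system32; a copy under drivers is the worm's.
    (Join-Path $sys32 "drivers\SERVICES.EXE"),
    # Location of send.txt is not given in the analysis; system32 is an assumption.
    (Join-Path $sys32 "send.txt")
)
foreach ($path in $dropped) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "File present: $path (attributes: $($item.Attributes))"
    }
}

# 2. Registry entry the worm sets on SQL Server 7 hosts: default client
#    Net-Library forced to TCP/IP Sockets.
$key = "HKLM:\Software\Microsoft\MSSQLServer\Client\ConnectTo"
$dsquery = (Get-ItemProperty -Path $key -Name DSQuery -ErrorAction SilentlyContinue).DSQuery
if ($dsquery -eq "dbmssocn") {
    $findings += "Registry: $key\DSQuery = dbmssocn"
}

# 3. Guest added to the local Administrators group. (Domain Administrators
#    membership must be checked on the domain, not on this host.)
$admins = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -like "*\Guest" }) {
    $findings += "Local Administrators group contains the Guest account"
}

# 4. Blank sa password: attempt exactly the login the worm scans for.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;User ID=sa;Password=;Connect Timeout=5"
try {
    $conn.Open()
    $findings += "SQL Server '$SqlInstance' accepts login 'sa' with a blank password"
} catch {
    # A login failure is the expected, healthy result; other errors (e.g. no
    # server listening) are also not findings for this check.
} finally {
    $conn.Dispose()
}

if ($findings.Count -eq 0) {
    "No JS/SQLSpider-B indicators found on $env:COMPUTERNAME."
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A blank-password "sa" finding is the root cause: set a strong "sa" password (or disable the login) before cleaning up the dropped files, otherwise the host is simply reinfected by the next scan.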
