Summary

| Detected by | All Sophos products |
|---|---|
Action
Please read the instructions for removing worms.
More Information
W32/SQLSpider-A is an Internet worm that infects MSSQL Servers that have no system administrator password. It steals NT passwords and network information.
The worm spreads by scanning for installations with this vulnerability and copying itself over to shares with administrator privileges. It adds the inbuilt account "SQLAgentCmdExec" to the "Domain Admins" and local Administrators groups. This account can be subsequently used by an intruder to break into the network.
W32/SQLSpider-A consists of the following files: SQLPROCESS.JS, SQLDIR.JS, SQLINSTALL.BAT, SERVICES.EXE and SQLEXEC.EXE. It also copies over the following non-viral files, which are not detected by Sophos Anti-Virus and must be removed manually from the infected computer: RUN.JS, CLEMAIL.EXE (a 30-day evaluation shareware program), TIMER.DLL, PWDUMP2.EXE and SAMDUMP.DLL. All of these files are dropped in the Windows system32 directory, except SERVICES.EXE, which is dropped in the Windows system32\drivers directory. All of the files have their hidden attribute set.
To remove these files from the computer, locate, unhide and delete them. For TIMER.DLL, the command "%windir%\system32\regsvr32.exe /u TIMER.DLL" must additionally be run before deleting the file.
On MSSQL Server version 7 installations, the worm also adds or changes the key
HKLM\Software\Microsoft\MSSQLServer\Client\ConnectTo\DSQuery = "dbmssocn"
This is done to enable TCP/IP sockets communication between the MSSQL client machine and the MSSQL Server.
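The following read-only check gathers the indicators listed above (the dropped files, the SQLAgentCmdExec group membership and the DSQuery registry value) into one report. It is an added example, not Sophos's tool, and assumes Windows PowerShell 5.1 or later run from an elevated prompt; the DSQuery value can also be set legitimately, so it is reported as a hint rather than proof.

```powershell
# Added example (not from the Sophos write-up): report-only check for the
# W32/SQLSpider-A indicators the description lists. Assumes Windows PowerShell
# 5.1+ (for Get-LocalGroupMember) and an elevated prompt. Removal remains the
# manual "locate, unhide, delete" procedure given in the description.
$sys32   = Join-Path $env:windir 'system32'
$drivers = Join-Path $sys32 'drivers'

# Worm components plus the non-viral helper files it drops alongside them.
$dropped = @(
    'SQLPROCESS.JS','SQLDIR.JS','SQLINSTALL.BAT','SQLEXEC.EXE',
    'RUN.JS','CLEMAIL.EXE','TIMER.DLL','PWDUMP2.EXE','SAMDUMP.DLL'
) | ForEach-Object { Join-Path $sys32 $_ }
# Only SERVICES.EXE goes to drivers\ (the legitimate one lives in system32).
$dropped += Join-Path $drivers 'SERVICES.EXE'

$findings = @()

# -Force is required because every dropped file has the hidden attribute set.
foreach ($path in $dropped) {
    $f = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($f) {
        $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $findings += "file present: $path (hidden=$hidden)"
    }
}

# The worm adds the built-in SQLAgentCmdExec account to local Administrators
# (and to Domain Admins; check that group with the AD tools on a domain controller).
try {
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    if ($admins.Name -match 'SQLAgentCmdExec$') {
        $findings += 'SQLAgentCmdExec is a member of local Administrators'
    }
} catch { $findings += "could not enumerate Administrators: $_" }

# MSSQL 7: the worm sets ConnectTo\DSQuery = "dbmssocn" to force TCP/IP sockets.
# This value is also a valid manual configuration, so treat it as a hint only.
$key = 'HKLM:\Software\Microsoft\MSSQLServer\Client\ConnectTo'
$dsq = (Get-ItemProperty -Path $key -Name 'DSQuery' -ErrorAction SilentlyContinue).DSQuery
if ($dsq -eq 'dbmssocn') { $findings += "registry: $key\DSQuery = dbmssocn" }

if ($findings) {
    Write-Warning 'Possible W32/SQLSpider-A indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
    Write-Output 'Unregister TIMER.DLL before deleting it: %windir%\system32\regsvr32.exe /u TIMER.DLL'
} else {
    Write-Output 'No W32/SQLSpider-A indicators found.'
}
```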
