A new worm is targeting Web-connected Microsoft SQL server databases, yet the threat of infection for most shops...
JS/SQLSpider-B is a Java Script worm that targets SQL databases that have no set system administrator passwords. When found, the worm sets the password to a random name. It also copies some files to the system including a mail client. The worm's mission is to retrieve password information, database configurations and other IP addresses for spreading purposes.
Spider-B is made up of the following files:
The worm copies the following files to the system during infection including a mailing program:
All are copied to the Windows System32 folder except SERVICES.EXE is saved to the Systems32/drivers folder.
Spider-B finds database information, IP configurations and passwords and then saves them in a file, send.txt. CLEMAIL.EXE then sends the file to the virus writer's e-mail address, email@example.com.
Not a lot of shops will be vulnerable because Spider-B requires the database is connected to the Internet and have no set sys admin password. "More sophisticated companies wouldn't have such a situation," said Chris Wraight, technical consultant with Sophos.
Sophos has had no reports of the worm in the wild, but many inquiries about it.
Unlike Nimda and Code Red, Spider-B only spreads by scanning for IP addresses. In other words, it can't spread by e-mail or file shares. "It won't spread all over your network if you get it," Wraight said.
However, the worm will eat up system resources when scanning for other IP addresses to spread, ISS X-Force said in an alert. The worm can scan with 100 threads, which can bog down the network. Systems immune to the worm won't see any performance degradation even if it tries to spread to them.
For companies that fear they are vulnerable, blocking inbound port 1433 at the firewall will prevent the worm from entering, Wraight said. Likewise, blocking outbound traffic on the same port would prevent companies from spreading it.
Cleaning up an infection system can be pretty messy though the worm isn't destructive. Since the worm sets the password, users will be locked out of the system. They will likely have to reinstall SQL Server in addition to removing the copied files, Wraight said.