Worm targets SQL server databases

A new worm is targeting Web-connected Microsoft SQL server databases, yet the threat of infection for most shops is minimal.

Feedback on this story? Send your comments to Assistant News Editor Edward Hurley

JS/SQLSpider-B is a JavaScript (JScript) worm that targets SQL Server databases whose system administrator ("sa") account has no password set. When it finds one, the worm changes that password to a random value. It also copies several files to the system, including a command-line mail client. The worm's mission is to retrieve password information, database configuration details and further IP addresses to use for spreading.

Spider-B is made up of the following files:


SQLPROCESS.JS
SQLDIR.JS
SQLINSTALL.BAT
SQLEXEC.JS

The worm copies the following files to the system during infection including a mailing program:


RUN.JS
SERVICES.EXE
CLEMAIL.EXE
TIMER.DLL
PWDUMP2.EXE
SAMDUMP.DLL

All are copied to the Windows System32 folder, except SERVICES.EXE, which is saved to the System32\drivers folder.

Spider-B finds database information, IP configurations and passwords and then saves them in a file, send.txt. CLEMAIL.EXE then sends the file to the virus writer's e-mail address, ixltd@postone.com.

Not a lot of shops will be vulnerable, because Spider-B requires that the database be reachable from the Internet and have no system administrator password set. "More sophisticated companies wouldn't have such a situation," said Chris Wraight, technical consultant with Sophos.

Sophos has had no reports of the worm in the wild, but many inquiries about it.

Unlike Nimda and Code Red, Spider-B only spreads by scanning for IP addresses. In other words, it can't spread by e-mail or file shares. "It won't spread all over your network if you get it," Wraight said.

However, the worm will eat up system resources when scanning for other IP addresses to spread, ISS X-Force said in an alert. The worm can scan with 100 threads, which can bog down the network. Systems immune to the worm won't see any performance degradation even if it tries to spread to them.

For companies that fear they are vulnerable, blocking inbound TCP port 1433 (the SQL Server listener) at the firewall will prevent the worm from entering, Wraight said. Likewise, blocking outbound traffic on the same port would prevent an infected company from spreading it.
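Because Spider-B spreads only by scanning addresses for TCP port 1433, one internal host fanning out to many distinct addresses on that port in a short window is the behaviour worth alerting on, whether or not the firewall rule above is in place. The following detection script is an added example, not code from the article, Sophos or ISS X-Force. It assumes log lines in the Windows Firewall pfirewall.log field layout (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...); the sample lines are constructed, and the threshold of 20 distinct targets within 60 seconds is an assumption to tune for your network.

```python
"""Flag hosts scanning TCP/1433 (SQLSpider-style spread) in firewall log lines.

Added example, not part of the original article. Assumes pfirewall.log field
order: date time action protocol src-ip dst-ip src-port dst-port ...
"""
from collections import defaultdict
from datetime import datetime, timedelta

SQL_PORT = 1433
MIN_DISTINCT_TARGETS = 20        # assumption: tune for your environment
WINDOW = timedelta(seconds=60)   # assumption: sliding window length


def _build_sample():
    """Constructed sample log: 10.0.0.5 hits 25 addresses on 1433 within
    25 seconds (scanner); 10.0.0.9 makes a few ordinary connections."""
    lines = ["#Fields: date time action protocol src-ip dst-ip src-port dst-port"]
    for i in range(25):
        lines.append(
            f"2002-05-22 14:03:{i:02d} DROP TCP 10.0.0.5 192.168.1.{i + 1} "
            f"3{i + 100:03d} 1433 48 S 0 0 0 - - - SEND"
        )
    lines.append("2002-05-22 14:03:10 OPEN TCP 10.0.0.9 10.0.0.50 3201 1433 48 S 0 0 0 - - - SEND")
    lines.append("2002-05-22 14:04:10 OPEN TCP 10.0.0.9 10.0.0.50 3202 1433 48 S 0 0 0 - - - SEND")
    lines.append("2002-05-22 14:05:00 OPEN TCP 10.0.0.9 10.0.0.51 3203 80 48 S 0 0 0 - - - SEND")
    return lines


SAMPLE_LOG = _build_sample()


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for comments
    and lines that do not match the expected TCP record layout."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8 or f[3] != "TCP":
        return None
    try:
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        return ts, f[4], f[5], int(f[7])
    except ValueError:
        return None


def find_scanners(lines, port=SQL_PORT, min_targets=MIN_DISTINCT_TARGETS, window=WINDOW):
    """Return {src_ip: sorted distinct destinations} for every source that
    contacted at least `min_targets` distinct addresses on `port` inside
    some sliding time window of length `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == port:
            events[rec[1]].append((rec[0], rec[2]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # dst -> hits currently inside the window
        best = set()
        start = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the window start forward past events older than `window`.
            while ts - evs[start][0] > window:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) > len(best):
                best = set(in_window)
        if len(best) >= min_targets:
            hits[src] = sorted(best)
    return hits


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} distinct hosts on TCP/{SQL_PORT} within {WINDOW.seconds}s")
```

The sliding window matters: a legitimate application server that talks to a handful of database hosts all day never accumulates many distinct destinations inside 60 seconds, while a worm running 100 scanning threads does so within moments of infection.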

Cleaning up an infected system can be pretty messy, though the worm isn't destructive. Since the worm resets the system administrator password, users will be locked out of the database. They will likely have to reinstall SQL Server in addition to removing the copied files, Wraight said.
