Symptoms
The virus infects SQL Servers, dropping the following files into the "system32" folder:
sqlexec.js - runs commands on a remote system
sqlprocess.js - the main part of the virus
sqlinstall.bat - installs the virus on a remote system
sqldir.js - connects to a remote SQL database and collects information from it
run.js - runs a command
The following tools are also copied with the virus:
clemail.exe - a command-line tool for sending email
drivers\services.exe - a port scanner (note the location: the genuine services.exe lives in system32 itself, not in system32\drivers)
timer.dll
samdump.dll - a pwdump2 component
pwdump2.exe - a tool that dumps password hashes from an NT system
The worm searches for remote SQL Servers, harvests information from them and sends it to an email address.
Removal instructions:
1. Make sure that you have the latest updates using BitDefender Live!;
2. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files detected as JS.Spida.B.
Analyzed By
Mihaela Stoian BitDefender Virus Researcher
Technical Description:
The file "sqlprocess.js" installs itself as a service so that it is started again after every reboot. Rather than registering a new service, it rewrites the values of the existing NetDDE service:
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\ImagePath"
with the value "cmd.exe /c start netdde && sqlprocess init" and
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\Start"
with the value "2" (automatic start).
The hijacked command first starts the genuine NetDDE service and only then runs "sqlprocess init", so the service still appears to work; a legitimate NetDDE entry points at netdde.exe, never at cmd.exe.
It collects into the file "send.txt" information about the local machine: IP addresses, local password hashes (obtained with the pwdump2.exe tool) and information from the local databases (gathered by sqldir.js).
It sends the information collected from the local system to the email address "ixltd @ postone.com". It then generates random IP addresses and tries to connect to each of them on TCP port 1433 (the SQL Server port).
If a connection succeeds, it calls the batch file "sqlinstall.bat" with the responding IP address as argument. "sqlinstall.bat" installs the virus on the remote SQL Server by copying the following files
sqlexec.js
clemail.exe
sqlprocess.js
sqlinstall.bat
sqldir.js
run.js
drivers\services.exe
timer.dll
samdump.dll
pwdump2.exe
to the remote "system32" folder.
It also modifies the Guest account on the remote system: it disables the account and removes it from the group "Local Admins" and the local group "Administrators".
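The indicators above (dropped files in system32, the hijacked NetDDE service entry, the Guest account state) can be checked on a host with the script below. This is an added example, not BitDefender's code or part of the original write-up; the file names and registry values are taken from the description, the Get-LocalUser / Get-LocalGroupMember cmdlets assume Windows 10 / Server 2016 or later, and the default paths assume a standard %SystemRoot% installation. Run it from an elevated PowerShell.

```powershell
# Added example (not from the BitDefender write-up): IOC check for JS.Spida.B.
# Indicator strings come from the description above; Windows 10 / Server 2016+
# is assumed for the LocalAccounts cmdlets.

function Test-SpidaIndicators {
    [CmdletBinding()]
    param(
        # Folder to scan; defaults to the live %SystemRoot%\System32
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        # Registry key of the service the worm hijacks for persistence
        [string]$NetDdeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetDDE'
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files (names from the description). drivers\services.exe is the
    #    worm's port scanner; the genuine services.exe lives in System32 itself.
    $dropped = 'sqlexec.js', 'sqlprocess.js', 'sqlinstall.bat', 'sqldir.js', 'run.js',
               'clemail.exe', 'drivers\services.exe', 'timer.dll', 'samdump.dll',
               'pwdump2.exe', 'send.txt'
    foreach ($name in $dropped) {
        $path = Join-Path $System32 $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $findings.Add("Dropped file: $path ($($item.Length) bytes, modified $($item.LastWriteTime))")
        }
    }

    # 2. Persistence: ImagePath rewritten to "cmd.exe /c start netdde && sqlprocess init"
    #    and Start = 2 (automatic). A legitimate NetDDE entry points at netdde.exe.
    #    NetDDE only exists up to Server 2003 / XP; on later systems the key is absent
    #    and this block is skipped.
    if (Test-Path -LiteralPath $NetDdeKey) {
        $svc = Get-ItemProperty -LiteralPath $NetDdeKey
        if ($svc.ImagePath -and $svc.ImagePath -notmatch 'netdde\.exe\s*$') {
            $findings.Add("NetDDE ImagePath is not netdde.exe: '$($svc.ImagePath)'")
        }
        if ($svc.ImagePath -match 'sqlprocess') {
            $findings.Add("NetDDE ImagePath launches sqlprocess (JS.Spida.B persistence)")
        }
        if ($svc.Start -eq 2 -and $svc.ImagePath -match 'cmd\.exe') {
            $findings.Add("NetDDE auto-starts through a cmd.exe wrapper")
        }
    }

    # 3. Guest account: the worm disables Guest and strips it from Administrators
    #    after use. Record the current state so a responder can compare it with
    #    the host's known baseline (a Guest that is enabled or in Administrators
    #    on a SQL Server is worth explaining either way).
    try {
        $guest = Get-LocalUser -Name 'Guest' -ErrorAction Stop
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        $guestIsAdmin = [bool]($admins | Where-Object { $_.Name -match '\\Guest$' })
        $findings.Add("Guest account enabled=$($guest.Enabled), member of Administrators=$guestIsAdmin")
    } catch {
        $findings.Add("Could not query local Guest account: $($_.Exception.Message)")
    }

    return $findings
}

# Usage: print every finding; warn if a file or registry indicator matched
# (the Guest line is informational only).
$result = Test-SpidaIndicators
$result | ForEach-Object { Write-Output $_ }
$hits = @($result | Where-Object { $_ -match '^(Dropped file|NetDDE)' })
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) JS.Spida.B indicator(s) found; isolate the host and follow the removal instructions."
}
```

The file check deliberately reports size and modification time rather than just presence: several of the dropped tools (pwdump2.exe, samdump.dll, clemail.exe) are legitimate utilities that an administrator may have placed on the box, so a responder needs the timestamps to tell an administrator's copy from the worm's.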