JS_SQLSPIDA.B
Technical Details

Size of malware: 4,249 Bytes

Initial samples received on: May 20, 2002

Related to: BAT_SQLSPIDA.B, TROJ_SQLSPIDA.B


Payload 1: Changes passwords

Trigger condition 1: Upon execution



Details:
The Component Files
This worm is made up of the following malware and normal files, which it drops into the target machine's Windows system directory:

  • %SysDir%\DRIVERS\SERVICES.EXE
  • %SysDir%\SQLEXEC.JS
  • %SysDir%\CLEMAIL.EXE
  • %SysDir%\SQLPROCESS.JS
  • %SysDir%\SQLINSTALL.BAT
  • %SysDir%\SQLDIR.JS
  • %SysDir%\RUN.JS
  • %SysDir%\TIMER.DLL
  • %SysDir%\SAMDUMP.DLL
  • %SysDir%\PWDUMP2.EXE

SQLPROCESS.JS is the JavaScript worm itself. It registers the component TIMER.DLL with the tool REGSVR32.EXE so that the script gains a sleep (delay) function, which it needs in order to pause between scanning rounds.

The worm then copies the file REGEDT32.EXE, version 5.0.2147.1 of the Registry Editor, into the root directory of the current drive. It uses the presence of this copy as an infection marker, so that it does not reinfect the current server or servers that are already infected.

Stealing Vital Information
First it deletes the file %SysDir%\MSVER241.SRQ. It then writes the network details of the infected machine to the file SEND.TXT using the "ipconfig /all" command, and appends the output of the tool PWDUMP2.EXE to the same file. PWDUMP2.EXE, together with SAMDUMP.DLL, dumps the user accounts present in the NT SAM database along with their NT (MD4-based) and LanMan (LM) password hashes. These hashes can be fed to offline password-cracking tools to recover the original passwords.

The worm uses the file SQLDIR.JS to retrieve the contents of the SQL database on the compromised server. This information is also appended to SEND.TXT.

It then uses a third-party command-line email program, CLEMAIL.EXE, to send SEND.TXT to the address IXLDT@POSTONE.COM. The message subject is "SystemData-<PASSWORD>", where <PASSWORD> is the SQL Server password of the "sa" login, the built-in SQL Server administrator account.

The command-line email program is a 30-day trial version.

Finally, it deletes SEND.TXT and deletes %SysDir%\MSVER241.SRQ a second time. The email program creates the SRQ file to keep track of how many days it has been installed. Deleting it before the program runs resets the trial to a full 30 days in case the program had been installed before, so the trial cannot already have expired; deleting it again afterwards removes the only trace of the program having run, in case it had never been installed on the system.
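The exfiltrated SEND.TXT is a plain-text file that an incident responder may recover from a mail gateway or from the worm's working directory. The following script is added here as a worked example and is not part of the worm or of Trend Micro's analysis: it parses a constructed SEND.TXT (ipconfig output followed by pwdump2 records in user:RID:LM hash:NT hash::: form) and ranks each dumped account by what an attacker holding the record can do with it. The hostname, addresses and hashes in the sample are made up (the sqlsvc hashes are the well-known LM/NT hashes of the string "password"); the two empty-password constants are the standard LM and NT hashes of an empty password.

```python
import re
from dataclasses import dataclass

# Hashes of the empty password. Any account carrying these has no password at all.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample of a SEND.TXT: "ipconfig /all" output followed by
# pwdump2 records. Host, addresses and hashes are made up for this example.
SAMPLE_SEND_TXT = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : SQLBOX01
        Primary DNS Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 203.0.113.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sqlsvc:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
backup:1002:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::
"""

PWDUMP_RE = re.compile(r"^([^:\s]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::\s*$")
HOST_RE = re.compile(r"Host Name[ .]*:\s*(\S+)")
IP_RE = re.compile(r"IP Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Account:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    def risk(self) -> str:
        """Rank what an attacker holding this record can do with it."""
        if self.nt_hash == EMPTY_NT:
            return "empty-password"      # usable immediately, nothing to crack
        if self.lm_hash != EMPTY_LM:
            return "lm-hash-present"     # <=14 chars, case-folded, two 7-byte halves: cheap to crack
        return "nt-only"                 # still crackable offline, but no LM shortcut


def parse_send_txt(text: str) -> dict:
    """Split a SEND.TXT into the victim's identity and the dumped account records."""
    host = HOST_RE.search(text)
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line)
        if m:
            accounts.append(Account(m.group(1), int(m.group(2)),
                                    m.group(3).lower(), m.group(4).lower()))
    return {
        "host": host.group(1) if host else None,
        "ips": IP_RE.findall(text),
        "accounts": accounts,
    }


def triage(text: str) -> dict:
    """Map each dumped account name to its risk class."""
    return {a.user: a.risk() for a in parse_send_txt(text)["accounts"]}


if __name__ == "__main__":
    info = parse_send_txt(SAMPLE_SEND_TXT)
    print(f"victim {info['host']} at {', '.join(info['ips'])}")
    for user, risk in triage(SAMPLE_SEND_TXT).items():
        print(f"  {user:<16} {risk}")
```

Accounts reported as "empty-password" need no cracking at all, and any account with a real LM hash should be treated as effectively compromised, since LM hashes of 14-character-or-shorter passwords fall to offline attacks quickly.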

Propagation Routine
During its propagation routine, this worm may connect to several infectable SQL servers. So that the network connections it makes are not restored at the next logon, JS_SQLSPIDA.B instructs the operating system to make subsequent connections non-persistent (the setting that net use /persistent:no controls).

The worm routine begins by generating random IP addresses. It then calls the renamed scanner SERVICES.EXE, which Trend Micro detects as TROJ_SQLSPIDA.B, to connect to TCP port 1433 (the SQL Server port) on each of these addresses. The scanner uses 100 threads and a connection timeout of 10,000 milliseconds, so an infected host emits a large burst of outbound connection attempts and a noticeable increase in network traffic.

This worm does not scan IP addresses whose first octet is 10, 127, 172, or 192. The check is on the first octet only: it skips all of 172.0.0.0/8 and 192.0.0.0/8, not just the private 172.16.0.0/12 and 192.168.0.0/16 ranges, and it does not skip other non-routable space such as 169.254.0.0/16.

It saves the data returned by responsive hosts, including their IP addresses, in the file RDATA.TXT, and searches that data for the string "1433/tcp", which precedes each IP address in the file.
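As an added example (not the worm's code and not from Trend Micro's analysis), the following models the target-selection step as described above: random addresses filtered on the first octet, compared against the reserved ranges that filter presumably meant to approximate, plus a parser for the "1433/tcp" marker in RDATA.TXT. The random-octet range and the exact column layout of RDATA.TXT are assumptions.

```python
import ipaddress
import random
import re

SQL_PORT = 1433

# First octets the worm refuses to target, exactly as described above.
SKIPPED_FIRST_OCTETS = {10, 127, 172, 192}

# What that rule presumably tried to approximate: RFC 1918 private space,
# loopback and link-local. Listed explicitly rather than via is_private,
# which also flags documentation and other special-purpose ranges.
LOCAL_USE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                       # loopback
    "169.254.0.0/16",                                    # link-local
)]


def worm_skips(ip: str) -> bool:
    """The worm's own test: only the first octet is examined."""
    return int(ip.split(".")[0]) in SKIPPED_FIRST_OCTETS


def is_local_use(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_USE_NETS)


def compare_rules(ip: str) -> str:
    """Where the first-octet shortcut diverges from the real reserved ranges."""
    skipped, local = worm_skips(ip), is_local_use(ip)
    if skipped and not local:
        return "worm-over-excludes"   # routable address it will never scan
    if local and not skipped:
        return "worm-misses"          # local-use address it will still probe
    return "agree"


def random_target(rng: random.Random) -> str:
    """Mimic the target generator: random dotted quad, re-rolled until the filter passes.
    Drawing each octet from 1..254 is an assumption; the description gives no detail."""
    while True:
        ip = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        if not worm_skips(ip):
            return ip


# Constructed sample of an RDATA.TXT: the open port is listed ahead of the
# responding address, which is the "1433/tcp" marker the worm keys on.
# The column layout is an assumption.
SAMPLE_RDATA = """\
Scanning 100 hosts, timeout 10000 ms
1433/tcp  203.0.113.77
1433/tcp  203.0.113.91
Scan complete.
"""

RESULT_RE = re.compile(rf"{SQL_PORT}/tcp\D+(\d{{1,3}}(?:\.\d{{1,3}}){{3}})")


def hosts_with_open_sql(rdata: str) -> list:
    """Pull out every address that RDATA.TXT reports as listening on 1433/tcp."""
    return RESULT_RE.findall(rdata)


if __name__ == "__main__":
    for ip in ("10.0.0.1", "172.32.1.1", "169.254.10.5", "203.0.113.25"):
        print(f"{ip:<16} worm_skips={worm_skips(ip)!s:<5} {compare_rules(ip)}")
    rng = random.Random(2002)
    print("sample targets:", [random_target(rng) for _ in range(5)])
    print("open SQL hosts:", hosts_with_open_sql(SAMPLE_RDATA))
```

The comparison is the practical point: a server on a public 172.x or 192.x address was never scanned by this worm, while a link-local or 169.254.x address offered no protection, so address-based exposure reasoning has to follow the worm's actual rule rather than the RFC 1918 ranges.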

For each IP address obtained this way, the worm runs SQLINSTALL.BAT, which Trend Micro detects as BAT_SQLSPIDA.B, passing the target's IP address and a randomly generated password as parameters. This batch file installs the worm's component files on the target server.

BAT_SQLSPIDA.B uses SQLEXEC.JS to run commands on the target as the "sa" user. It then starts this JavaScript worm on the target by using RUN.JS to launch SQLPROCESS.JS.

The worm then sleeps, deletes RDATA.TXT, and generates a new set of IP addresses to scan.
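From the defender's side, the 100-thread sweep of TCP port 1433 is the loudest part of this worm. The detector below is an added example, not part of the original analysis: it reads constructed firewall log lines and flags any source that reaches many distinct hosts on 1433/tcp inside a short window, while leaving alone an application server that reconnects repeatedly to a single SQL Server. The log format, the threshold and the window length are assumptions to be tuned to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

SQL_PORT = 1433

# Constructed key=value firewall log format for this example (UTC timestamps).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>[\d.]+) spt=\d+ "
    r"dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+) proto=tcp"
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_sql_scanners(lines, window_s: int = 60, threshold: int = 20,
                        port: int = SQL_PORT) -> dict:
    """Return {source: time_of_first_alert} for every source that reaches at least
    `threshold` distinct destination hosts on `port` within any `window_s` window.
    Lines are assumed to be in time order. Counting distinct destinations rather
    than packets is what separates a sweep from an application retrying one server."""
    recent = defaultdict(deque)      # src -> (ts, dst) events still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dpt = rec
        if dpt != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts


def build_sample_log() -> list:
    """Constructed sample: one host sweeping a /24 on 1433 the way the worm's 100
    threads would, one application server reconnecting to a single SQL Server,
    and one unrelated connection from the infected host."""
    lines = []
    for i in range(30):
        lines.append(f"2002-05-20T10:00:{i // 10:02d}Z src=203.0.113.25 spt={3000 + i} "
                     f"dst=198.51.100.{i + 1} dpt=1433 proto=tcp action=deny")
    for i in range(30):
        lines.append(f"2002-05-20T10:00:{i // 10:02d}Z src=203.0.113.40 spt={4000 + i} "
                     f"dst=203.0.113.50 dpt=1433 proto=tcp action=allow")
    lines.append("2002-05-20T10:00:01Z src=203.0.113.25 spt=3100 "
                 "dst=198.51.100.200 dpt=80 proto=tcp action=allow")
    return sorted(lines)     # keep the stream time-ordered, as the detector expects


if __name__ == "__main__":
    for src, when in detect_sql_scanners(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {src} swept {SQL_PORT}/tcp")
```

Because the worm fires 100 connection attempts at once with a 10-second timeout, a real infection trips a 20-host threshold within the first second or two of a sweep; the sliding window mainly guards against slow-and-low scanners and against legitimate hosts that happen to talk to a handful of SQL servers.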

Additional Information
Trend Micro also detects SQLEXEC.JS, SQLDIR.JS, and RUN.JS as JS_SQLSPIDA.B.


For additional information about this threat, see:
Overview
Solution
